Researchers and vendors disclosed CVE-2026-46333, a Linux kernel flaw in __ptrace_may_access() that lets an unprivileged local user exploit a process-exit race to bypass authorization checks and steal file descriptors from privileged processes. The bug has existed since Linux v4.10-rc1, and exploitation became more practical with pidfd_getfd() introduced in v5.6-rc1. Qualys and public proof-of-concept authors showed the issue can expose /etc/shadow, leak OpenSSH host private keys through ssh-keysign, and in some cases execute commands as root via targets including chage, pkexec, and accounts-daemon on default Debian, Ubuntu, Fedora, AlmaLinux, and other distributions.
Linus Torvalds merged the upstream fix in commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a, and stable kernel updates were released across multiple branches as distributions began shipping patched packages. Public exploit code appeared almost immediately after the fix became visible, increasing the urgency for defenders to patch and reboot affected systems, rotate potentially exposed SSH host keys and other credentials, and review systems for local privilege-escalation activity. Where immediate patching is not possible, several vendors and Qualys said raising kernel.yama.ptrace_scope to 2 or 3 can block known exploit paths, although maintainers cautioned that such settings are only a temporary workaround and may disrupt debugging tools.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
13 events from the most recent confirmed update back to the earliest known activity.
Qualys released its full advisory describing CVE-2026-46333, including exploit paths involving chage, ssh-keysign, pkexec, and accounts-daemon, and noting successful testing on Debian, Ubuntu, and Fedora. The advisory followed vendor patching activity and earlier public exploit release.
On May 20, 2026, Qualys stated on oss-sec that it would publish its full advisory after Massimiliano Oldani published a detailed post about the vulnerability. The thread reflects ongoing public coordination around disclosure timing.
Mailing list participants analyzed mitigation options, including blocking pidfd_getfd, removing world-executable permission from ssh-keysign, and using Yama or eBPF hooks. Testing reported that ptrace_scope values 2 and 3 mitigated the published exploit path, while value 1 did not.
In mailing list follow-up, Qualys confirmed that setting /proc/sys/kernel/yama/ptrace_scope to 2 or 3 blocked all exploit methods it had tested, while cautioning that other theoretical exploitation methods might still exist.
Canonical and Ubuntu stated the vulnerability was publicly disclosed on May 15, 2026, affects Ubuntu releases from 14.04 LTS through 26.04 LTS pending updates, and recommended raising kernel.yama.ptrace_scope to 2 or 3 as an interim mitigation.
AlmaLinux said AlmaLinux 9 and 10 were vulnerable and reliably exploitable with public PoCs, while AlmaLinux 8 was also being patched. It published patched kernels to its testing repository and recommended ptrace_scope 2 or 3 as a temporary workaround.
The Linux kernel CVE announcement described the flaw and stated that fixes were released across multiple stable and mainline kernel branches. It recommended updating to the latest stable kernel release rather than cherry-picking commits.
The Linux kernel CVE team assigned identifier CVE-2026-46333 to the vulnerability. This assignment was confirmed in follow-up mailing list discussion and kernel CVE announcement material.
Qualys publicly disclosed the Linux kernel __ptrace_may_access() flaw on oss-security, noting that public exploits were already available and that it would temporarily withhold its full advisory to give vendors and users time to patch.
A public GitHub repository published proof-of-concept exploitation for stealing SSH host keys and /etc/shadow via the mm-NULL bypass plus pidfd_getfd. Reporting says the PoC appeared shortly after the public kernel commit.
The Linux kernel upstream merged commit 31e62c2ebbfd, changing dumpability handling when task->mm becomes NULL during process exit. Multiple later advisories cite this as the mainline fix for CVE-2026-46333.
Qualys reported the __ptrace_may_access() logic bug to the Linux kernel security team. Later advisories identify this private report as the start of coordinated disclosure for CVE-2026-46333.
Jann Horn submitted RFC patch series on LKML addressing dumpability tracking for tasks, which later reporting identified as targeting the same underlying flaw behind CVE-2026-46333.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
33 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourceseclists.org
Open sourceblog.qualys.com
Open sourceseclists.org
Open sourcecysecurity.news
Open sourceopennet.me
Open sourcelore.kernel.org
Open sourcelore.kernel.org
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.