
Cybersecurity researchers have revealed details of a vulnerability in the Linux kernel that went undetected for nine years.
The vulnerability, tracked as CVE-2026-46333 (CVSS score: 5.5), is a case of improper privilege management that could allow unprivileged local users to disclose sensitive files or execute arbitrary commands as root on default installations of several major distributions, including Debian, Fedora, and Ubuntu. It is also codenamed ssh-keysign-pwn.
According to Qualys, which discovered the flaw, the issue is caused by the kernel’s __ptrace_may_access() function, which was introduced in November 2016.
“Primitives are reliable and turn any local shell into a path to root or sensitive credentials,” said Saeed Abbasi, senior manager in Qualys’ threat research unit.
Successful exploitation of this flaw could allow a local attacker to expose /etc/shadow, host private keys under /etc/ssh/*_key, and execute arbitrary commands as root via four different exploits targeting chage, ssh-keysign, pkexec, and accounts-daemon.
The disclosure follows last week's release of a proof-of-concept (PoC) exploit for the vulnerability, which appeared shortly after a public kernel commit was revealed. CVE-2026-46333 is the latest security vulnerability to be disclosed in the Linux kernel, following last month’s Copy Fail, Dirty Frag, and Fragnesia.
We recommend applying the latest kernel updates released by your Linux distribution. If the update cannot be applied immediately, a temporary workaround is to raise kernel.yama.ptrace_scope to 2.
“Hosts that allow untrusted local users during the exposure period treat SSH host keys and locally cached credentials as potentially exposed,” Qualys said. “Rotate the host key and check the administrative material present in memory for the set-uid process.”
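To check that the kernel.yama.ptrace_scope workaround is both active and will survive a reboot, the following shell audit can be used. It is an added example, not code from Qualys or any distribution; the function names are hypothetical, the sample files are constructed, and it assumes the config files are passed in the order they are applied.

```shell
#!/bin/sh
# Added example: audit the kernel.yama.ptrace_scope workaround (2 or higher).

# Return 0 when the value meets the workaround level named in the advisory.
# 2 = attach needs CAP_SYS_PTRACE, 3 = no attach at all (per the Yama docs).
scope_ok() {
    case "$1" in
        2|3) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the last kernel.yama.ptrace_scope assignment in the given sysctl-style
# files. Assumption: files are passed in the order they are applied, so the
# last assignment wins.
persisted_scope() {
    [ "$#" -gt 0 ] || return 0
    cat "$@" 2>/dev/null | awk -F= '
        /^[ \t]*[#;]/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == "kernel.yama.ptrace_scope" {
            val = $2; gsub(/[ \t]/, "", val); last = val
        }
        END { if (last != "") print last }'
}

# Arguments: runtime value file, then the config files to inspect.
# Exit status: 0 = set and persisted, 1 = not set now, 2 = lost on reboot.
audit_ptrace_scope() {
    runtime=$(cat "$1" 2>/dev/null || true); shift
    persisted=$(persisted_scope "$@")
    if ! scope_ok "$runtime"; then
        echo "FAIL runtime=${runtime:-unset}"; return 1
    fi
    if ! scope_ok "$persisted"; then
        echo "WARN runtime=$runtime persisted=${persisted:-unset}"; return 2
    fi
    echo "OK runtime=$runtime persisted=$persisted"
}

# Constructed sample: runtime already raised to 2, config file still says 1.
demo() {
    d=$(mktemp -d)
    printf '2\n' > "$d/ptrace_scope"
    printf '# constructed sample\nkernel.yama.ptrace_scope = 1\n' > "$d/10-ptrace.conf"
    audit_ptrace_scope "$d/ptrace_scope" "$d/10-ptrace.conf" || true
    rm -rf "$d"
}
demo
```

On a live host, call `audit_ptrace_scope /proc/sys/kernel/yama/ptrace_scope /etc/sysctl.d/*.conf`; a WARN result means the runtime value was raised by hand but no persistent setting backs it.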

This development follows the release of a PoC for a local privilege escalation flaw called PinTheft that allows local attackers to gain root privileges on Arch Linux systems. The exploit requires the target system to have the Reliable Datagram Sockets (RDS) module loaded, io_uring enabled, a readable SUID root binary, and x86_64 support for the included payload.
“PinTheft is a Linux local privilege escalation exploit against RDS zero-copy double-free that can be turned into page cache overwriting with fixed-buffer io_uring,” Zelick and the V12 security team said.
“This bug existed in the RDS zero-copy send path. rds_message_zcopy_from_user() pins user pages one at a time. If a later page fails, the page that was already pinned by the error path is removed, and a subsequent RDS message cleanup removes it again. This causes the scatter list to persist even after the zcopy notifier is cleared. Because the entry and number of entries remain alive, one reference can be stolen from the first page for each failed zero-copy submission.”
