Qualys warns of Linux kernel flaw exposing root access

https://securitybrief.com.au/story/qualys-warns-of-linux-kernel-flaw-exposing-root-access

Publish Date: 2026-05-21 18:38:00

Source Domain: securitybrief.com.au

Qualys has disclosed a Linux kernel vulnerability, tracked as CVE-2026-46333, that affects default installations of several major Linux distributions.

The flaw is in the kernel’s __ptrace_may_access() function and can let an unprivileged local user disclose sensitive files or run arbitrary commands as root. According to Qualys’ Threat Research Unit, the vulnerable code has been present in mainline Linux since late 2016, and patches from upstream and distributors are now available.

Public exploit code is already circulating, increasing the urgency for administrators running multi-user systems, cloud workloads and developer environments where a low-privilege account could be used as a starting point for wider compromise.

How it works

Qualys found a narrow window in which a privileged process dropping its credentials can still be reached through ptrace-related operations. By combining that condition with the pidfd_getfd() system call, an attacker can capture open file descriptors and authenticated inter-process communication channels from a privileged process, then reuse them from an unprivileged account.

The research unit said the method is reliable enough to turn a local shell into root access or a path to sensitive credential material. To test the issue on mainstream distributions, it built four exploits against widely used userland targets.

The examples included chage, which can be abused to disclose /etc/shadow; ssh-keysign, which can expose SSH host private keys; pkexec, which can allow arbitrary commands to run as root; and accounts-daemon, which can also lead to arbitrary command execution as root. The tests were carried out on default installations of Debian 13, Ubuntu 24.04, Ubuntu 26.04, Fedora 43 and Fedora 44 across different scenarios.
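A defender-side triage for the pidfd_getfd() step described above, as an added example that is not from Qualys or the original article: it scans auditd SYSCALL records for pidfd_getfd() calls made by non-root callers. It assumes x86_64 hosts where an audit rule already logs that syscall; the log lines and the function names are constructed for illustration.

```python
import re

# Assumption: 438 is pidfd_getfd() on x86_64 (audit arch c000003e); other
# architectures use different numbers and are skipped here.
X86_64_ARCH = "c000003e"
PIDFD_GETFD = "438"

# Constructed auditd SYSCALL records for illustration, not from a real host.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1779388680.101:501): arch=c000003e syscall=438 success=yes exit=5 a0=3 a1=4 a2=0 a3=0 items=0 ppid=2100 pid=2211 auid=1001 uid=1001 gid=1001 euid=1001 comm="helper" exe="/home/dev/helper" key="pidfd_getfd"
type=SYSCALL msg=audit(1779388681.200:502): arch=c000003e syscall=438 success=yes exit=7 a0=3 a1=9 a2=0 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="svc-manager" exe="/usr/sbin/svc-manager" key="pidfd_getfd"
type=SYSCALL msg=audit(1779388682.300:503): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f00 a2=0 a3=0 items=1 ppid=2100 pid=2212 auid=1001 uid=1001 gid=1001 euid=1001 comm="cat" exe="/usr/bin/cat" key="other"
type=SYSCALL msg=audit(1779388683.400:504): arch=c000003e syscall=438 success=no exit=-1 a0=3 a1=4 a2=0 a3=0 items=0 ppid=2100 pid=2213 auid=1002 uid=1002 gid=1002 euid=1002 comm="probe" exe="/tmp/probe" key="pidfd_getfd"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of key=value fields."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def find_unprivileged_pidfd_getfd(log_text):
    """Return pidfd_getfd() calls made by callers whose euid is not 0."""
    hits = []
    for line in log_text.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue
        rec = parse_record(line)
        if rec.get("arch") != X86_64_ARCH or rec.get("syscall") != PIDFD_GETFD:
            continue
        if rec.get("euid") == "0":
            continue  # root callers are out of scope for this triage
        hits.append({
            "pid": int(rec["pid"]),
            "uid": int(rec["uid"]),
            "exe": rec["exe"],
            # Failed calls are kept: repeated attempts are worth reviewing too.
            "succeeded": rec.get("success") == "yes",
        })
    return hits


if __name__ == "__main__":
    for hit in find_unprivileged_pidfd_getfd(SAMPLE_LOG):
        print(hit)
```

pidfd_getfd() has legitimate users, so hits are candidates for review rather than proof of exploitation.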

Qualys said those four cases were selected from earlier research projects rather than from a full review of the Linux userland attack surface. It added that other set-uid, set-gid, file-capability…
