{"id":250502,"date":"2026-05-20T11:40:00","date_gmt":"2026-05-20T15:40:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/20\/cve-2026-46333-local-root-privilege-escalation-and-credential-disclosure-in-the-linux-kernel-ptrace-path\/"},"modified":"2026-05-20T11:55:08","modified_gmt":"2026-05-20T15:55:08","slug":"cve-2026-46333-local-root-privilege-escalation-and-credential-disclosure-in-the-linux-kernel-ptrace-path","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/20\/cve-2026-46333-local-root-privilege-escalation-and-credential-disclosure-in-the-linux-kernel-ptrace-path\/","title":{"rendered":"CVE-2026-46333: Local Root Privilege Escalation and Credential Disclosure in the Linux Kernel ptrace Path"},"content":{"rendered":"

CVE-2026-46333: Local Root Privilege Escalation and Credential Disclosure in the Linux Kernel ptrace Path<\/a><\/p>\n

https:\/\/blog.qualys.com\/misc\/2026\/05\/20\/cve-2026-46333-local-root-privilege-escalation-and-credential-disclosure-in-the-linux-kernel-ptrace-path<\/a><\/p>\n

Publish Date: 2026-05-20 11:40:00<\/a><\/p>\n

Source Domain: blog.qualys.com<\/a><\/p>\n

The Qualys Threat Research Unit (TRU) has discovered and published the full advisory for CVE-2026-46333, a logic flaw in the Linux kernel\u2019s __ptrace_may_access() function that permits an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions. The bug has resided in mainline Linux since November 2016 (v4.10-rc1). Upstream patches and distribution updates are already available. Working exploits are circulating in public, and administrators should apply vendor kernel updates without delay.<\/p>\n

What Was Found<\/strong><\/h2>\n

During ongoing research into Linux kernel privilege boundaries, TRU identified a narrow window in which a privileged process that is dropping its credentials remains reachable through ptrace-family operations even though its dumpable flag should have closed that path. By pairing this window with the pidfd_getfd() syscall (added in v5.6-rc1, January 2020), an attacker can capture open file descriptors and authenticated inter-process channels from a dying privileged process and re-use them under their own uid.<\/p>\n

The primitive is reliable and turns any local shell into a path to root or to sensitive credential material. To characterize impact across real systems, TRU built four exploits against widely deployed userland targets:<\/p>\n