Critical Local Root Privilege Escalation (CVE‑2026‑46333) in Linux Kernel ptrace Path Threatens Enterprise Servers
What It Is – CVE‑2026‑46333 is a logic flaw in the Linux kernel’s __ptrace_may_access() routine. It lets an unprivileged local user capture file descriptors from a privileged process that is dropping its credentials, enabling credential disclosure (e.g., /etc/shadow, SSH host keys) and arbitrary command execution as root.
Exploitability – Working exploits have been released publicly and are being circulated in the wild. The vulnerability has existed since Linux 4.10‑rc1 (Nov 2016) and is patched in current kernel releases. CVSS v3.1 is estimated at 9.8 (Critical).
Affected Products – All Linux distributions that ship an unpatched kernel and the affected set‑uid binaries, including:
- Debian 13
- Ubuntu 24.04 & 26.04
- Fedora 43 & 44 (Workstation & Server)
TPRM Impact – Any third‑party service that runs Linux containers, VMs, or bare‑metal servers is exposed to a local privilege‑escalation chain that can compromise credential stores and enable lateral movement across the supply chain.
Recommended Actions –
- Verify kernel version on all Linux assets; upgrade to the patched kernel released by each distro (≥ 5.6 for pidfd_getfd support, plus the specific back‑ported fix).
- Re‑scan for the four affected set‑uid binaries (
chage,ssh-keysign,pkexec,accounts‑daemon) and restrict their execution where not required. - Deploy Qualys QID XXXXX (or the appropriate detection rule) to continuously monitor for the exploit signatures.
- Review IAM policies for privileged processes that drop credentials; enforce “no‑dumpable” flags where possible.
- Conduct a post‑patch validation to ensure no residual back‑doors or compromised credentials remain.