HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical Local Root Privilege Escalation (CVE‑2026‑46333) in Linux Kernel ptrace Path Threatens Enterprise Servers

A logic error in the Linux kernel’s ptrace path (CVE‑2026‑46333) enables unprivileged users to steal credentials and execute commands as root on default installations of major distros. Public exploits are circulating, making immediate kernel patching a TPRM priority.

LiveThreat™ Intelligence · 📅 May 20, 2026· 📰 blog.qualys.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
blog.qualys.com

Critical Local Root Privilege Escalation (CVE‑2026‑46333) in Linux Kernel ptrace Path Threatens Enterprise Servers

What It Is – CVE‑2026‑46333 is a logic flaw in the Linux kernel’s __ptrace_may_access() routine. It lets an unprivileged local user capture file descriptors from a privileged process that is dropping its credentials, enabling credential disclosure (e.g., /etc/shadow, SSH host keys) and arbitrary command execution as root.

Exploitability – Working exploits have been released publicly and are being circulated in the wild. The vulnerability has existed since Linux 4.10‑rc1 (Nov 2016) and is patched in current kernel releases. CVSS v3.1 is estimated at 9.8 (Critical).

Affected Products – All Linux distributions that ship an unpatched kernel and the affected set‑uid binaries, including:

  • Debian 13
  • Ubuntu 24.04 & 26.04
  • Fedora 43 & 44 (Workstation & Server)

TPRM Impact – Any third‑party service that runs Linux containers, VMs, or bare‑metal servers is exposed to a local privilege‑escalation chain that can compromise credential stores and enable lateral movement across the supply chain.

Recommended Actions

  • Verify kernel version on all Linux assets; upgrade to the patched kernel released by each distro (≥ 5.6 for pidfd_getfd support, plus the specific back‑ported fix).
  • Re‑scan for the four affected set‑uid binaries (chage, ssh-keysign, pkexec, accounts‑daemon) and restrict their execution where not required.
  • Deploy Qualys QID XXXXX (or the appropriate detection rule) to continuously monitor for the exploit signatures.
  • Review IAM policies for privileged processes that drop credentials; enforce “no‑dumpable” flags where possible.
  • Conduct a post‑patch validation to ensure no residual back‑doors or compromised credentials remain.

Source: Qualys Blog – CVE‑2026‑46333 Advisory

📰 Original Source
https://blog.qualys.com/vulnerabilities-threat-research/2026/05/20/cve-2026-46333-local-root-privilege-escalation-and-credential-disclosure-in-the-linux-kernel-ptrace-path

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →