The Qualys Threat Research Unit (TRU) has discovered and published the full advisory for CVE-2026-46333, a logic flaw in the Linux kernel’s __ptrace_may_access() function that permits an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions. The bug has resided in mainline Linux since November 2016 (v4.10-rc1). Upstream patches and distribution updates are already available. Working exploits are circulating in public, and administrators should apply vendor kernel updates without delay. What Was Found During ongoing research into Linux kernel privilege boundaries, TRU identified a narrow window in which a privileged process that is dropping its credentials remains reachable through ptrace-family operations even though its dumpable flag should have closed that path. By pairing this window with the pidfd_getfd() syscall (added in v5.6-rc1, January 2020), an attacker can capture open file descriptors and authenticated inter-process channels from a dying privileged process and re-use them under their own uid. The primitive is reliable and turns any local shell into a path to root or to sensitive credential material. To characterize impact across real systems, TRU built four exploits against widely deployed userland targets: chage (set-uid-root or set-gid-shadow): discloses /etc/shadow. Tested on default installs of Debian 13, Ubuntu 24.04, Ubuntu 26.04, Fedora 43, and Fedora 44. ssh-keysign (set-uid-root): discloses host private keys under /etc/ssh/*_key. Tested on default installs of Debian 13, Ubuntu 24.04, and Ubuntu 26.04. pkexec (set-uid-root): executes arbitrary commands as root. The attacker can be remotely logged in via sshd provided an allow_active session is present at the console. Tested on default installs of Debian 13, Ubuntu Desktop 24.04 and 26.04, and Fedora Workstation 43 and 44. accounts-daemon (root daemon): executes arbitrary commands as root. Tested on default installs of Debian 13, Fedora Workstation 43, and Fedora Workstation 44. These four were drawn from prior research projects rather than an exhaustive sweep of the userland attack surface. Other set-uid, set-gid, file-capability binaries, and root daemons may be exploitable through the same primitive. Qualys developed four working exploits for CVE-2026-46333, covering chage, ssh-keysign, pkexec, and accounts-daemon. As part of the coordinated disclosure process, we withheld them publicly while distributions completed their packaging. Understanding the Potential Impact, Severity and Scope CVE-2026-46333 is local-only, but the impact is severe. Local does not mean low priority. Any unprivileged shell on a vulnerable host is enough to read /etc/shadow, exfiltrate SSH host private keys, or execute arbitrary commands as root through hijacked dbus connections to systemd. In practice, the distinction between an unprivileged foothold and full host compromise collapses: a phished developer account, a constrained CI runner, a low-privilege service account, or a shared multi-tenant host all become direct paths to root. With the vulnerable code shipping in mainline kernels since v4.10-rc1 (November 2016), the historical exposure spans nine years of enterprise fleets, cloud images, and container hosts. Coordinated Disclosure and Why We Are Publishing Now Qualys followed responsible disclosure throughout. Qualys reported the vulnerability privately to the upstream Linux kernel security contact on 2026-05-11. Over the following three days the kernel security team developed and reviewed the fix, CVE-2026-46333 was assigned, and the patch was committed publicly on 2026-05-14. We then engaged the linux-distros mailing list, the standard pre-disclosure channel for downstream coordination. A short time later, an independent exploit derived from the public kernel commit appeared. With the embargo no longer providing protection, the list maintainers asked us to move the discussion to the public oss-security list. We posted a minimal notice at that point to preserve operational safety while distributions finished their patches and packaging work. Vendor patches from multiple distributions shipped over the following days. Qualys is releasing the complete advisory today because the underlying technique is novel, the public picture is now incomplete and uneven, and independent researchers have already achieved local root and published exploit material. Doing so gives defenders, detection engineers, and downstream maintainers a single authoritative reference for the flaw, the race against do_exit(), the role of pidfd_getfd(), and the four exploitation case studies. Immediate Action Apply the kernel update from your distribution and follow their guidelines for affected systems so the running kernel reflects the fix. Patched packages are available from Debian, Fedora, and other major vendors. On hosts that have allowed untrusted local users during the exposure window, treat SSH host keys and locally cached credentials as potentially disclosed. Rotate host keys and review any administrative material that lived in the memory of set-uid processes. Interim mitigation where patching must wait: raise kernel.yama.ptrace_scope to 2 (admin-only attach). This blocks the public exploits, since their pidfd_getfd(2) path is gated by __ptrace_may_access(). Refer to each affected distribution’s security advisory (Red Hat, SUSE, Debian, Fedora, AlmaLinux, CloudLinux, and others) for the authoritative fixed versions and any vendor-specific mitigations. Technical Details of the CVE-2026-46333: You can find the technical details of this vulnerability at: https://cdn2.qualys.com/advisory/2026/05/20/cve-2026-46333-ptrace.txt Qualys QID Coverage for Detecting CVE-2026-46333: Qualys has released the following QIDs listed in the table below with Vulnerability Signatures versions VULNSIGS-2_6_607-2, VULNSIGS-2.6.608-2, VULNSIGS-2.6.607-2, and VULNSIGS-2.6.605-7. Additional QIDs will be released as they become available. QID TITLE 387392 Linux Kernel Local Privilege Escalation Vulnerability (CVE-2026-46333) 6050281 Red Hat Security Advisory for CVE-2026-46333 (Unfixed Vulnerability) 6050650 Red Hat Update for kernel (RHSA-2026:19521) 6050671 Red Hat Update for kernel (RHSA-2026:19540) 944317 AlmaLinux Security Update for kernel (ALSA-2026:A009) 944318 AlmaLinux Security Update for kernel (ALSA-2026:A010) 944320 AlmaLinux Security Update for kernel (ALSA-2026:A008) 6683237 CloudLinux 8 Security Update for kernel (CLSA-2026:A008) 6683240 CloudLinux 9 Security Update for kernel (CLSA-2026:A009) 762598 SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1909-1) 762604 SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1907-1) 762614 SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1908-1) 762618 SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2026:1904-1) 6276533 Debian Security Update for linux (CVE-2026-46333) 6277424 Debian Security Update for linux (CVE-2026-46333) 288719 Fedora Security Update for kernel (FEDORA-2026-8b4a8d18d2) 288720 Fedora Security Update for kernel (FEDORA-2026-03be3dc34b) Acknowledgments Qualys thanks the Linux kernel security team, in particular Linus Torvalds, Christian Brauner, Kees Cook, and Oleg Nesterov, for the rapid upstream fix; the distribution security teams, in particular Solar Designer, Sam James, and Salvatore Bonaccorso, who carried the patch downstream under unusually compressed conditions; and the maintainers of the linux-distros and oss-security lists.