CVE-2026-46333: How to Fix the Linux Kernel Privilege Escalation Vulnerability

A nine-year-old flaw in the Linux kernel lets any ordinary local user escalate their privileges to root and read sensitive system files. Security researchers at Qualys disclosed CVE-2026-46333 in May 2026 after building four working exploits that confirmed the issue on default installations of Debian, Ubuntu, and Fedora. Patches are now available from all major distributions, and you need to apply them immediately.

CVE-2026-46333: How to Fix the Linux Kernel Privilege Escalation Vulnerability

This guide explains what CVE-2026-46333 is, which systems it affects, how to patch it, and what to do if you cannot patch right away.

What Is CVE-2026-46333?

CVE-2026-46333 is a privilege escalation vulnerability in the Linux kernel’s __ptrace_may_access() function. The flaw has been present in mainline Linux since kernel version 4.10-rc1, released in November 2016.

The bug works by exploiting a narrow race condition during process shutdown. When a privileged process begins to exit, Linux should immediately block other processes from inspecting it. CVE-2026-46333 means that block happens a fraction of a second too late. During that tiny window, an unprivileged attacker can use the pidfd_getfd() system call (available since kernel 5.6) to grab open file descriptors and authenticated connections from the dying privileged process.

The practical impact is severe:

  • Read /etc/shadow (which contains password hashes for all system users)
  • Steal SSH host private keys stored under /etc/ssh/*_key
  • Execute arbitrary commands as root through hijacked dbus connections
  • Gain full root access on the affected system

The vulnerability carries a CVSS score of 5.5 (medium), but that rating reflects the local-only nature of the attack. An attacker who already has a low-privilege shell on your server can use this to fully compromise the system. In cloud environments, shared hosting, CI runners, and multi-tenant servers, that scenario is common.

Which Linux Distributions Are Affected?

CVE-2026-46333 affects any Linux system running a kernel version between 4.10 and the patched release. Qualys confirmed working exploits on these default installations:

DistributionTested Versions
Debian13
Ubuntu24.04, 26.04
Fedora43, 44
Red Hat Enterprise LinuxMultiple versions
SUSE Enterprise LinuxMultiple versions
AlmaLinuxMultiple versions
CloudLinux8, 9

If your server runs any of these distributions and has not received the latest kernel update, treat it as vulnerable.

How Does the CVE-2026-46333 Exploit Work?

Understanding the mechanism helps you choose the right mitigation.

The Linux kernel tracks whether a process is “dumpable,” which controls whether other processes can attach to it via ptrace. When a privileged process (such as ssh-keysign or pkexec) drops its credentials and starts to exit, the kernel sets its memory map (mm) to NULL. At this exact moment, the dumpable check inside __ptrace_may_access() skips its normal branch because mm is NULL.

The function then falls through to the YAMA Linux Security Module hook. At the default ptrace_scope=1, YAMA allows access when the attacker is the parent of the privileged child they spawned. This gives the attacker a valid window to call pidfd_getfd() and capture the dying process’s open file descriptors.

Qualys built four distinct exploits targeting:

  1. chage (set-uid-root): Reads /etc/shadow on Debian 13, Ubuntu 24.04, Ubuntu 26.04, Fedora 43, and Fedora 44.
  2. ssh-keysign (set-uid-root): Steals SSH host private keys on Debian 13, Ubuntu 24.04, and Ubuntu 26.04. This exploit variant is also called ssh-keysign-pwn.
  3. pkexec (set-uid-root): Runs arbitrary commands as root on Debian 13, Ubuntu Desktop 24.04, Ubuntu Desktop 26.04, Fedora Workstation 43, and Fedora Workstation 44.
  4. accounts-daemon (root daemon): Runs arbitrary commands as root on Debian 13, Fedora Workstation 43, and Fedora Workstation 44.

Public proof-of-concept exploit code is already circulating. Do not wait to apply the fix.

How to Fix CVE-2026-46333: Apply the Kernel Patch

The fastest and most complete fix is to update your kernel to the patched version released by your distribution.

Debian and Ubuntu

sudo apt update && sudo apt upgrade -y
sudo reboot

After rebooting, verify your running kernel version:

uname -r

Check your distribution’s security advisory to confirm the patched kernel version number for your release.

Fedora

sudo dnf upgrade --refresh -y
sudo reboot

Red Hat Enterprise Linux / AlmaLinux / CloudLinux

sudo dnf update kernel -y
sudo reboot

Red Hat has released patches under advisories RHSA-2026:19521 and RHSA-2026:19540. AlmaLinux patches are available under ALSA-2026:A008, ALSA-2026:A009, and ALSA-2026:A010.

SUSE Enterprise Linux

sudo zypper refresh && sudo zypper update kernel-default -y
sudo reboot

SUSE patches are available under advisories SUSE-SU-2026:1904-1 through SUSE-SU-2026:1909-1.

Interim Fix: Raise ptrace_scope to 2

If you cannot reboot or patch immediately due to operational constraints, this mitigation blocks the known public exploits right now. Raising kernel.yama.ptrace_scope to 2 forces the YAMA LSM to require CAP_SYS_PTRACE for any process attachment. An unprivileged attacker does not have that capability, so pidfd_getfd() returns -EPERM and the exploit chain breaks.

Apply the mitigation immediately (without reboot):

sudo sysctl -w kernel.yama.ptrace_scope=2

Make it persistent across reboots:

echo 'kernel.yama.ptrace_scope = 2' | sudo tee /etc/sysctl.d/99-ptrace-scope.conf
sudo sysctl --system

Important: ptrace_scope can only move up at runtime, not down. Once you raise it to 2, you need a full system reboot to lower it again.

Side Effects of Setting ptrace_scope=2

This setting changes how process tracing works system-wide. Review these impacts before you apply it to a production system:

  • Non-root users can no longer attach gdb -p, strace -p, or perf record -p to processes they did not start themselves using PR_SET_PTRACER.
  • Browser crash-reporter sandboxes that use cross-process ptrace may stop working. Firefox and Chromium handle this gracefully, but other applications may not.
  • Some container debugging tools, kdump userspace helpers, and CRIU (Checkpoint and Restore in Userspace) may break.

This mitigation is a temporary measure. Apply the kernel patch as soon as your change management process allows.

Should You Rotate Your SSH Keys?

If your server allowed untrusted local users at any point between November 2016 and today, you should treat your SSH host keys and locally cached credentials as potentially compromised.

Take these steps:

  1. Rotate SSH host keys on the affected server.
  2. Rotate any administrative credentials that were active in memory during the exposure window.
  3. Review sessions and access logs for suspicious activity from low-privilege accounts.
  4. Audit sudo and setuid binaries on the system for any unexpected behavior.

If you run a managed cloud instance or use a hosting provider, check whether your provider has issued any specific guidance for CVE-2026-46333 on their platform.

How to Check If Your System Is Still Vulnerable

Run this command to see your current kernel version:

uname -r

Then compare it against the patched version listed in your distribution’s security advisory. You can also check the current ptrace_scope value:

cat /proc/sys/kernel/yama/ptrace_scope

A value of 2 means the interim mitigation is active. A patched and rebooted kernel is still the only complete fix.

Frequently Asked Questions

Is CVE-2026-46333 being actively exploited?

Yes. Qualys reported the vulnerability to the Linux kernel security team on May 11, 2026. The upstream kernel patch landed on May 14, 2026. A public proof-of-concept exploit derived from that commit appeared shortly after, breaking the disclosure embargo. Public exploit code is circulating now.

Does this affect cloud servers and VMs?

Yes. Any cloud server, virtual machine, or container host running a vulnerable kernel version is at risk. The attack requires a local unprivileged shell, which is a realistic scenario in cloud environments with multiple users, CI systems, or compromised service accounts.

Is a CVSS score of 5.5 low enough to ignore?

No. The medium CVSS score reflects the local-only attack vector, not the severity of the outcome. A successful exploit gives an attacker complete root access to the system. Local privilege escalation vulnerabilities with public exploit code require the same urgency as critical-rated remote vulnerabilities.

What is the relationship between CVE-2026-46333 and Dirty Frag?

They are separate Linux kernel vulnerabilities disclosed around the same time. CVE-2026-46333 (also called ssh-keysign-pwn) is a ptrace privilege escalation flaw. Dirty Frag involves the IPv4/IPv6 fragmentation subsystem and chains two earlier CVEs (CVE-2026-43284 and CVE-2026-43500). Both require separate patches.

Will the fix break my applications?

The kernel patch itself has no application-level side effects. The interim ptrace_scope=2 mitigation may affect debugging tools and container utilities as described above.

Related Security Guides

Leave a Comment

Comments

No comments yet. Why don’t you start the discussion?

    Leave a Reply