CVE-2026-46333: Linux Kernel ptrace Race Condition — Privilege Escalation and Credential Disclosure
Introduction
CVE-2026-46333 is a critical-severity vulnerability in the Linux kernel's ptrace subsystem. A race condition in the __ptrace_may_access() function allows a local unprivileged attacker to escalate privileges to root and potentially read sensitive credential files including /etc/shadow and SSH host private keys.
The vulnerability affects Linux kernels since v4.10-rc1, meaning systems have been exposed for approximately nine years. The upstream kernel patch was committed on May 14, 2026, and distribution-specific patches are being released by major vendors.
Vulnerability Summary
| Field | Detail |
|---|---|
| CVE ID | CVE-2026-46333 |
| Component | Linux kernel — ptrace subsystem, __ptrace_may_access() |
| Type | Race condition (TOCTOU) |
| Impact | Local privilege escalation to root; credential disclosure |
| Severity | Critical |
| Attack vector | Local |
| Authentication required | Low-privileged local user |
| Kernels affected | v4.10-rc1 (November 2016) and later |
| Upstream fix | May 14, 2026 |
| Reboot required | Yes |
What Is Affected?
The vulnerability lies in the __ptrace_may_access() function within the kernel's ptrace subsystem. An attacker can exploit a race condition between process memory release and file descriptor closure via the pidfd_getfd(2) syscall, targeting SUID binaries such as ssh-keysign and chage during their exit path.
Affected distributions include:
- Red Hat Enterprise Linux 8, 9
- CentOS Stream
- Rocky Linux
- AlmaLinux
- Fedora
- Ubuntu 20.04, 22.04, 24.04
- Debian 11, 12
- SUSE Linux Enterprise Server
- CloudLinux
Any system running a kernel between v4.10 and the patched version should be considered affected.
Why This Matters
Beyond simple privilege escalation, this vulnerability can expose some of the most sensitive data on a Linux system:
- /etc/shadow — contains password hashes for all local accounts. An attacker who reads this file can attempt offline password cracking.
- SSH host private keys — disclosure of these keys allows an attacker to impersonate the server in future connections or decrypt previously captured traffic if forward secrecy was not in use.
- Arbitrary root command execution — a full compromise of the host.
This vulnerability is particularly dangerous on:
- Multi-user systems with several local accounts
- Bastion hosts and jump servers where SSH is the primary access mechanism
- CI/CD build runners that execute jobs from development teams
- Systems with shared access across teams or contractors
- Any host where a lower-privileged attacker has already gained a shell through another vulnerability
How to Check Your System
Check your running kernel version
uname -r
5.14.0-427.el9.x86_64
Check your OS release
cat /etc/os-release
NAME="Ubuntu"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
ID=ubuntu
VERSION_ID="22.04"
Check for available kernel security updates — RHEL/Fedora/Rocky/AlmaLinux
sudo dnf updateinfo list cves | grep CVE-2026-46333
Check for available kernel security updates — Ubuntu/Debian
sudo apt update
sudo apt list --upgradable | grep linux-image
Check the ptrace scope setting on your system
Kernels built with the Yama security module expose a ptrace_scope setting under /proc/sys/kernel/yama/; if the file is absent, Yama is not enabled. While this setting does not prevent this specific vulnerability, reviewing it is part of a defence-in-depth posture:
cat /proc/sys/kernel/yama/ptrace_scope
1
A value of 1 restricts ptrace so that a process may only trace its own descendants. A value of 0 applies no Yama restriction, leaving only the classic ptrace permission checks. A restrictive setting reduces the general attack surface from ptrace-based attacks, but does not mitigate CVE-2026-46333 specifically.
How to Patch or Mitigate
Apply the kernel patch (required fix)
RHEL, Rocky Linux, AlmaLinux, CentOS Stream:
sudo dnf update kernel
sudo reboot
Ubuntu and Debian:
sudo apt update
sudo apt upgrade
sudo reboot
Fedora:
sudo dnf update kernel
sudo reboot
SUSE Linux Enterprise Server:
sudo zypper update kernel-default
sudo reboot
A reboot is required for the patched kernel to become active.
Reduce attack surface while awaiting the patch
While a complete mitigation without patching is not available, the following defensive measures reduce exposure:
Restrict ptrace scope system-wide:
sudo sysctl -w kernel.yama.ptrace_scope=2
Setting ptrace_scope to 2 restricts ptrace to processes with the CAP_SYS_PTRACE capability. This is a general hardening measure that reduces the attack surface for ptrace-based vulnerabilities. Make it persistent across reboots:
echo "kernel.yama.ptrace_scope = 2" | sudo tee /etc/sysctl.d/99-ptrace.conf
sudo sysctl --system
Restrict access to SUID binaries where operationally possible:
sudo chmod u-s /usr/bin/ssh-keysign
Note: Removing the SUID bit from ssh-keysign will break host-based authentication in SSH. Only apply this if you do not use that feature and have confirmed it is safe in your environment.
Do not apply SUID restrictions broadly without testing. These are supplementary measures, not replacements for patching.
How to Verify the Fix
After applying the kernel update and rebooting, verify the new kernel is active:
uname -r
Compare the output with the patched kernel version listed in your distribution's security advisory.
On RHEL-based systems:
sudo dnf updateinfo info security | grep CVE-2026-46333
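The checks from this guide (the ptrace_scope value, a kernel update that is installed but not yet booted, and SUID bits still set on ssh-keysign and chage) combined into one audit script. This is an added example, not part of the original guide; the function names are illustrative, /lib/modules is used as a heuristic for installed kernels, and the ssh-keysign path is the one given above and may differ on your distribution.

```bash
#!/bin/sh
# Added example (not from the guide); function names are illustrative.
# Classify a Yama ptrace_scope value (empty string = file absent, no Yama).
scope_status() {
  case "$1" in
    0) echo "WEAK: no Yama restriction" ;;
    1) echo "OK: descendants only" ;;
    2) echo "HARDENED: CAP_SYS_PTRACE only" ;;
    3) echo "HARDENED: attach disabled" ;;
    *) echo "UNKNOWN: Yama not available" ;;
  esac
}

# Newest release from a newline-separated list on stdin (version-aware sort,
# so 5.15.0-101 ranks above 5.15.0-97).
newest_kernel() { sort -V | tail -n 1; }

# Succeeds when stdin lists a kernel newer than the running one ($1): the
# update was installed but the host has not been rebooted into it.
reboot_pending() {
  newest=$(newest_kernel)
  [ -n "$newest" ] && [ "$newest" != "$1" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$newest" | newest_kernel)" = "$newest" ]
}

# Print each given path that exists and still has the SUID bit set.
suid_set() {
  for f in "$@"; do
    if [ -u "$f" ]; then echo "$f"; fi
  done
}

audit() {
  scope=""
  if [ -r /proc/sys/kernel/yama/ptrace_scope ]; then
    scope=$(cat /proc/sys/kernel/yama/ptrace_scope)
  fi
  echo "ptrace_scope: $(scope_status "$scope")"
  # Heuristic: each installed kernel normally has a /lib/modules/<release> dir.
  if ls /lib/modules 2>/dev/null | reboot_pending "$(uname -r)"; then
    echo "kernel: running $(uname -r), newer kernel installed: REBOOT NEEDED"
  else
    echo "kernel: running $(uname -r), no newer kernel under /lib/modules"
  fi
  # Paths as named in this guide; ssh-keysign lives elsewhere on some distros.
  suid_set /usr/bin/ssh-keysign /usr/bin/chage | sed 's/^/suid bit set: /'
}
audit
```

A clean result only means the newest installed kernel is the one running; confirm that version against your distribution's advisory.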
Distribution-Specific Notes
Red Hat Enterprise Linux
Monitor Red Hat's security portal for RHSA advisories referencing CVE-2026-46333. RHEL 9 and RHEL 8 are both affected. Check for updates:
sudo dnf updateinfo list cves | grep CVE-2026-46333
CloudLinux
CloudLinux published mitigations and kernel updates specifically addressing CVE-2026-46333. Check the CloudLinux blog for their specific guidance, as shared hosting environments are at elevated risk.
Ubuntu
Check Ubuntu Security Notices for USNs referencing CVE-2026-46333. Ubuntu 20.04 LTS, 22.04 LTS, and 24.04 LTS are all affected.
Debian
Debian Security Advisories referencing CVE-2026-46333 are published at debian.org/security.
Common Mistakes
- Assuming ptrace_scope is a full mitigation. Restricting ptrace scope reduces general attack surface but does not fully mitigate this specific race condition exploit. Patching is the only complete fix.
- Not rebooting after the kernel update. The patch is not active until the system boots into the new kernel. Always confirm with uname -r.
- Treating this as low priority because it is local-only. On multi-user systems and CI runners, local is often the first step after an initial compromise. The ability to read /etc/shadow and SSH private keys makes this a high-impact post-exploitation tool.
- Focusing only on internet-facing systems. Internal servers and build infrastructure are equally at risk if any user with a shell on those systems is untrusted.
Quick Checklist
- [ ] Identify all systems running kernels between v4.10 and the patched version
- [ ] Check distribution advisories for patched kernel versions
- [ ] Apply the kernel update
- [ ] Reboot each system
- [ ] Verify the patched kernel is running with uname -r
- [ ] Consider setting kernel.yama.ptrace_scope = 2 as a defence-in-depth measure on sensitive systems
- [ ] Rotate SSH host keys on any system where you cannot rule out prior exploitation
References
- NVD — CVE-2026-46333
- Qualys Threat Research — CVE-2026-46333 Analysis
- CloudLinux — CVE-2026-46333 Mitigation and Kernel Update
Summary
CVE-2026-46333 is a critical race condition in the Linux kernel ptrace subsystem affecting kernels since 2016. A local unprivileged user can exploit it to gain root privileges and read sensitive files including /etc/shadow and SSH private keys. The fix is a kernel update followed by a reboot. As a supplementary measure, setting kernel.yama.ptrace_scope to 2 reduces the general ptrace attack surface while the patch is being deployed. On systems where exploitation cannot be ruled out, rotating SSH host keys is advisable.