NEWS Nine years old with an open door. Linux protection fell due to an inconspicuous error in the kernel

pinkman

For years the problem lurked in the source files and slipped past even strict code reviews.

For nine years, the Linux kernel contained an error that could turn ordinary local access into full control of the system. The problem affects the standard installations of popular distributions, and a working exploit already exists, so administrators will have to check quickly for updates and for possible traces of leaks.

The vulnerability received the identifier CVE-2026-46333 and a score of 5.5 on the CVSS scale. The Qualys team linked the problem to incorrect privilege management in the function __ptrace_may_access(). The mistake appeared in November 2016 and went unnoticed for a long time.

According to Qualys, a local user without elevated privileges could access sensitive files and run arbitrary commands with root rights. Among the affected systems are the standard Debian, Fedora and Ubuntu installations. The vulnerability is also known as ssh-keysign-pwn.

Saeed Abbasi of Qualys explained that the mechanism found works reliably and turns an ordinary local shell into a path to root access or to protected credentials. A successful attack could reveal the contents of /etc/shadow and the private SSH host keys from /etc/ssh/_key, and also allow commands to be executed through attacks on chage, ssh-keysign, tributexec and-daemon.

Information about the problem appeared shortly after the publication of a working PoC exploit and a public change to the kernel code. CVE-2026-46333 became another serious Linux discovery of the past month, after Copy Fail, Dirty Frag and Fragnesia.

Qualys recommends installing the latest kernel updates from distribution vendors. If you cannot update quickly, raising the value of kernel.yama.ptrace_scope to 2 may serve as a temporary measure.

On servers where untrusted local users were active while the error existed, you should treat the SSH host keys and locally stored credentials as potentially disclosed, then replace the keys and review any administrative data that could have been in the memory of set-uid processes.
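
One way to verify the temporary measure, as an added example that is not part of the original post or of Qualys's advisory: a shell audit that checks both the running kernel.yama.ptrace_scope value and the last value persisted in sysctl configuration files. The function names, the sample files and the simplified file order are assumptions of this example.

```shell
# Added example (not from the original post): audit the ptrace_scope stopgap.
# Yama levels: 0 classic, 1 descendants only, 2 CAP_SYS_PTRACE required, 3 no attach.
classify_scope() {
    case "$1" in
        0|1) echo weak ;;      # below the recommended value of 2
        2|3) echo ok ;;
        *)   echo unknown ;;   # unset, missing, or unparsable
    esac
}

# Args: sysctl config files in applied order; the last assignment wins.
persisted_scope() {
    cat -- "$@" </dev/null 2>/dev/null | awk '
        /^[ \t]*[#;]/ { next }                       # comment lines
        {
            line = $0; sub(/^[ \t]*-?/, "", line)    # "-key" means ignore errors
            n = index(line, "="); if (n == 0) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            gsub("/", ".", key)                      # a/b/c spelling of a.b.c
            if (key == "kernel.yama.ptrace_scope") last = val
        }
        END { if (last == "") last = "unset"; print last }
    '
}

# $1: file with the runtime value; rest: config files. Succeeds only if both are >= 2.
audit_ptrace_scope() {
    rt_file=$1; shift
    runtime=$(cat "$rt_file" 2>/dev/null || echo missing)
    persisted=$(persisted_scope "$@")
    r=$(classify_scope "$runtime"); p=$(classify_scope "$persisted")
    echo "runtime=$runtime($r) persisted=$persisted($p)"
    [ "$r" = ok ] && [ "$p" = ok ]
}

# Constructed sample: a drop-in sets 2 but was never loaded, so runtime is still 1.
demo() {
    d=$(mktemp -d)
    echo 1 > "$d/runtime"
    printf '# hardening\nkernel.yama.ptrace_scope = 1\n' > "$d/10-ptrace.conf"
    printf 'kernel/yama/ptrace_scope=2\n' > "$d/99-stopgap.conf"
    audit_ptrace_scope "$d/runtime" "$d/10-ptrace.conf" "$d/99-stopgap.conf" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

# On a real host (simplified file order, an assumption of this example):
# audit_ptrace_scope /proc/sys/kernel/yama/ptrace_scope /etc/sysctl.d/*.conf /etc/sysctl.conf
```

A persisted value that is correct while the runtime value is still weak, as in the constructed sample, means the setting has not been loaded into the running kernel yet.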
 