Qualys Warns Linux Flaw CVE-2026-46333 Lets Local Users Gain Root After 9 Years
4 articles · Updated · Qualys Blog · May 20
CVE-2026-46333 lets an unprivileged local user on default installs of Debian, Ubuntu and Fedora read sensitive files or run arbitrary commands as root, Qualys said in a full advisory released May 20.
The flaw sits in the Linux kernel function __ptrace_may_access() and, when paired with pidfd_getfd(), lets a local attacker steal file descriptors and authenticated IPC channels from privileged processes at the moment they drop their credentials.
Qualys built 4 working exploits against chage, ssh-keysign, pkexec and accounts-daemon, demonstrating reads of /etc/shadow and SSH host private keys as well as full root command execution; public exploit material is already circulating.
The vulnerable code has been in mainline Linux since v4.10-rc1 in November 2016, creating roughly 9 years of exposure across enterprise fleets, cloud images and container hosts.
Upstream fixes landed on May 14 and vendor kernel updates are available; administrators are urged to patch immediately, rotate potentially exposed SSH host keys and, if delayed, set kernel.yama.ptrace_scope to 2.
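A small POSIX shell check for the interim mitigation named above (kernel.yama.ptrace_scope set to 2), added here as an example; it is not part of the Qualys advisory or any distribution tooling. The file-path parameters and the sysctl drop-in file name are this example's own choices so the functions can be exercised against a constructed file.

```shell
#!/bin/sh
# Added example: audit and persist the interim ptrace_scope mitigation.
# Yama values: 0 = classic ptrace, 1 = restricted to descendants,
# 2 = admin-only (CAP_SYS_PTRACE), 3 = no attach at all.

YAMA_PATH_DEFAULT=/proc/sys/kernel/yama/ptrace_scope

# Classify the current setting: absent, invalid, weak or hardened.
# Optional $1 overrides the sysctl path (used for testing).
ptrace_scope_state() {
    path="${1:-$YAMA_PATH_DEFAULT}"
    [ -r "$path" ] || { echo absent; return 0; }   # Yama not built in
    val=$(tr -d '[:space:]' < "$path")
    case "$val" in
        0|1) echo weak ;;        # unprivileged ptrace still possible
        2|3) echo hardened ;;    # mitigation from the advisory in effect
        *)   echo invalid ;;
    esac
}

# Exit 0 when the mitigation is in place, 1 otherwise, with advice.
check_ptrace_mitigation() {
    state=$(ptrace_scope_state "$1")
    case "$state" in
        hardened)
            echo "ptrace_scope is $state: interim mitigation in effect"
            return 0 ;;
        *)
            echo "ptrace_scope is $state: install the vendor kernel update," \
                 "or set kernel.yama.ptrace_scope=2 until you can"
            return 1 ;;
    esac
}

# Persist the setting via a sysctl drop-in (directory is a parameter,
# default /etc/sysctl.d, which needs root). File name is this example's own.
write_ptrace_dropin() {
    dir="${1:-/etc/sysctl.d}"
    f="$dir/99-cve-2026-46333-ptrace.conf"
    printf 'kernel.yama.ptrace_scope = 2\n' > "$f" && echo "$f"
}
```

Run `check_ptrace_mitigation` on a host, then `write_ptrace_dropin` followed by `sysctl --system` (or `sysctl -w kernel.yama.ptrace_scope=2` for immediate effect). Note that value 2 also blocks unprivileged debugger and strace attaches to other processes, so plan for that on developer machines.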
CVE-2026-46333 ("ssh-keysign-pwn"): Critical Linux Kernel Race Condition Threatens System Integrity Across Multiple Distros
Overview
On May 14, 2026, a critical Linux kernel vulnerability tracked as CVE-2026-46333 ('ssh-keysign-pwn') was disclosed, allowing unprivileged local users to read sensitive root-owned files such as SSH host private keys and /etc/shadow. The flaw, classified as an information disclosure issue caused by improper privilege management, was found in the kernel's __ptrace_may_access() logic. Qualys led the initial disclosure and provided detection tools, releasing specific vulnerability signatures (QIDs) to help organizations identify affected systems. This vulnerability poses a serious risk to Linux environments, making immediate patching and key rotation essential.