Linux kernel nine-year flaw
- Qualys disclosed CVE-2026-46333 on May 20, saying a Linux kernel authorization bypass can expose SSH keys and password hashes and enable root-level execution.
- The flaw dates to November 2016 in Linux v4.10-rc1, and Qualys said it tested working exploits on Debian, Ubuntu and Fedora defaults.
- The Linux kernel CVE team assigned the identifier on May 15; patches and distro advisories are now the next checkpoints.

Qualys disclosed a Linux kernel flaw this week that it said had sat in the codebase for nearly nine years and could let local attackers read sensitive files including SSH host private keys and password hashes. The bug, tracked as CVE-2026-46333, is an authorization bypass in the kernel’s `__ptrace_may_access` function, according to Qualys’ advisory. The company said the issue was introduced in November 2016 in Linux v4.10-rc1 and can be exploited for information disclosure and arbitrary command execution as root. The Linux kernel CVE team assigned the identifier on May 15.

### Where is the bug in the kernel?

Qualys said the flaw sits in the Linux kernel’s `__ptrace_may_access` path, which is used in permission checks around process inspection. In its May 20 advisory on the oss-security mailing list, the company described the issue as a “logic bug” and an “authorization bypass.” OpenCVE’s summary of the CVE says the problem involves ptrace permission checks relying on a dumpability flag in cases where the target task has no memory map. (openwall.com) That can let a process that reaches the check bypass intended restrictions under certain conditions, according to the CVE record.

### How old is it, and why does that matter?

Qualys said the flaw was introduced in November 2016 by commit `bfedb58`, which landed in v4.10-rc1. (openwall.com) That places the bug in the kernel for about nine years before public disclosure in May 2026. Kernel.org’s release information shows several longterm branches remain in use across the Linux ecosystem, including 6.18, 6.12, 6.6, 6.1, 5.15 and 5.10, while many systems run distribution-maintained kernels rather than stock kernel.org builds. (app.opencve.io) That means exposure and remediation depend heavily on vendor backports and distro-specific package updates, not just the upstream version number. (openwall.com)

### What can an attacker get from it?

Qualys said it built four exploits for the flaw. One disclosed `/etc/shadow`, exposing password hashes; another disclosed SSH host private keys from `/etc/ssh/*_key`; a third used `pkexec` to execute arbitrary commands as root in specific conditions; and a fourth targeted `accounts-daemon` for root command execution. (kernel.org) Infosecurity Magazine reported the flaw could let unprivileged local users read sensitive files, including SSH private keys and the system password hash. The Hacker News separately reported that the bug could lead to root command execution on major Linux distributions. Those reports matched the core findings in the Qualys advisory. (openwall.com)

### Which systems did researchers say they tested?

Qualys said it successfully tested the `chage` exploit on default installations of Debian 13, Ubuntu 24.04 and 26.04, and Fedora 43 and 44. It said the `ssh-keysign` exploit worked on default Debian 13 and Ubuntu 24.04 and 26.04 installations. The company said its `pkexec` exploit worked on Debian 13, Ubuntu Desktop 24.04 and 26.04, and Fedora Workstation 43 and 44. (infosecurity-magazine.com) It also said an `accounts-daemon` exploit worked on Debian 13 and Fedora Workstation 43 and 44, while noting Ubuntu was not affected in that case because it enables Yama ptrace protection by default with `kernel.yama.ptrace_scope=1`. (openwall.com)

### What should administrators watch now?

The Linux kernel CVE team assigned CVE-2026-46333 on May 15, according to a Qualys follow-up on oss-security. Since then, security coverage and proof-of-concept code have begun circulating publicly, increasing the value of checking vendor advisories and patch status on production Linux systems. Kernel.org says distribution kernels are usually supported through the operating system vendor rather than upstream kernel.org channels. (openwall.com) For most administrators, the next step is to track their distribution’s security advisory, confirm whether a backported fix has landed, and review where SSH host keys and other long-lived credentials are stored on affected systems. (kernel.org) (openwall.com)
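
For the review step above, an added triage example (not from Qualys or the article) that reports the running `kernel.yama.ptrace_scope` value, the value set in sysctl files, and the private host keys under `/etc/ssh`. The function names, the `ROOT` argument and the simplified sysctl precedence are assumptions of this example, and the output says nothing about whether the kernel is patched; that comes from the distribution's advisory.

```shell
#!/bin/sh
# Added triage example, not from the article or Qualys. Function names and the
# ROOT argument ($1) are illustrative: "" inspects the live system, any other
# value inspects a mounted image or a test fixture.

# Running Yama mode: 0 classic, 1 restricted, 2 admin-only, 3 no attach.
yama_runtime() (
  f="$1/proc/sys/kernel/yama/ptrace_scope"
  if [ -r "$f" ]; then cat "$f"; else echo absent; fi
)

# Value applied at boot. Simplified precedence (an assumption of this example):
# vendor files, then /etc/sysctl.d, then /etc/sysctl.conf; the last match wins.
yama_persisted() (
  val=unset
  for f in "$1"/usr/lib/sysctl.d/*.conf "$1"/etc/sysctl.d/*.conf "$1"/etc/sysctl.conf; do
    [ -r "$f" ] || continue
    v=$(sed -n 's/^[[:space:]]*kernel[./]yama[./]ptrace_scope[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$f" | tail -n 1)
    if [ -n "$v" ]; then val=$v; fi
  done
  echo "$val"
)

# Private host keys to include in a credential review; the glob skips *.pub.
host_keys() (
  for k in "$1"/etc/ssh/*_key; do
    if [ -f "$k" ]; then echo "$k"; fi
  done
)

# One-line summary flagging classic mode and runtime/boot drift.
yama_summary() (
  run=$(yama_runtime "$1"); boot=$(yama_persisted "$1")
  if [ "$run" = absent ]; then note=yama-not-available
  elif [ "$run" = 0 ]; then note=classic-ptrace-permissions
  elif [ "$boot" = unset ]; then note=not-set-in-sysctl-files
  elif [ "$boot" != "$run" ]; then note=runtime-differs-from-boot-config
  else note=ok; fi
  echo "runtime=$run boot=$boot note=$note"
)

yama_summary ""
host_keys ""
```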