Qualys Threat Research Unit (TRU) has published an advisory for CVE-2026-46333, a local logic flaw in the Linux kernel’s __ptrace_may_access() function that it says could allow an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions.
According to Qualys, the bug has been present in mainline Linux since November 2016 (v4.10-rc1). The advisory says upstream patches and distribution updates are available, and that public exploit code is circulating.
Qualys said its researchers identified a “narrow window” during which a privileged process dropping credentials could remain reachable through ptrace-related operations, and that by combining this with the pidfd_getfd() syscall (added in v5.6-rc1, January 2020), an attacker could capture open file descriptors and authenticated inter-process channels from a privileged process and re-use them under their own user ID.
To illustrate potential impact, Qualys said it built four exploits against commonly deployed userland targets, including chage (to disclose /etc/shadow), ssh-keysign (to disclose SSH host private keys), pkexec (to execute commands as root under certain conditions), and accounts-daemon (to execute commands as root). It said other set-uid, set-gid, file-capability binaries and root daemons could also be exploitable.
The advisory frames the issue as “local-only” but high impact, warning that any unprivileged shell on a vulnerable host could be enough to access credential material or escalate to root. Qualys said the affected code has been shipping for years across enterprise fleets, cloud images and container hosts.
Qualys said it privately reported the issue to the upstream Linux kernel security contact on 2026-05-11, and that a patch was committed publicly on 2026-05-14 after review. It said it then engaged the linux-distros mailing list for downstream coordination, but that an independent exploit derived from the public kernel commit later appeared, prompting discussion to move to the public oss-security list.
In its recommended actions, Qualys urged administrators to apply vendor kernel updates so systems run a fixed kernel, and to consider rotating SSH host keys and reviewing locally cached credentials on hosts where untrusted local users may have had access. As an interim measure where patching must wait, Qualys suggested raising kernel.yama.ptrace_scope to 2 (admin-only attach), noting this can block the public exploits but may disrupt some debugging and crash reporting workflows.
