DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-46333: Local Information Disclosure in Linux Kernel Process Exit Path


Vulnerability ID: CVE-2026-46333
CVSS Score: 7.1
Published: 2026-05-15

CVE-2026-46333 is a high-severity race condition in the Linux kernel process management subsystem, specifically involving the get_dumpable() logic during process exit. Local attackers can exploit this timing window to hijack file descriptors belonging to privileged SUID/SGID processes, leading to the disclosure of sensitive files such as SSH private keys and shadow password hashes.

TL;DR

A race condition in the Linux kernel process exit sequence allows local unprivileged users to steal open file descriptors from SUID processes. By targeting binaries like ssh-keysign, attackers can read root-owned files such as SSH host keys.


⚠️ Exploit Status: WEAPONIZED

Technical Details

  • Vulnerability Class: Race Condition (CWE-362)
  • Attack Vector: Local (AV:L)
  • CVSS v3.1 Score: 7.1 (High)
  • EPSS Score: 0.01% (0.44th percentile)
  • Exploit Status: Weaponized PoC Available
  • CISA KEV: Not Listed
  • Primary Target: /usr/lib/openssh/ssh-keysign

Affected Systems

  • Linux Kernel
  • Ubuntu
  • Red Hat Enterprise Linux
  • Linux Kernel Mainline: < 7.1-rc4 (Fixed in: 7.1-rc4)
  • Linux Kernel Stable (6.18.x): < 6.18.31 (Fixed in: 6.18.31)
  • Ubuntu Linux: 14.04 - 26.04 (Fixed in: TBD)

Code Analysis

Commit: 93d4ba4

Fix get_dumpable() logic for tasks without an mm

Introduced saved_dumpable cache in task_struct and enforced CAP_SYS_PTRACE checks for threads without an mm pointer.

Exploit Details

  • GitHub: High-quality C implementation of the race condition exploit targeting ssh-keysign.

Mitigation Strategies

  • Upgrade the Linux kernel to a version containing commit 93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6.
  • Restrict ptrace access globally using the Yama security module.
  • Monitor audit logs for unexpected pidfd_getfd usage or unprivileged ptrace attempts against SUID binaries.
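The monitoring suggestion above, as an added example that is not part of the advisory or of the exploit repository it links: an auditd rule that records ptrace and pidfd_getfd calls made by unprivileged users, and an awk filter that triages the resulting SYSCALL records. The audit key, the sample records and the paths inside them are constructed; the syscall numbers the filter maps to names (101 and 438) are the x86_64 values.

```shell
#!/bin/sh
# Added example, not from the advisory: audit rules plus a triage filter for
# the two primitives the advisory says to watch (ptrace and pidfd_getfd by
# unprivileged users). Syscall numbers are x86_64 (ptrace=101,
# pidfd_getfd=438); the key name and the sample records are constructed.

KEY="cve-2026-46333-fd-hijack"   # constructed audit key

# audit_rules: print a rule for /etc/audit/rules.d/ (or feed it to auditctl).
# auid>=1000 with auid!=unset restricts logging to real logged-in users,
# which keeps the volume manageable on a busy host.
audit_rules() {
    printf '%s\n' "-a always,exit -F arch=b64 -S ptrace -S pidfd_getfd -F auid>=1000 -F auid!=unset -k $KEY"
}

# triage_audit_log FILE: for each SYSCALL record carrying our key whose
# uid is not root, print "<syscall-name> auid=<n> exe=<path>". Records from
# other keys, and ptrace by root (an admin running a debugger under sudo),
# are skipped.
triage_audit_log() {
    awk -v key="\"$KEY\"" '
        $1 == "type=SYSCALL" {
            sc = ""; auid = ""; uid = ""; exe = ""; k = ""
            for (i = 2; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                name = substr($i, 1, n - 1); val = substr($i, n + 1)
                if (name == "syscall") sc = val
                else if (name == "auid") auid = val
                else if (name == "uid") uid = val
                else if (name == "exe") exe = val
                else if (name == "key") k = val
            }
            if (k != key || uid == "0") next
            if (sc == "101") label = "ptrace"
            else if (sc == "438") label = "pidfd_getfd"
            else label = "syscall=" sc
            print label " auid=" auid " exe=" exe
        }' "$1"
}

# sample_log: constructed records in auditd SYSCALL format. The first two
# are from an unprivileged process, the third is a root debugger session,
# the fourth belongs to an unrelated rule; only the first two should be flagged.
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1778803200.101:2001): arch=c000003e syscall=438 success=yes exit=4 a0=5 a1=3 a2=0 a3=0 items=0 ppid=2200 pid=2211 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="racer" exe="/tmp/racer" key="cve-2026-46333-fd-hijack"
type=SYSCALL msg=audit(1778803200.102:2002): arch=c000003e syscall=101 success=no exit=-1 a0=10 a1=8a3 a2=0 a3=0 items=0 ppid=2200 pid=2212 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="racer" exe="/tmp/racer" key="cve-2026-46333-fd-hijack"
type=SYSCALL msg=audit(1778803200.103:2003): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=8a4 a2=0 a3=0 items=0 ppid=2300 pid=2301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="gdb" exe="/usr/bin/gdb" key="cve-2026-46333-fd-hijack"
type=SYSCALL msg=audit(1778803200.104:2004): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd a2=0 a3=0 items=1 ppid=2400 pid=2401 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="file-access"
EOF
}

# Stand-alone run: print the rule, then triage the constructed sample.
# On a real host: triage_audit_log /var/log/audit/audit.log
audit_rules
tmp=$(mktemp); sample_log > "$tmp"; triage_audit_log "$tmp"; rm -f "$tmp"
```

The uid filter is what keeps this usable: ptrace by root is routine (debuggers, strace under sudo), while ptrace or pidfd_getfd from an unprivileged session against anything other than the user's own short-lived children is rare enough to review by hand. Pair the output with the pid/ppid fields to see what the caller was targeting.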

Remediation Steps:

  1. Verify the current kernel version using 'uname -r'.
  2. Apply updates via the distribution package manager (e.g., 'apt upgrade linux-image-generic' or 'dnf update kernel').
  3. Reboot the system to load the patched kernel.
  4. If patching is delayed, execute 'sudo sysctl -w kernel.yama.ptrace_scope=2' as a temporary measure.
  5. Persist the workaround by running 'echo "kernel.yama.ptrace_scope=2" | sudo tee /etc/sysctl.d/99-ptrace.conf'.
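The remediation steps above as one script, an added example that is not from the advisory: kernel_status classifies a `uname -r` string against the fixed versions listed under Affected Systems, ptrace_scope_hardened checks whether the Yama workaround is in force, and advise combines the two into a recommendation. Assumptions: Yama's sysctl is exposed at /proc/sys/kernel/yama/ptrace_scope, mainline releases after 7.1 carry the fix, and any kernel series the advisory does not list is reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a kernel release against
# the fixed versions the advisory lists and confirm the Yama workaround.
# Assumptions: Yama's sysctl is at /proc/sys/kernel/yama/ptrace_scope, and
# mainline releases after 7.1 carry the fix.

# kernel_status RELEASE: classify a `uname -r` string.
#   fixed      -> 6.18.31 or later 6.18.x; 7.1-rc4 or later (7.1 final included)
#   vulnerable -> earlier 6.18.x; 7.1-rc1..rc3
#   unknown    -> any series the advisory does not list (distribution kernels
#                 may carry a backport; check the package changelog instead)
kernel_status() {
    rel=$1
    base=${rel%%-*}                      # "6.18.30-generic" -> "6.18.30"
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0    # "7.1" has no third field
    patch=${patch%%[!0-9]*}
    [ -n "$patch" ] || patch=0
    case "$major$minor" in *[!0-9]*|"") echo unknown; return ;; esac
    rc=""
    case $rel in
        *-rc[0-9]*) rc=${rel##*-rc}; rc=${rc%%[!0-9]*} ;;
    esac

    if [ "$major" -eq 6 ] && [ "$minor" -eq 18 ]; then
        if [ "$patch" -ge 31 ]; then echo fixed; else echo vulnerable; fi
    elif [ "$major" -eq 7 ] && [ "$minor" -eq 1 ]; then
        if [ -z "$rc" ] || [ "$rc" -ge 4 ]; then echo fixed; else echo vulnerable; fi
    elif [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -gt 1 ]; }; then
        echo fixed                       # assumption: later mainline includes the commit
    else
        echo unknown
    fi
}

# ptrace_scope_hardened [FILE]: true when Yama ptrace_scope is 2 or 3, i.e.
# the temporary measure from step 4 (ptrace only with CAP_SYS_PTRACE, or
# disabled entirely) is in force. FILE defaults to the live sysctl.
ptrace_scope_hardened() {
    f=${1:-/proc/sys/kernel/yama/ptrace_scope}
    [ -r "$f" ] || return 1              # Yama absent: treat as not hardened
    v=$(tr -dc 0-9 < "$f")
    [ -n "$v" ] && [ "$v" -ge 2 ]
}

# advise RELEASE [SCOPE_FILE]: one-line recommendation for the host.
advise() {
    if [ "$(kernel_status "$1")" = fixed ]; then
        echo "patched: $1 contains the fix for CVE-2026-46333"
    elif ptrace_scope_hardened "${2:-}"; then
        echo "workaround active: ptrace_scope>=2, still schedule the kernel update"
    else
        echo "exposed: run 'sudo sysctl -w kernel.yama.ptrace_scope=2' and update the kernel"
    fi
}

# Stand-alone run on the current host (only meaningful on Linux).
if [ "$(uname -s)" = Linux ]; then
    advise "$(uname -r)"
fi
```

The unknown result is deliberate: a distribution kernel such as Ubuntu's reports an upstream base version, and the advisory lists its fix as TBD, so the package changelog rather than `uname -r` is the authority there. Note also that ptrace_scope=2 narrows the attack surface but is not a patch; the script keeps recommending the kernel update even when the workaround is in place.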


Read the full report for CVE-2026-46333 on our website for more details including interactive diagrams and full exploit analysis.
