Cybersecurity researchers have disclosed particulars of a vulnerability within the Linux kernel that remained undetected for 9 years.
The vulnerability, tracked as CVE-2026-46333 (CVSS rating: 5.5), is a case of improper privilege administration that would allow an unprivileged native consumer to reveal delicate information and execute arbitrary instructions as root on default installations of a number of main distributions like Debian, Fedora, and Ubuntu. It is also codenamed ssh-keysign-pwn.
In line with Qualys, which found the flaw, the issue is rooted within the kernel’s __ptrace_may_access() perform and was launched in November 2016.
“The primitive is dependable and turns any native shell right into a path to root or to delicate credential materials,” Saeed Abbasi, senior supervisor of Menace Analysis Unit at Qualys, stated.
Profitable exploitation of the flaw might allow an area attacker to reveal /and many others/shadow and host personal keys below /and many others/ssh/*_key, in addition to execute arbitrary instructions as root by 4 totally different exploits focusing on chage, ssh-keysign, pkexec, and accounts-daemon.
The disclosure comes as a proof-of-concept (PoC) exploit for the vulnerability was launched final week, shortly after a public kernel commit emerged. CVE-2026-46333 is the most recent security vulnerability disclosed within the Linux kernel after Copy Fail, Soiled Frag, and Fragnesia over the previous month.
It is beneficial to use the most recent kernel replace launched by Linux distributions. If the updates can’t be carried out instantly, momentary workarounds embody elevating “kernel.yama.ptrace_scope” to 2.
“On hosts which have allowed untrusted native customers throughout the publicity window, deal with SSH host keys and regionally cached credentials as doubtlessly disclosed,” Qualys stated. “Rotate host keys and evaluate any administrative materials that lived within the reminiscence of set-uid processes.”
The event follows the discharge of a PoC for an area privilege escalation flaw referred to as PinTheft that enables native attackers to achieve root privileges on Arch Linux methods. The exploit requires the Dependable Datagram Sockets (RDS) module to be loaded on the goal system, io_ring to be enabled, a readable SUID-root binary, and x86_64 help for the included payload.
“PinTheft is a Linux native privilege escalation exploit for an RDS zerocopy double-free that may be changed into a page-cache overwrite by io_uring fastened buffers,” Zellic and the V12 security staff stated.
“The bug lived within the RDS zerocopy ship path. rds_message_zcopy_from_user() pins consumer pages one after the other. If a later web page faults, the error path drops the pages it already pinned, and later RDS message cleanup drops them once more as a result of the scatterlist entries and entry rely stay dwell after the zcopy notifier is cleared. Every failed zerocopy ship can steal one reference from the primary web page.”
