A Linux kernel vulnerability that went undetected for nine years allows local privilege escalation on popular distributions. Security researchers from Qualys have disclosed details of CVE-2026-46333, which affects default installations of Debian, Fedora, and Ubuntu.
Cybersecurity researchers have disclosed details of a Linux kernel vulnerability that remained undetected for nine years. The flaw, tracked as CVE-2026-46333 and scored 5.5 (medium) on CVSS, is classed as improper privilege management; despite the modest score, Qualys reports that it lets an unprivileged local user disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions.
According to Qualys, which discovered the flaw, the problem lies in the kernel's __ptrace_may_access() function, the check that decides whether one process may attach to or inspect another, and was introduced in November 2016. "The primitive is reliable and turns any local shell into a path to root or to sensitive credential material," explained Saeed Abbasi, senior manager of Threat Research Unit at Qualys.
The vulnerability, codenamed "ssh-keysign-pwn," is serious because it defeats the kernel's ptrace access check, the control that is supposed to keep an unprivileged process from inspecting a privileged one. Successful exploitation lets a local attacker read sensitive files such as /etc/shadow and the host private keys under /etc/ssh/*_key, and execute arbitrary commands as root, through four exploit vectors that each target a privileged component:
- chage - A set-uid utility for modifying user password expiration information
- ssh-keysign - The set-uid OpenSSH helper that signs host-based authentication challenges with the host private key
- pkexec - The set-uid PolicyKit (polkit) front end for running a command as another user
- accounts-daemon - The AccountsService system service, running as root, that manages user accounts
The disclosure comes as a proof-of-concept (PoC) exploit was released last week, shortly after the fixing kernel commit became public. The fix is therefore available, but so is a working exploit, which raises the risk for systems that admit untrusted local users and have not yet applied updates.
"On hosts that have allowed untrusted local users during the exposure window, treat SSH host keys and locally cached credentials as potentially disclosed," Qualys advised in its security advisory. "Rotate host keys and review any administrative material that lived in the memory of set-uid processes."
For organizations unable to apply kernel updates immediately, Qualys recommends a temporary workaround: raise the kernel.yama.ptrace_scope sysctl to 2. At level 2 only a process holding CAP_SYS_PTRACE may attach to another process, which blocks this particular exploit; the Ubuntu default of 1 merely limits attach to descendant processes and, since default Ubuntu installations are affected, is not enough. The setting requires the Yama LSM, which the major distributions ship enabled, and it breaks any unprivileged tool that attaches to a running process, such as gdb -p, strace -p and user-level profilers, so schedule the change with that in mind. Level 3 is stricter still but cannot be lowered again without a reboot.
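As an added example (not code from Qualys or the kernel project), here is a POSIX shell script that reads the live Yama value, states what each level actually enforces, and writes the persistent sysctl drop-in. It assumes a Linux host with Yama built in; the drop-in file name is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not code from Qualys: audit and raise kernel.yama.ptrace_scope.
# Assumes a Linux host with the Yama LSM built in; the drop-in file name is
# an arbitrary choice.

SCOPE_FILE="${SCOPE_FILE:-/proc/sys/kernel/yama/ptrace_scope}"
DROPIN="${DROPIN:-/etc/sysctl.d/99-cve-2026-46333.conf}"

# What the kernel enforces at each Yama level. Level 1 (Ubuntu's default) only
# limits attach to descendants; only 2 and 3 stop an unprivileged user from
# attaching to an unrelated process.
ptrace_scope_meaning() {
    case "$1" in
        0) echo "classic: any process may attach to any other with the same uid" ;;
        1) echo "restricted: attach only to descendants (Ubuntu default)" ;;
        2) echo "admin-only: attach requires CAP_SYS_PTRACE" ;;
        3) echo "no-attach: ptrace attach disabled until reboot" ;;
        *) echo "unknown: $1"; return 1 ;;
    esac
}

# Print the current value from file $1, or fail when Yama is not present.
read_ptrace_scope() {
    [ -r "$1" ] || return 2
    tr -dc '0-9' < "$1"
}

# True when the value restricts attach to CAP_SYS_PTRACE holders (2 or 3).
ptrace_scope_blocks_attach() {
    [ "$1" -ge 2 ] 2>/dev/null
}

# The persistent setting; files in /etc/sysctl.d are applied at boot.
sysctl_dropin() {
    cat <<'EOF'
# Temporary mitigation for CVE-2026-46333 (Qualys "ssh-keysign-pwn").
# Remove once the fixed kernel is installed: it breaks unprivileged gdb -p / strace -p.
kernel.yama.ptrace_scope = 2
EOF
}

audit_ptrace_scope() {
    v=$(read_ptrace_scope "$SCOPE_FILE") || {
        echo "Yama sysctl not found; this workaround is unavailable on this kernel"
        return 2
    }
    echo "kernel.yama.ptrace_scope=$v ($(ptrace_scope_meaning "$v"))"
    if ptrace_scope_blocks_attach "$v"; then
        echo "OK: unprivileged ptrace attach is blocked"
    else
        echo "WARN: unprivileged ptrace attach still allowed; rerun with --apply as root"
        return 1
    fi
}

# Apply immediately with sysctl -w and persist the drop-in; needs root.
apply_ptrace_scope_2() {
    sysctl_dropin > "$DROPIN"
    sysctl -w kernel.yama.ptrace_scope=2
}

case "${1:-}" in
    --audit) audit_ptrace_scope ;;
    --apply) apply_ptrace_scope_2 && audit_ptrace_scope ;;
esac
```

Run the script with `--audit` to see the current state and with `--apply` as root to raise and persist the setting. It deliberately stops at 2 rather than 3: 3 is stricter but cannot be lowered again without a reboot, which makes it a poor fit for a workaround meant to be removed once the patched kernel is installed.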

CVE-2026-46333 is the latest in a series of security vulnerabilities disclosed in the Linux kernel over the past month, including Copy Fail, Dirty Frag, and Fragnesia. This pattern of vulnerabilities highlights the complexity of securing a large, open-source codebase that has evolved over decades.
Adding to the recent wave of Linux security concerns, researchers have also disclosed details of another local privilege escalation flaw called PinTheft that specifically targets Arch Linux systems. According to Zellic and the V12 security team, PinTheft exploits a vulnerability in the Reliable Datagram Sockets (RDS) module, specifically in the zerocopy send path.
"PinTheft is a Linux local privilege escalation exploit for an RDS zerocopy double-free that can be turned into a page-cache overwrite through io_uring fixed buffers," the researchers explained. "The bug lived in the RDS zerocopy send path. rds_message_zcopy_from_user() pins user pages one at a time. If a later page faults, the error path drops the pages it already pinned, and later RDS message cleanup drops them again because the scatterlist entries and entry count remain live after the zcopy notifier is cleared. Each failed zerocopy send can steal one reference from the first page."
The PinTheft exploit needs several conditions to hold: the RDS kernel module must be loaded, io_uring must be available to the attacker, a world-readable set-uid-root binary must be present, and the host must be x86_64 for the included payload to work.
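As an added example (not code from Zellic or V12), the following POSIX shell script checks a host for the preconditions above that configuration can influence and emits the modprobe rule that removes the first one. Paths are parameterised so the checks can be exercised against constructed input; the drop-in file name is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not code from Zellic or V12: audit a host for the conditions
# PinTheft needs and emit the modprobe rule that removes the first one.
# Paths are parameterised so the checks can run against constructed input;
# the drop-in file name is an arbitrary choice.

MODULES_FILE="${MODULES_FILE:-/proc/modules}"
IOURING_SYSCTL="${IOURING_SYSCTL:-/proc/sys/kernel/io_uring_disabled}"
MODPROBE_DROPIN="${MODPROBE_DROPIN:-/etc/modprobe.d/disable-rds.conf}"

# /proc/modules has one loaded module per line, name in the first field.
# Matching on $1 only keeps "rds" distinct from the "used by" column, where
# rds_tcp would list it.
module_loaded() {
    [ -r "$2" ] || return 1
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# The page-cache overwrite goes through io_uring fixed buffers, so io_uring
# must be usable by the attacker. kernel.io_uring_disabled (Linux 6.6+):
# 0 = enabled, 1 = root and io_uring_group members only, 2 = disabled.
# An absent sysctl means an older kernel with no switch, i.e. enabled.
io_uring_unprivileged() {
    [ -r "$1" ] || return 0
    [ "$(tr -dc '0-9' < "$1")" = "0" ]
}

# Set-uid files owned by uid $2 under $1 that are world-readable, i.e. the
# binaries an unprivileged user can read and therefore pick as a target.
readable_suid() {
    find "$1" -xdev -type f -uid "$2" -perm -4000 -perm -004 2>/dev/null
}

# "install rds /bin/false" stops modprobe from loading rds at all, including
# the kernel's request_module() autoload when a process calls
# socket(AF_RDS, ...); a bare "blacklist rds" line still allows an explicit
# "modprobe rds" and loading as a dependency.
rds_modprobe_dropin() {
    cat <<'EOF'
# Disable Reliable Datagram Sockets (PinTheft RDS zerocopy double free).
install rds /bin/false
EOF
}

audit_pintheft_preconditions() {
    hits=0
    if module_loaded rds "$MODULES_FILE"; then
        echo "rds: loaded (rmmod rds, then persist via $MODPROBE_DROPIN)"
        hits=$((hits + 1))
    elif modinfo -n rds >/dev/null 2>&1; then
        echo "rds: not loaded, but rds.ko is installed and socket(AF_RDS) can autoload it"
        hits=$((hits + 1))
    else
        echo "rds: not available"
    fi
    if io_uring_unprivileged "$IOURING_SYSCTL"; then
        echo "io_uring: usable by unprivileged users (kernel.io_uring_disabled=2 turns it off)"
        hits=$((hits + 1))
    else
        echo "io_uring: restricted"
    fi
    n=$(readable_suid / 0 | wc -l)
    echo "world-readable set-uid-root binaries: $n"
    if [ "$n" -gt 0 ]; then hits=$((hits + 1)); fi
    echo "architecture: $(uname -m) (included payload needs x86_64)"
    echo "preconditions present: $hits of 3"
    [ "$hits" -eq 0 ]
}

case "${1:-}" in
    --audit) audit_pintheft_preconditions ;;
    --dropin) rds_modprobe_dropin ;;
esac
```

Nearly every distribution ships world-readable set-uid-root binaries (sudo, passwd, the chage utility mentioned above), so that precondition is almost always met; the practical levers are keeping rds unloaded and, on Linux 6.6 or later, setting kernel.io_uring_disabled when no workload needs io_uring.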
These disclosures serve as a reminder of the ongoing challenges in securing complex operating systems, even those with extensive peer review processes. The Linux kernel's massive codebase, comprising tens of millions of lines of code across thousands of contributors, inevitably contains vulnerabilities that may remain hidden for years before being discovered.
For system administrators, the priority is to apply the available kernel updates as soon as possible. Where that cannot happen immediately, apply the recommended workarounds and watch for signs of unauthorized access. Since every vector described here requires a local account, organizations should also review who holds local shell access and tighten access controls to limit the impact of local privilege escalation flaws.
The discovery of these long-hidden vulnerabilities underscores the importance of continuous security assessment and the value of dedicated security research teams that systematically analyze complex codebases for potential flaws. As the Linux ecosystem continues to evolve, so too must the security practices surrounding it to ensure the protection of critical infrastructure worldwide.
