A newly disclosed kernel vulnerability (CVE‑2026‑46333) lets unprivileged processes read files that should be restricted to root, including SSH private keys. The bug affects LTS kernels from 5.10 onward, but a patch is already in mainline. The article explains the legal exposure under GDPR and CCPA, the impact on users and organisations, and how the proposed ModuleJail script can reduce the attack surface for future incidents.
What happened
A local privilege‑escalation‑type bug in the Linux kernel, identified as CVE‑2026‑46333, was disclosed on 16 May 2026. The flaw resides in the ptrace subsystem’s get_dumpable() logic. By exploiting an unchecked path, an unprivileged user can invoke ptrace on a process owned by root and read the contents of any file that the traced process can open – even if that file is marked 0600 and intended solely for the root account.
In practice, an attacker who already has a foothold on a compromised machine can retrieve:
- SSH private keys stored in `~/.ssh/id_rsa`
- The `/etc/shadow` password hash file
- Any other credential store that runs with root privileges (e.g., GPG secret keys, Kubernetes service‑account tokens)
The vulnerability affects all LTS kernel branches from 5.10 through 7.0. Linus Torvalds merged a fix in commit 31e62c2 ("ptrace: slightly saner 'get_dumpable()' logic") on 17 May 2026, and distributions are expected to ship patches within days.

Legal basis for regulatory scrutiny
GDPR (EU)
Under Article 32 of the General Data Protection Regulation, controllers must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. A vulnerability that allows unauthorised reading of personal data – such as employee credentials – is a breach of the confidentiality principle. If the exposed data includes personal identifiers (e.g., employee names tied to SSH keys), the incident must be reported to the relevant supervisory authority within 72 hours under Article 33.
CCPA (California)
The California Consumer Privacy Act defines a “personal information breach” as the unauthorized acquisition of personal data that compromises privacy. Section 1798.150 requires businesses to notify affected California residents when such a breach is discovered. The kernel flaw can trigger this duty if the compromised files contain personal data, such as email addresses, usernames, or any information that can be linked to an individual.
Both regimes impose significant fines – up to €20 million or 4 % of global annual turnover for GDPR, and up to $7,500 per consumer per incident for CCPA – plus reputational damage.
Impact on users and companies
| Stakeholder | Direct risk | Potential regulatory consequence |
|---|---|---|
| Individual users | Exposure of private SSH keys, enabling attackers to impersonate them on other systems. | Personal data breach under GDPR/CCPA if the keys are linked to identifiable users. |
| Enterprises | Attackers can move laterally, harvest credentials for privileged accounts, and exfiltrate proprietary data. | Mandatory breach notification, possible fines, and increased scrutiny from auditors. |
| Cloud providers | Multi‑tenant hosts running vulnerable kernels could allow one tenant to read another tenant’s secret files. | May be deemed a failure of “reasonable security” under GDPR Article 32, leading to joint liability with customers. |
Even though the vulnerability is local, many threat actors gain initial access through phishing, vulnerable web applications, or supply‑chain compromises. Once inside, CVE‑2026‑46333 becomes a powerful post‑exploitation tool.
What changes are needed
Immediate steps
- Apply the kernel patch – all distributions should push updates promptly; administrators must reboot affected hosts.
- Audit file permissions – ensure that sensitive files are not world‑readable and that `chmod 600` is enforced.
- Review logs – look for suspicious `ptrace` activity (`auditd` can be configured to log `ptrace` calls).
- Notify regulators – if personal data may have been exposed, begin breach‑notification procedures within the statutory windows.
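The permission audit and log review steps above, as an added POSIX‑shell example that is not part of the article or of any tool it cites. It assumes x86_64 audit records (where syscall 101 is `ptrace`), an audit key named `ptrace_watch`, and the constructed sample records embedded below.

```shell
#!/bin/sh
# Added example (not from the article): helpers for the "audit file
# permissions" and "review logs" steps. Assumes x86_64 audit records
# (syscall=101 is ptrace) and an audit key named "ptrace_watch".

# Rule to load with auditctl (or drop into an /etc/audit/rules.d/ file,
# assumed name) so that auditd records every ptrace() call under that key.
ptrace_audit_rule() {
    printf '%s\n' '-a always,exit -F arch=b64 -S ptrace -k ptrace_watch'
}

# Print every regular file under $1 that is readable by group or others,
# i.e. anything looser than 0600. Octal -perm tests keep this portable.
files_not_owner_only() {
    find "$1" -type f \( -perm -004 -o -perm -040 \) -print
}

# Read audit SYSCALL records on stdin and print "uid comm a0" for each
# ptrace() call made by a non-root uid. Fields are auditd's key=value
# tokens; a0 is the ptrace request in hex (10 = PTRACE_ATTACH,
# 4206 = PTRACE_SEIZE). Root's own debuggers (uid=0) are left out.
flag_unprivileged_ptrace() {
    awk '
        /type=SYSCALL/ {
            uid = ""; comm = ""; a0 = ""; sc = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "syscall") sc   = kv[2]
                if (kv[1] == "uid")     uid  = kv[2]
                if (kv[1] == "comm")    comm = kv[2]
                if (kv[1] == "a0")      a0   = kv[2]
            }
            gsub(/"/, "", comm)
            if (sc == "101" && uid != "" && uid != "0") print uid, comm, a0
        }'
}

# Constructed sample records (not real log data) for an offline run.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1778947200.101:301): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=1234 a2=0 a3=0 uid=1001 auid=1001 comm="dbg" exe="/tmp/dbg" key="ptrace_watch"
type=SYSCALL msg=audit(1778947200.102:302): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=999 a2=0 a3=0 uid=0 auid=0 comm="gdb" exe="/usr/bin/gdb" key="ptrace_watch"
type=SYSCALL msg=audit(1778947200.103:303): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5555 a2=0 a3=0 uid=1001 auid=1001 comm="cat" exe="/bin/cat" key="ptrace_watch"'
```

Run `printf '%s\n' "$SAMPLE_AUDIT" | flag_unprivileged_ptrace` to see only the non‑root attach flagged; on a live host, feed it `ausearch -k ptrace_watch --raw` output instead.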
Longer‑term hardening – the ModuleJail proposal
Jasper Nuyens’ ModuleJail script offers a pragmatic way to shrink the kernel‑module attack surface. By generating a modprobe.d blacklist that disables every module not currently loaded, the system reduces the number of code paths an attacker can abuse, including future kernel bugs that rely on optional modules.
Key characteristics of ModuleJail:
- No daemon, no persistent service – it runs once and writes a static blacklist.
- POSIX‑shell only, making it portable across distributions.
- Whitelist support, allowing sysadmins to keep modules needed for hot‑plug devices (e.g., USB audio adapters).
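A minimal generator in the same spirit as the script described above, written here as an added example; it is not Jasper Nuyens’ ModuleJail. It assumes the `modules.dep` and `/proc/modules` formats shown in the constructed samples and a whitelist file with one module per line.

```shell
#!/bin/sh
# Added example in the spirit of ModuleJail (not the project's own script).
# Emits modprobe.d lines denying every module the kernel knows about that is
# neither loaded right now nor listed in a whitelist file. Assumed inputs:
# modules.dep ("path/name.ko: deps"), /proc/modules (name first), whitelist.

# modules.dep on stdin -> sorted, unique module names. Dashes become
# underscores because that is how the kernel reports names in /proc/modules.
available_modules() {
    sed -e 's/:.*//' -e 's|.*/||' -e 's/\.ko.*$//' -e 's/-/_/g' | sort -u
}

# /proc/modules on stdin -> sorted, unique names of loaded modules.
loaded_modules() {
    awk '{ print $1 }' | sort -u
}

# $1 = modules.dep file, $2 = /proc/modules file, $3 = whitelist file.
# For each denied module write a "blacklist" line (stops alias-based
# autoload) and an "install ... /bin/false" line (also blocks an explicit
# modprobe, which "blacklist" alone does not). Redirect the output to a
# file under /etc/modprobe.d/ (assumed location) to apply it.
modulejail_generate() {
    avail=$(mktemp) && keep=$(mktemp) || return 1
    available_modules < "$1" > "$avail"
    { loaded_modules < "$2"; sed 's/-/_/g' "$3"; } | sort -u > "$keep"
    comm -23 "$avail" "$keep" | while IFS= read -r mod; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$mod" "$mod"
    done
    rm -f "$avail" "$keep"
}

# Constructed sample inputs (not from any real host) for an offline run;
# prints the directory holding them.
make_samples() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'kernel/drivers/usb/class/cdc-acm.ko:' \
        'kernel/drivers/net/dummy.ko:' \
        'kernel/fs/nfs/nfs.ko: kernel/net/sunrpc/sunrpc.ko' \
        'kernel/net/sunrpc/sunrpc.ko:' \
        'kernel/sound/usb/snd-usb-audio.ko:' > "$dir/modules.dep"
    printf '%s\n' 'nfs 393216 0 - Live 0x0' \
        'sunrpc 409600 1 nfs, Live 0x0' > "$dir/proc_modules"
    printf '%s\n' 'snd-usb-audio' > "$dir/whitelist"
    printf '%s\n' "$dir"
}
```

With the samples, `nfs` and `sunrpc` are kept because they are loaded and `snd_usb_audio` because it is whitelisted, so only `cdc_acm` and `dummy` are denied; on a real host pass `/lib/modules/$(uname -r)/modules.dep` and `/proc/modules`.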
While ModuleJail is not a substitute for patching, it complements traditional hardening:
- Fewer modules mean fewer potential vectors for module‑loading exploits (e.g., CVE‑2021‑3493).
- Reducing the kernel’s dynamic footprint can simplify audit and compliance checks, making it easier to demonstrate “reasonable security” under GDPR Article 32.
Recommendations for organisations
- Integrate ModuleJail into the baseline image for servers that have a stable hardware profile.
- For laptops or workstations, maintain a dynamic whitelist that is refreshed when new peripherals are attached.
- Combine ModuleJail with kernel hardening flags (`CONFIG_STRICT_DEVMEM`, `CONFIG_DEBUG_RODATA`) and mandatory access controls (SELinux, AppArmor) to create defense‑in‑depth.
- Document the hardening process in the organisation’s security policy to provide evidence of compliance during audits.
Looking ahead
CVE‑2026‑46333 illustrates how a seemingly modest kernel bug can have outsized privacy implications. Regulators are increasingly treating software‑level vulnerabilities as data‑protection failures, not merely IT incidents. Companies that proactively patch, audit, and adopt systematic hardening measures—such as the lightweight ModuleJail script—will be better positioned to meet the “state‑of‑the‑art” security expectations embedded in GDPR and CCPA.
Bottom line: Apply the kernel fix immediately, assess any exposure of personal data, and consider deploying ModuleJail to reduce the attack surface for future kernel‑level flaws.
Sources: Linux kernel commit 31e62c2, Qualys advisory on oss‑security mailing list, KnightLi blog analysis, Jasper Nuyens’ ModuleJail repository, GDPR text (EU‑Official Journal), CCPA statutory provisions.
