Qualys warns of Linux kernel flaw exposing root access
Fri, 22nd May 2026
Qualys has disclosed a Linux kernel vulnerability, tracked as CVE-2026-46333, that affects default installations of several major Linux distributions.
The flaw is in the kernel's __ptrace_may_access() function and can let an unprivileged local user disclose sensitive files or run arbitrary commands as root. According to Qualys' Threat Research Unit, the vulnerable code has been present in mainline Linux since late 2016, and patches from upstream and distributors are now available.
Public exploit code is already circulating, increasing the urgency for administrators running multi-user systems, cloud workloads and developer environments where a low-privilege account could be used as a starting point for wider compromise.
How it works
Qualys found a narrow window in which a privileged process dropping its credentials can still be reached through ptrace-related operations. By combining that condition with the pidfd_getfd() system call, an attacker can capture open file descriptors and authenticated inter-process communication channels from a privileged process, then reuse them from an unprivileged account.
The research unit said the method is reliable enough to turn a local shell into root access or a path to sensitive credential material. To test the issue on mainstream distributions, it built four exploits against widely used userland targets.
The examples included chage, which can be abused to disclose /etc/shadow; ssh-keysign, which can expose SSH host private keys; pkexec, which can allow arbitrary commands to run as root; and accounts-daemon, which can also lead to arbitrary command execution as root. The tests were carried out on default installations of Debian 13, Ubuntu 24.04, Ubuntu 26.04, Fedora 43 and Fedora 44 across different scenarios.
Qualys said those four cases were selected from earlier research projects rather than from a full review of the Linux userland attack surface. It added that other set-uid, set-gid, file-capability binaries and root daemons may also be vulnerable through the same method.
Severity and scope
The flaw requires local access, but its impact can be severe. An attacker with an unprivileged shell on a vulnerable host may be able to read password hashes from /etc/shadow, extract SSH host keys or gain root execution through hijacked D-Bus links to systemd.
The risk extends well beyond traditional shared servers. Developer accounts obtained through phishing, low-privilege service accounts, constrained CI runners and users on multi-tenant systems could all provide a path to full host compromise.
The bug's long lifespan also broadens its reach. Because the affected code has been present in Linux for roughly nine years, exposure may extend across older enterprise estates, cloud images and container hosts that have not yet deployed a patched kernel.
Patches and mitigation
Kernel fixes have been committed upstream and packaged by multiple distributions, including Debian, Fedora, Red Hat, SUSE, AlmaLinux and CloudLinux. Administrators are urged to apply vendor kernel updates and to confirm that the kernel actually running is a fixed version.
Qualys also warned that organisations should treat SSH host keys and locally cached credentials as potentially disclosed on systems that allowed untrusted local users during the exposure period. In some cases, that could require host key rotation and a review of privileged material held in memory by set-uid processes.
For systems that cannot be patched immediately, Qualys pointed to an interim measure: setting kernel.yama.ptrace_scope to 2. That change blocks the currently public exploits because the pidfd_getfd() path is subject to the same ptrace access check that the setting tightens.
The mitigation comes with trade-offs. It can restrict debugging tools such as gdb -p, strace -p and perf record -p for non-root users, and it may affect some browser crash-reporting setups, container debugging functions, kdump helpers, and checkpoint-and-restore tools. Qualys also said the ptrace_scope setting is effectively one-way during runtime and usually cannot be lowered without a reboot.
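As an added example (not from Qualys or any distributor), the shell functions below audit a host for the two points above: whether kernel.yama.ptrace_scope is live and persisted at 2 or higher, and whether a newer kernel is installed but not yet booted. The function names, the single sysctl.d directory scanned and the use of /lib/modules to list installed kernels are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit the interim Yama mitigation and pending kernel reboot.
# Paths are parameters so the functions can run against constructed files.

# Classify the live value: 2 (admin-only attach) and 3 (no attach) both
# deny ptrace attach to unprivileged users.
yama_state() {
    f="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    [ -r "$f" ] || { echo "no-yama"; return 0; }
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        2|3) echo "mitigated" ;;
        0|1) echo "exposed" ;;
        *)   echo "unknown" ;;
    esac
}

# Value that applies after a reboot: files in name order, last assignment wins.
# Simplification (assumption): only one sysctl.d directory is scanned.
persisted_scope() {
    d="${1:-/etc/sysctl.d}"
    last=""
    for f in "$d"/*.conf; do
        [ -r "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*kernel\.yama\.ptrace_scope[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then last="$v"; fi
    done
    echo "${last:-unset}"
}

# "yes" when a kernel newer than the running one is installed but not booted.
# Assumes sort supports -V (GNU coreutils) and module dirs are named by release.
reboot_pending() {
    running="${1:-$(uname -r)}"
    d="${2:-/lib/modules}"
    newest=$({ ls -1 "$d" 2>/dev/null || true; echo "$running"; } | sort -V | tail -n 1)
    if [ "$newest" != "$running" ]; then echo "yes"; else echo "no"; fi
}

report() {
    echo "live ptrace_scope:   $(yama_state)"
    echo "persisted setting:   $(persisted_scope)"
    echo "newer kernel staged: $(reboot_pending)"
}

report
```

A staged kernel is not necessarily a fixed one, so its version still has to be compared against the distributor's advisory.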
Vendor detection
Alongside the disclosure, Qualys published detection coverage through a series of vulnerability identifiers tied to Linux kernel updates and distributor advisories. The entries cover Debian, Fedora, Red Hat, AlmaLinux, CloudLinux and SUSE, reflecting the spread of patched packages across the Linux ecosystem.
Saeed Abbasi, Senior Manager, Threat Research Unit at Qualys, said: "The bug has resided in mainline Linux since November 2016 (v4.10-rc1). Upstream patches and distribution updates are already available. Working exploits are circulating publicly, and administrators should apply vendor kernel updates without delay."