CVE-2026-46333

Published May 15, 2026

Last updated 4 days ago

CVSS high 7.1
Linux Kernel
Ubuntu
Port (22)
Ptrace

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-46333, publicly known as "ssh-keysign-pwn," is a local information disclosure vulnerability found in the Linux kernel. The flaw resides within the `__ptrace_may_access()` function, which is part of the kernel's `ptrace` access-check logic. This vulnerability arises during the process exit sequence of privileged programs. Specifically, a brief window exists where the kernel releases a process's memory before closing its file descriptors. An unprivileged local user can exploit this timing window to intercept and read sensitive files that were opened by the privileged process, such as SSH host private keys or the contents of `/etc/shadow`.

Description
In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.
Source
416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD status
Modified
Products
linux_kernel, debian_linux

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.1
Impact score
5.2
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Severity
HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-269
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
CWE-269

Social media

Hype score
Not currently trending
  1. If you’re looking to reduce your attack surface without the weekend emergency maintenance, start by simplifying your configurations. Here's how we're mitigating CVE-2026-46333, CVE-2026-49160, and CVE-2026-53435. https://t.co/vafkiqM0jA

    @vicariusltd

    2 Jul 2026

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2026-46333. Source: X search for CVE-2026 critical Posted: 2026-05-18T00:48:00.000Z Likes: 24

    @lyrie_ai

    6 Jun 2026

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  3. Oracle issued advisories for Oracle Linux 7, 8 and 9 fixing CVE-2026-46300 and CVE-2026-46333 that allow denial of service and privilege escalation in kernels 5.4, 5.15 and 6.12, according to Oracle. https://t.co/cMIsksTcuc

    @threatcluster

    4 Jun 2026

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Top 5 Trending CVEs: 1 - CVE-2026-8732 2 - CVE-2026-23631 3 - CVE-2026-25243 4 - CVE-2026-46333 5 - CVE-2026-23479 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    4 Jun 2026

    94 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 🔒 Security & Open Source Roundup — May 31, 2026 ━━━━━━━━━━━━━━━━━━━━━━ 1️⃣ 9-Year-Old Linux Kernel Bug Grants Local Root on Debian, Ubuntu & Fedora @TheHackersNews reveals CVE-2026-46333 — a long-standing flaw buried

    @TraffAlex

    30 May 2026

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. While I wait for my agents to finish some work, a short post on the part of CVE-2026-46333 I find most interesting: Unix design bug. Imperfect analogies and cute/cringe images included. Privileged Unix code lives like this: a marionette whose strings hang down into the https://t

    @julianor

    30 May 2026

    414 Impressions

    2 Retweets

    3 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  7. Linux kernel の脆弱性 CVE-2026-46333 が FIX:SSH キー窃取や root 権限昇格の恐れ https://t.co/OLZ6pyFXca Linux kernel の脆弱性 CVE-2026-46333 は、プロセス同士のアクセス権を検証する __ptrace_may_access()

    @iototsecnews

    28 May 2026

    82 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. A new vulnerability, CVE-2026-46333 with a CVSS score of 5.5, has been identified. Organizations should assess their exposure and update defenses accordingly. #CyberSecurity #Vulnerability

    @jlabernathy

    24 May 2026

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2026-46333: Local Root Privilege Escalation and Credential Disclosure in the Linux Kernel ptrace Path | Qualys https://t.co/gR2vnOB9hm

    @ly2314

    23 May 2026

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. 1/ From all the recent writeups, I pick a few to read carefully and enjoy while drinking 🧉 and eating chipa, the way I did before with every (yes) Bugtraq post. This week: Qualys ptrace LPE, CVE-2026-46333 — no AI Linux PDF RCE, CVE-2026-46529 — human+AI Both are worth re

    @julianor

    23 May 2026

    3378 Impressions

    8 Retweets

    42 Likes

    19 Bookmarks

    1 Reply

    0 Quotes

  11. 🏮 Hot off the press: 3 new vulnerability research articles that everyone should read: - art-template npm compromise delivered a Coruna-like iOS exploit kit (Critical 🔴) - CVE-2025-34291: Langflow CORS and refresh-token chain reaches RCE (Critical 🔴) - CVE-2026-46333: Lin

    @asadeddin

    22 May 2026

    383 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  12. LinkedIn 🏮 Hot off the press: 3 new vulnerability research articles that everyone should read: - art-template npm compromise delivered a Coruna-like iOS exploit kit (Critical 🔴) - CVE-2025-34291: Langflow CORS and refresh-token chain reaches RCE (Critical 🔴) - CVE-2026-4

    @asadeddin

    22 May 2026

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. Top 5 Trending CVEs: 1 - CVE-2026-42945 2 - CVE-2026-46333 3 - CVE-2026-9082 4 - CVE-2026-31431 5 - CVE-2025-34291 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    22 May 2026

    267 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. Top 5 Trending CVEs: 1 - CVE-2026-42945 2 - CVE-2026-46333 3 - CVE-2026-0265 4 - CVE-2020-2033 5 - CVE-2026-33278 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    21 May 2026

    145 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  15. ssh-keysign-pwn (CVE-2026-46333) Patches Released: https://t.co/wRIaDUPCuo

    @CertDepot

    20 May 2026

    65 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. CVE-2026-46333: Local Root Privilege Escalation and Credential Disclosure in the Linux Kernel ptrace Path: The Qualys Threat Research Unit (TRU) has discovered and published the full advisory for CVE-2026-46333, a logic flaw in the Linux kernel’s… https://t.co/tNYuqpUOw3 http

    @shah_sheikh

    20 May 2026

    94 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. Top 5 Trending CVEs: 1 - CVE-2020-17103 2 - CVE-2026-8507 3 - CVE-2026-3854 4 - CVE-2026-46333 5 - CVE-2025-54957 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    20 May 2026

    382 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    1 Quote

  18. CVE-2026-46333 (ssh-keysign-pwn) Linux kernel vulnerability mitigations https://t.co/aYa5vrl1DV #ubuntu CVE-2026-46333 (ssh-keysign-pwn)Смягчение последствий уязвимости ядра Linux.

    @nicholas198603

    20 May 2026

    79 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. AI Discovers CVE-2026-46333 Linux Kernel Vulnerability #devopsish https://t.co/8ElwqTsKFi https://t.co/itQsFI8TS9

    @ChrisShort

    19 May 2026

    148 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Linux kernel ptrace exit race ("ssh-keysign-pwn") CVE: CVE-2026-46333 PT ID: PT-2026-41298 Vendor: Linux Product: Linux CVSS: n/a Credits: n/a Description: A local privilege escalation flaw in the Linux kernel caused by a race condition in the ptrace access check during process

    @ptdbugs

    18 May 2026

    224 Impressions

    1 Retweet

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  21. Top 5 Trending CVEs: 1 - CVE-2026-41089 2 - CVE-2023-38606 3 - CVE-2020-17103 4 - CVE-2026-46333 5 - CVE-2026-20182 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    18 May 2026

    159 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  22. Linux Kernel ptrace Exit-race / ssh-keysign-pwn Vulnerability (CVE-2026-46333) https://t.co/uDfkrTWygo #patchmanagement

    @eyalestrin

    17 May 2026

    127 Impressions

    0 Retweets

    0 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  23. Top 5 Trending CVEs: 1 - CVE-2026-42945 2 - CVE-2026-46333 3 - CVE-2020-17103 4 - CVE-2026-41089 5 - CVE-2026-42897 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    17 May 2026

    116 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. またLinux kernelの脆弱性ですか。CVE-2026-46333 ssh-keysign-pwn https://t.co/tRPsEh33tU

    @ssa_noarch

    17 May 2026

    133 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. NVD - CVE-2026-46333 ["ssh-keysign-pwn"] Direct: https://t.co/P915QjZ8fJ https://t.co/rkf0YJZLZP

    @NewMaxxSSD

    16 May 2026

    73 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. ช่องโหว่ใหม่ linux มาอีกแล้ววววว cve-2026-46333 เปิดช่องให้ local process อ่านไฟล์อะไรก็ได้ในเครื่อง... ไม่แย่เท่าช่องโหว

    @icez

    16 May 2026

    302 Impressions

    0 Retweets

    1 Like

    2 Bookmarks

    1 Reply

    0 Quotes

  27. ssh-keysign-pwn (CVE-2026-46333): Kernel ptrace Race Leaks Root Secrets https://t.co/FdEHVYAi6U

    @jedisct1

    16 May 2026

    1224 Impressions

    1 Retweet

    9 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  28. CVE-2026-46333 analyse de ssh-keysign-pwn : https://t.co/qQZzrO7kpD

    @cloudappai

    16 May 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. Neue Linux Kernel Schwachstelle ssh-keysign-pwn (CVE-2026-46333) https://t.co/N3CYLtTlbV

    @etguenni

    16 May 2026

    253 Impressions

    1 Retweet

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  30. [긴급] 리눅스 커널, ptrace ssh-keysign-pwn 레이스컨디션 취약점(CVE-2026-46333) (출처 : Virus My.. | 블로그) https://t.co/n5sbirlp2p

    @virusmyths

    16 May 2026

    109 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

  1. In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: Fix use-after-free when processing MLD queries When processing an MLD query, a pointer to the multicast group address is retrieved when initially parsing the packet. This pointer is later dereferenced without being reloaded despite the fact that the skb header might have been reallocated following the pskb_may_pull() calls, leading to a use-after-free [1]. Fix by copying the multicast group address when the packet is initially parsed. [1] BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512) Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118 Workqueue: mld mld_query_work Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120) print_address_description.constprop.0 (mm/kasan/report.c:378) print_report (mm/kasan/report.c:482) kasan_report (mm/kasan/report.c:595) __mld_query_work (net/ipv6/mcast.c:1512) mld_query_work (net/ipv6/mcast.c:1563) process_one_work (kernel/workqueue.c:3314) worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478) kthread (kernel/kthread.c:436) ret_from_fork (arch/x86/kernel/process.c:158) ret_from_fork_asm (arch/x86/entry/entry_64.S:245) </TASK> [...] Freed by task 118: kasan_save_stack (mm/kasan/common.c:57) kasan_save_track (mm/kasan/common.c:78) kasan_save_free_info (mm/kasan/generic.c:584) __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285) kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566) pskb_expand_head (net/core/skbuff.c:2335) __pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4)) __mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1)) mld_query_work (net/ipv6/mcast.c:1563) process_one_work (kernel/workqueue.c:3314) worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478) kthread (kernel/kthread.c:436) ret_from_fork (arch/x86/kernel/process.c:158) ret_from_fork_asm (arch/x86/entry/entry_64.S:245)CVE-2026-53275

References

Sources include official advisories and independent security research.