Logic bug in the Linux kernel's __ptrace_may_access() function (CVE-2026-46333)

https://lobste.rs/rss
Summary

Qualys Security Advisory

Logic bug in the Linux kernel's __ptrace_may_access() function (CVE-2026-46333)

========================================================================
Contents
========================================================================

Summary
Analysis
Case study: chage
Case study: ssh-keysign
Case study: pkexec
Case study: accounts-daemon
Acknowledgments
Timeline

========================================================================
Summary
========================================================================

We discovered a logic bug (an authorization bypass) in the Linux kernel's __ptrace_may_access() function. This vulnerability is locally exploitable for information disclosure and arbitrary command execution as root. To the best of our knowledge, it was introduced in November 2016 (v4.10-rc1) by commit bfedb58 ("mm: Add a user_ns owner to mm_struct and fix ptrace permission checks").

We developed four different exploits for this vulnerability (all of them rely on the pidfd_getfd() syscall, which was introduced in January 2020 (v5.6-rc1), but other exploitation methods might exist):

- An exploit against chage (a set-uid-root or set-gid-shadow binary), which allows a local attacker to disclose the contents of /etc/shadow (the system's password hashes). We successfully tested this exploit on the default installations of Debian 13, Ubuntu 24.04 and 26.04, Fedora 43 and 44; other distributions may also be exploitable.

- An exploit against ssh-keysign (a set-uid-root binary), which allows a local attacker to disclose the host's private keys (/etc/ssh/*_key). We successfully tested this exploit on the default installations of Debian 13, Ubuntu 24.04 and 26.04; other distributions may also be exploitable.

- An exploit against pkexec (a set-uid-root binary), which allows a local attacker to execute arbitrary commands as root if the real user of the computer is physically sitting at it (the attacker however can be remotely logged in to the co...

First seen: 2026-05-20 19:46

Last seen: 2026-05-21 14:00