CVE-2026-46333
Published 2026-05-15 · CVE-2026-46333: In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic
Priority: P3 · 43 · high · 7.1 (CVSS 3.1)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EXPLOIT
EPSS: 1.24% (65.5th percentile)
In the Linux kernel, the following vulnerability has been resolved:
ptrace: slightly saner 'get_dumpable()' logic
The 'dumpability' of a task is fundamentally about the memory image of
the task - the concept comes from whether it can core dump or not - and
makes no sense when you don't have an associated mm.
And almost all users do in fact use it only for the case where the task
has a mm pointer.
But we have one odd special case: ptrace_may_access() uses 'dumpable' to
check various other things entirely independently of the MM (typically
explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
threads that no longer have a VM (and maybe never did, like most kernel
threads).
It's not what this flag was designed for, but it is what it is.
The ptrace code does check that the uid/gid matches, so you do have to
be uid-0 to see kernel thread details, but this means that the
traditional "drop capabilities" model doesn't make any difference for
this all.
Make it all make a *bit* more sense by saying that if you don't have a
MM pointer, we'll use a cached "last dumpability" flag if the thread
ever had a MM (it will be zero for kernel threads since it is never
set), and require a proper CAP_SYS_PTRACE capability to override.
Affected (77 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| linux | linux | — | — |
| linux | linux | >= 3.16.52 < 3.17 | 3.17 |
| linux | linux | >= 4.4.40 < 4.5 | 4.5 |
| linux | linux | >= 4.8.16 < 4.9 | 4.9 |
| linux | linux | >= 4.9.1 < 4.10 | 4.10 |
| linux | linux | >= bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 < 93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6 | 93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6 |
| linux | linux | >= bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 < 15b828a46f305ae9f05a7c16914b3ce273474205 | 15b828a46f305ae9f05a7c16914b3ce273474205 |
| linux | linux | >= bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 < 4709234fd1b95136ceb789f639b1e7ea5de1b181 | 4709234fd1b95136ceb789f639b1e7ea5de1b181 |
| linux | linux | >= bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 < 8f907d345bae8f4b3f004c5abc56bf2dfb851ea7 | 8f907d345bae8f4b3f004c5abc56bf2dfb851ea7 |
| linux | linux | >= bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 < 6e5b51e74a40d377bcd3081dd33fbaa0e1aa7e3d | 6e5b51e74a40d377bcd3081dd33fbaa0e1aa7e3d |
| linux | linux | >= bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 < 2a93a4fac7b6051d3be7cd1b015fe7320cd0404d | 2a93a4fac7b6051d3be7cd1b015fe7320cd0404d |
| linux | linux | >= bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 < 01363cb3fbd0238ffdeb09f53e9039c9edf8a730 | 01363cb3fbd0238ffdeb09f53e9039c9edf8a730 |
| linux | linux | >= bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 < 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a | 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 3.16.52 < 3.17 | 3.17 |
| linux | linux_kernel | >= 4.4.40 < 4.5 | 4.5 |
| linux | linux_kernel | >= 4.8.16 < 4.9 | 4.9 |
CVSS provenance
nvd · v3.1 · 7.1 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vendor_ubuntu · 8.8 HIGH
vendor_redhat · 7.8 HIGH
Ubuntu · vendor_ubuntu · 2026-06-22 · CVSS 8.8
CVE-2026-43284 [HIGH] Linux kernel (Azure) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-46000)
It was discovered that a logic flaw existed in the XFRM ESP-in-TCP
subsystem in the Linux kernel when handling socket buffer fragments. This
flaw is known as Fragnesia. A local attacker could use this to escalate
privileges, or possibly escape a container.
Ubuntu · vendor_ubuntu · 2026-06-22 · CVSS 7.8
CVE-2026-43284 [HIGH] Linux kernel (Oracle) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500)
It was discovered that a logic f
Ubuntu · vendor_ubuntu · 2026-06-16 · CVSS 7.8
CVE-2026-43503 [HIGH] Linux kernel (Azure) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500)
It was discovered that a logic fl
Ubuntu · vendor_ubuntu · 2026-06-16 · CVSS 6.4
CVE-2026-23262 [MEDIUM] Linux kernel (Azure) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Josh Eads, Kristoffer Janke, Eduardo Vela Nava, Tavis Ormandy, and Matteo
Rizzo discovered that some AMD Zen processors did not properly verify the
signature of CPU microcode. This flaw is known as EntrySign. A privileged
attacker could possibly use this issue to cause load malicious CPU
microcode causing loss of integrity and confidentiality. (CVE-2024-36347)
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle share
Ubuntu · vendor_ubuntu · 2026-06-11 · CVSS 7.8
CVE-2026-46333 [HIGH] Linux kernel (Azure) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500)
It was discovered that a logic fl
Ubuntu · vendor_ubuntu · 2026-06-04 · CVSS 7.8
CVE-2026-23069 [HIGH] Linux kernel (Azure FIPS) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-4600
Ubuntu · vendor_ubuntu · 2026-06-04 · CVSS 8.8
CVE-2026-43284 [HIGH] Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500)
It was discovered that a logic flaw existed in the XFRM ESP-in-TCP
subsystem in the Linux kernel when handling socket buffer fragments. This
flaw is known as Fragnesia. A local attacker could use this to escalate
privileges, or possibly escape a container. (CVE-2026-43503,
CVE-2026-46300)
Ubuntu · vendor_ubuntu · 2026-06-02 · CVSS 8.8
CVE-2026-47333 [HIGH] Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-46000)
It was discovered that a logic flaw existed in the XFRM ESP-in-TCP
subsystem in the Linux kernel when handling socket buffer fragments. This
flaw is known as Fragnesia. A local attacker could use this to escalate
privileges, or possibly escape a container. (CVE-202
Ubuntu · vendor_ubuntu · 2026-06-02 · CVSS 7.8
CVE-2025-71134 [HIGH] Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-46000)
It was di
Ubuntu · vendor_ubuntu · 2026-06-02 · CVSS 8.8
CVE-2026-46300 [HIGH] Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-46000)
It was discovered that a logic flaw existed in the XFRM ESP-in-TCP
subsystem in the Linux kernel when handling socket buffer fragments. This
flaw is known as Fragnesia. A local attacker could use this to escalate
privileges, or possibly escape a container. (CVE-202
Red Hat · vendor_redhat · 2026-05-15 · CVSS 7.8
CVE-2026-46333 [HIGH] CWE-269 kernel: Read root-owned files as an unprivileged user
A vulnerability was found in the Linux kernel that allows an unprivileged local user to read sensitive files normally restricted to the root user. The flaw occurs during process exit, where a brief window allows an attacker to intercept file access from a privileged process before it fully terminates. Successful exploitation may lead to the disclosure of sensitive data such as SSH host private keys or /etc/shadow contents.
Statement: This is an Important flaw in the Linux kernel that allows a local unprivileged attacker to read root-owned files. The vulnerability arises from a race condition during process termination, enabling a brief window where sensitive data, such as SSH host private keys or /etc/shadow contents, can be disclosed.
GHSA · ghsa_unreviewed · 2026-05-15
GHSA-pm8f-4p6p-6x53 (CVE-2026-46333): In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic
VulDB · vuldb · 2026-05-15
CVE-2026-46333 [LOW] Linux Kernel up to 7.0.7 ptrace get_dumpable privilege escalation (EUVD-2026-30540)
A vulnerability identified as problematic has been detected in Linux Kernel up to 7.0.7. Affected by this vulnerability is the function get_dumpable of the component ptrace. This manipulation causes privilege escalation.
This vulnerability is tracked as CVE-2026-46333. The attack is only possible within the local network. No exploit exists.
No detection rules found.
Rapid7 · blogs_rapid7 · 2026-06-19 · CVSS 8.6
CVE-2026-41679 [HIGH] Weekly Metasploit Update: NTLM Relay Priv Esc, MCP Server Integration, Paperclip AI RCE Chain, and more
This week's release includes five new modules, including a full unauthenticated RCE chain for Paperclip AI and a VS Code extension persistence technique. On the post-exploitation side, the new windows/local/ntlm_relay_2_self module coerces the local machine account to authenticate via OpenEncryptedFileRaw (WebDAV), relays that NTLM authentication to a Domain Controller's LDAP service, then uses the resulting LDAP session to write Shadow Credentials and obtain a Kerberos service ticket as Administrator via S4U2Proxy, enabling PsExec back to itself for SYSTEM access.
On the enhancement side, the new MCP server plugin lets AI tools assist operators directly within a running msfconsole instance, and module check codes now return richer detail for users.
Hackernews · blogs_hackernews · 2026-05-25
CVE-2026-46333 ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
Monday recap. Same mess, new week.
A sketchy dev tool got people pwned, old bugs came back from the dead, and security products somehow needed protecting from themselves. A bunch of companies spent the week checking old boxes and forgotten servers they should've patched years ago. Good times.
Phishing crews are getting smarter too - less obvious scam junk, more targeted stuff that actually looks real. Meanwhile, botnets are grabbing anything exposed to the internet like it's free candy. The Internet's still a dumpster fire.
Let’s get into
Hackernews · blogs_hackernews · 2026-05-21 · CVSS 7.1
CVE-2026-46333 [HIGH] 9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros
Cybersecurity researchers have disclosed details of a vulnerability in the Linux kernel that remained undetected for nine years.
The vulnerability, tracked as CVE-2026-46333 (CVSS score: 5.5), is a case of improper privilege management that could permit an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions like Debian, Fedora, and Ubuntu. It's also codenamed ssh-keysign-pwn.
According to Qualys, which discovered the flaw, the problem is rooted in the ker
Qualys · blogs_qualys · 2026-05-20 · CVSS 7.1
CVE-2026-46333 [HIGH] CVE-2026-46333: Local Root Privilege Escalation and Credential Disclosure in the Linux Kernel ptrace Path
The Qualys Threat Research Unit (TRU) has discovered and published the full advisory for CVE-2026-46333, a logic flaw in the Linux kernel’s __ptrace_may_access() function that permits an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions. The bug has resided in mainline Linux since November 2016 (v4.10-rc1). Upstream patches and distribution updates are already available. Working exploi
Hackernews · blogs_hackernews · 2026-05-19 · CVSS 7.5
CVE-2026-31635 [HIGH] DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability
Proof-of-concept (PoC) exploit code has now been released for a recently patched security flaw in the Linux kernel that could allow for local privilege escalation (LPE).
Dubbed DirtyDecrypt (aka DirtyCBC), the vulnerability was discovered and reported by the Zellic and V12 security team on May 9, 2026, only to be informed by the maintainers that it was a duplicate of a vulnerability that had already been patched in the mainline.
"It's a rxgk pagecache write due to missing COW [copy-on-write] guard in rxgk_decrypt_skb," Zellic co-founder Luna Tong (a
Hackernews · blogs_hackernews · 2026-05-18 · CVSS 6.1
CVE-2026-42897 [MEDIUM] ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted.
The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production incident. AI is speeding up vulnerability discovery, attackers are moving quickly, and old exposure still keeps paying off.
Patch the quiet risks first. Let’s g
Bugzilla · bugzilla · 2026-05-15
CVE-2026-46333 [HIGH] kernel: Read root-owned files as an unprivileged user
Read root-owned files as an unprivileged user. Pre-31e62c2ebbfd kernels (everything in stable as of 2026-05-14).
The bug
__ptrace_may_access() skips the dumpable check when task->mm == NULL. do_exit() runs exit_mm() before exit_files() — no mm, fds still there. pidfd_getfd(2) succeeds in that window when the caller's uid matches the target's.
Reported by Qualys, fixed by Linus 2026-05-14. Jann Horn flagged the FD-theft shape in October 2020. Six years.
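As an added illustration that is not kernel code and not part of any source quoted on this page, the model below encodes the pre-fix and post-fix dumpability decision described in the kernel commit message above, together with the exit_mm()-before-exit_files() ordering from the Bugzilla note; every struct field, function name and scenario value is an assumption constructed to mirror that text.

```c
/* Constructed model of the dumpability decision in the ptrace access
 * check, written for this page to contrast the flawed and fixed logic.
 * It is NOT kernel code: every struct field, function name and scenario
 * value below is an assumption chosen to mirror the advisory text. */
#include <stdbool.h>
#include <stdio.h>

struct task_model {
    unsigned int uid;    /* uid/euid/suid of the target, assumed all equal */
    bool has_mm;         /* task->mm != NULL */
    bool mm_dumpable;    /* what get_dumpable(mm) would say while has_mm */
    bool last_dumpable;  /* cache kept by the fix; never set for kernel threads */
    bool has_files;      /* fd table not yet torn down by exit_files() */
};

struct caller_model {
    unsigned int uid;
    bool cap_sys_ptrace;
};

/* The uid/gid match the commit message mentions, common to both variants. */
static bool creds_match(const struct caller_model *c, const struct task_model *t)
{
    return c->uid == t->uid || c->cap_sys_ptrace;
}

/* Pre-fix decision: with no mm, the dumpable test is skipped entirely. */
static bool may_access_old(const struct caller_model *c, const struct task_model *t)
{
    if (!creds_match(c, t))
        return false;
    if (!t->has_mm)
        return true;            /* the flaw: nothing left to deny on */
    return t->mm_dumpable || c->cap_sys_ptrace;
}

/* Post-fix decision per the commit message: without an mm use the cached
 * last dumpability, and require CAP_SYS_PTRACE to override "not dumpable". */
static bool may_access_new(const struct caller_model *c, const struct task_model *t)
{
    if (!creds_match(c, t))
        return false;
    bool dumpable = t->has_mm ? t->mm_dumpable : t->last_dumpable;
    return dumpable || c->cap_sys_ptrace;
}

/* do_exit() ordering from the Bugzilla note: exit_mm() runs before exit_files().
 * Step 1 drops the mm (caching its dumpability), step 2 drops the fd table. */
static void exit_step(struct task_model *t, int step)
{
    if (step == 1) { t->last_dumpable = t->mm_dumpable; t->has_mm = false; }
    if (step == 2) { t->has_files = false; }
}

typedef bool (*access_fn)(const struct caller_model *, const struct task_model *);

/* Is there a point during exit where the check passes while fds still exist? */
static bool exit_window_exposed(access_fn check, struct task_model t,
                                const struct caller_model *c)
{
    for (int step = 1; step <= 2; step++) {
        exit_step(&t, step);
        if (t.has_files && check(c, &t))
            return true;
    }
    return false;
}

/* Constructed scenarios: a non-dumpable helper now running as uid 1000 that is
 * about to exit, a kernel thread that never had an mm, and three callers. */
static const struct task_model exiting_helper = { 1000, true, false, false, true };
static const struct task_model kernel_thread  = { 0, false, false, false, true };
static const struct caller_model same_uid_user = { 1000, false };
static const struct caller_model uid0_no_cap   = { 0, false };
static const struct caller_model uid0_with_cap = { 0, true };

int main(void)
{
    printf("exit window, old logic: %d\n", exit_window_exposed(may_access_old, exiting_helper, &same_uid_user));
    printf("exit window, new logic: %d\n", exit_window_exposed(may_access_new, exiting_helper, &same_uid_user));
    printf("kthread, uid 0 without cap: old=%d new=%d\n",
           may_access_old(&uid0_no_cap, &kernel_thread), may_access_new(&uid0_no_cap, &kernel_thread));
    printf("kthread, uid 0 with CAP_SYS_PTRACE: new=%d\n", may_access_new(&uid0_with_cap, &kernel_thread));
    return 0;
}
```

The old logic admits the same-uid caller only in the step between the two teardown stages, which is the window the Red Hat and Bugzilla entries describe; the new logic denies it there and also denies kernel-thread access to uid 0 without CAP_SYS_PTRACE.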
References
https://git.kernel.org/stable/c/01363cb3fbd0238ffdeb09f53e9039c9edf8a730
https://git.kernel.org/stable/c/15b828a46f305ae9f05a7c16914b3ce273474205
https://git.kernel.org/stable/c/2a93a4fac7b6051d3be7cd1b015fe7320cd0404d
https://git.kernel.org/stable/c/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a
https://git.kernel.org/stable/c/4709234fd1b95136ceb789f639b1e7ea5de1b181
https://git.kernel.org/stable/c/6e5b51e74a40d377bcd3081dd33fbaa0e1aa7e3d
https://git.kernel.org/stable/c/8f907d345bae8f4b3f004c5abc56bf2dfb851ea7
https://git.kernel.org/stable/c/93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6
http://www.openwall.com/lists/oss-security/2026/05/15/9
http://www.openwall.com/lists/oss-security/2026/05/20/14
http://www.openwall.com/lists/oss-security/2026/05/20/16
https://lists.debian.org/debian-lts-announce/2026/05/msg00032.html
https://lists.debian.org/debian-lts-announce/2026/05/msg00035.html
https://access.redhat.com/errata/RHSA-2026:19521
https://access.redhat.com/errata/RHSA-2026:19540
https://access.redhat.com/errata/RHSA-2026:19568
https://access.redhat.com/errata/RHSA-2026:19569
https://access.redhat.com/errata/RHSA-2026:19664
https://access.redhat.com/errata/RHSA-2026:19666
https://access.redhat.com/errata/RHSA-2026:19705
https://access.redhat.com/errata/RHSA-2026:19711
https://access.redhat.com/errata/RHSA-2026:19875
https://access.redhat.com/errata/RHSA-2026:20051
https://access.redhat.com/errata/RHSA-2026:20054
https://access.redhat.com/errata/RHSA-2026:20129
https://access.redhat.com/errata/RHSA-2026:20130
https://access.redhat.com/errata/RHSA-2026:20299
https://access.redhat.com/errata/RHSA-2026:20593
https://access.redhat.com/errata/RHSA-2026:21701
https://access.redhat.com/errata/RHSA-2026:21702
https://access.redhat.com/errata/RHSA-2026:23468
https://access.redhat.com/errata/RHSA-2026:23469
https://access.redhat.com/errata/RHSA-2026:23470
https://access.redhat.com/errata/RHSA-2026:23471
https://access.redhat.com/errata/RHSA-2026:24814
https://access.redhat.com/security/cve/CVE-2026-46333
https://bugzilla.redhat.com/show_bug.cgi?id=2477802
https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn/
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46333.json