- Qualys discloses CVE-2026-46333, a Linux flaw present since 2016 that lets unprivileged users briefly hijack privileged processes to gain administrator access
- Exploitation was confirmed on standard installations of Debian, Ubuntu and Fedora
- Administrators should apply updates immediately
Security researchers Qualys discovered a major flaw in the Linux operating system (OS) that could let any ordinary user or malicious actor gain full admin access to vulnerable endpoints.
This bug has lingered in Linux systems since 2016 and affects the default installations of several major distributions, including Red Hat, SUSE, Debian, Fedora, AlmaLinux, CloudLinux and others.
Qualys says attackers could use it to view sensitive files or run commands with the highest level of system control.
Work exploits
The vulnerability is now tracked as CVE-2026-46333 and has a severity rating of 5.5/10 (medium). It works by exploiting a narrow window where a privileged process that drops its credentials remains available.
When a program with administrator privileges is in the process of shutting down, Linux is supposed to immediately cut off other programs from looking into it. CVE-2026-46333 means that cut-off occurs a fraction of a second late, allowing normal, unprivileged users to exploit the small hole.
During this window, the attacker can use a function to grab a copy of the dying privileged program’s open connections and files before they disappear.
Qualys built four working exploits demonstrating the practical danger and confirmed that they work on standard installations of Debian 13, Ubuntu 24.04/26.04, Fedora 43 and Fedora 44.
The researchers reported the bug privately to the Linux kernel security team on May 11, 2026, and the team came back with a patch three days later, on May 14. Soon after, an independent exploit derived from the public obligation surfaced, effectively breaking the embargo and requesting the full advisory release.
Administrators are advised to apply the kernel update from their distribution immediately. Those who cannot patch immediately should raise kernel.yama.ptrace_scope to 2 to block public exploits.
Hosts that had untrusted local users during the exposure windows are advised to treat SSH host keys and locally cached credentials as compromised and should rotate them as soon as possible.
Via Hacker News
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.
