A nine-year-old logic flaw discovered in the Linux kernel’s process trace (ptrace) path could let unprivileged local users read sensitive files, including Secure Shell (SSH) host private keys and the system password hash, on default installations of Debian, Fedora and Ubuntu.
According to new analysis from the Qualys Threat Research Unit (TRU), the vulnerability, tracked as CVE-2026-46333, has been present in mainline Linux since November 2016. Upstream patches and distribution updates are available, and working exploits are circulating publicly.
The flaw is the fourth Linux kernel local security issue disclosed in three weeks, following Copy Fail, Dirty Frag and Fragnesia.
A Race in the Credential Drop
The bug sits in the kernel’s __ptrace_may_access() function. Qualys identified a narrow window in which a privileged process that is dropping its credentials remains reachable through ptrace operations, even though its dumpable flag should have closed that path.
By pairing this window with the pidfd_getfd() syscall, an attacker can capture file descriptors from a setuid binary mid-exit and inherit its access to the underlying files. pidfd_getfd() was added to the kernel in January 2020, which broadened the practical reach of the older flaw.
The proof-of-concept (PoC) developed by Qualys targets ssh-keysign, a setuid binary that briefly holds SSH host private keys open during authentication signing. A second variant targets chage, stealing the open handle to /etc/shadow and exposing every user’s password hash on the host.
The Qualys TRU also developed working exploits against pkexec and accounts-daemon, and withheld all four exploits from public release during the coordinated disclosure window.
Saeed Abbasi, senior manager at the Qualys TRU, said the technique “turns any local shell into a path to root or to sensitive credential material.”
Impact, Risk Profile and Mitigation
The four exploits Qualys developed span a range of impacts. The chage and ssh-keysign exploits yield information disclosure, while pkexec and accounts-daemon let the attacker execute arbitrary commands as root.
The bug carries a CVSS score of 5.5, but Qualys argued the distinction between an unprivileged foothold and full host compromise collapses in practice, because the disclosed files alone are enough to take over the system.
The risk profile is sharpest in environments where unprivileged shells are routinely available to untrusted parties, including shared hosting and multi-tenant CI runners.
Administrators should apply the vendor kernel update for their distribution without delay. As an interim mitigation, Ubuntu and Qualys both recommend raising kernel.yama.ptrace_scope to 2 via sysctl, which gates ptrace attachment behind CAP_SYS_PTRACE and blocks the public exploit path at the cost of breaking unprivileged debugging workflows.
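One way to verify that the interim mitigation is in place and will survive a reboot, as an added example that is not code from Qualys, Ubuntu or any distribution. The function names and the root-prefix argument are hypothetical, and the persistent check is a simplification that reads only /etc/sysctl.d/*.conf and /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example: audit the kernel.yama.ptrace_scope interim mitigation.
# Each function takes an optional root prefix (hypothetical parameter) so the
# check can be pointed at a constructed tree; pass "" for the live system.

# Value the running kernel enforces; empty if the Yama sysctl is absent.
runtime_scope() {
    cat "$1/proc/sys/kernel/yama/ptrace_scope" 2>/dev/null || true
}

# Last persistent assignment found. Simplification: scans /etc/sysctl.d/*.conf
# in lexical order, then /etc/sysctl.conf; /run and /usr/lib are not modelled.
persistent_scope() {
    for f in "$1"/etc/sysctl.d/*.conf "$1/etc/sysctl.conf"; do
        if [ -f "$f" ]; then
            sed -n 's/^[[:space:]]*kernel\.yama\.ptrace_scope[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$f"
        fi
    done | tail -n 1
}

# Return codes: 0 = set to 2 or higher now and after reboot,
#               1 = runtime value below 2,
#               2 = runtime value fine but not persisted,
#               3 = Yama sysctl missing, mitigation unavailable.
audit_ptrace_scope() {
    root="${1:-}"
    run=$(runtime_scope "$root")
    per=$(persistent_scope "$root")
    if [ -z "$run" ]; then
        echo "kernel.yama.ptrace_scope not present on this kernel"; return 3
    fi
    if [ "$run" -lt 2 ]; then
        echo "runtime ptrace_scope=$run, below the recommended value 2"; return 1
    fi
    if [ "${per:-0}" -lt 2 ]; then
        echo "runtime ptrace_scope=$run, persistent=${per:-unset}: reverts on reboot"; return 2
    fi
    echo "ptrace_scope=$run at runtime, $per persistent"; return 0
}

# Remediation, run as root (the file name below is a hypothetical choice):
#   sysctl -w kernel.yama.ptrace_scope=2
#   echo 'kernel.yama.ptrace_scope = 2' > /etc/sysctl.d/99-ptrace-scope.conf
```

A return code of 2 is the case most easily missed: the value was raised with sysctl -w on the running host but never written to a sysctl configuration file.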
