
CVE-2026-46333 Local Root Privilege Escalation and Credentia...#2308

Open
carlospolop wants to merge 1 commit into master from update_CVE-2026-46333__Local_Root_Privilege_Escalation_an_20260601_174144

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

CVE-2026-46333: Linux kernel ptrace authorization logic flaw

Qualys Threat Research Unit disclosed CVE-2026-46333, a local Linux kernel vulnerability in the __ptrace_may_access() permission path. The flaw allows an unprivileged local user to abuse a race condition while a privileged process is exiting or dropping credentials, then steal privileged file descriptors or authenticated IPC channels. The issue has existed in mainline Linux since v4.10-rc1...

🔧 Technical Details

Racing ptrace authorization during privileged process teardown: The core technique is to target a privileged process while it is exiting, dropping credentials, or passing through the do_exit()-related lifetime window. The process should be protected by its dumpable state, but a logic flaw in __ptrace_may_access() can skip the dumpable branch when mm == NULL. Access may then continue to security_ptrace_access_check(task, mode), allowing the decision to fall through to YAMA. In environments with default kernel.yama.ptrace_scope=1, the attack is viable when the attacker is the parent of the privileged SUID child they spawned.

Turning a ptrace check bug into file-descriptor theft with pidfd_getfd(): pidfd_getfd() duplicates a file descriptor from another process after authorizing access with __ptrace_may_access(target, PTRACE_MODE_ATTACH_REALCREDS). If the ptrace p...

🤖 Agent Actions

Done.

Updated

  • Created: src/linux-hardening/privilege-escalation/linux-kernel-exploitation/linux-ptrace-exit-race-pidfd_getfd-fd-theft.md
  • Updated: src/SUMMARY.md

What I added

A new kernel-privesc technique page focused on the technique, not the CVE itself:

  • racing ptrace-style authorization during privileged teardown
  • turning that into FD theft with pidfd_getfd()
  • abusing stolen FDs for:
    • sensitive file disclosure
    • authenticated D-Bus/systemd channel reuse
  • practical YAMA ptrace_scope impact and mitigation
  • concise audit/detection ideas

Why a new page

I checked existing Linux privesc/kernel pages and found ptrace/YAMA mentions, but no existing HackTricks page covering this specific primitive: teardown race + pidfd_getfd() + privileged FD/channel theft.

Validation

  • Confirmed banner/reference structure and SUMMARY entry
  • Reviewed git diff
  • Tried mdbook build, but mdbook is not installed in this environment

Sources used


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
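The summary above describes the primitive (a ptrace-authorization race during privileged teardown, turned into FD theft via pidfd_getfd()) and lists YAMA ptrace_scope hardening plus audit/detection ideas as the defensive side. The following script is an added example that is not part of this PR or of HackTricks: it classifies the host's kernel.yama.ptrace_scope value against the parent-of-SUID-child condition the summary names, and scans auditd SYSCALL records for pidfd_getfd() calls made by non-root users. Assumed and not stated on the page: the ptrace_scope value meanings follow the kernel's Yama documentation, 438 is the x86_64 syscall number of pidfd_getfd(), and the audit lines embedded at the bottom are constructed samples rather than real captures.

```python
"""Defender-side checks for the ptrace-authorization / pidfd_getfd() FD-theft primitive.

Added example, not code from the PR or from HackTricks. Assumptions:
  * YAMA_SCOPE meanings follow Documentation/admin-guide/LSM/Yama.rst.
  * 438 is the x86_64 syscall number of pidfd_getfd().
  * SAMPLE_AUDIT_LINES are constructed, not recorded from a real host.

To collect the records this scans, an audit rule of the form
    auditctl -a always,exit -F arch=b64 -S pidfd_getfd -k pidfd_getfd
is assumed (use -S 438 if the audit userspace does not know the name).
"""
import re
from pathlib import Path

# Documented meanings of kernel.yama.ptrace_scope.
YAMA_SCOPE = {
    0: "classic: same-uid processes may ptrace each other",
    1: "restricted: only a descendant of the tracer may be traced (common default)",
    2: "admin-only: attach requires CAP_SYS_PTRACE",
    3: "no attach: ptrace attach disabled for everyone",
}

PIDFD_GETFD_NR_X86_64 = 438  # assumption: x86_64 syscall number of pidfd_getfd()


def assess_ptrace_scope(scope: int) -> dict:
    """Classify a ptrace_scope value against the technique in the PR summary.

    The summary says the race is viable at scope 1 when the attacker is the parent
    of the privileged SUID child it spawned; scope 0 is strictly weaker. Scopes 2
    and 3 demand CAP_SYS_PTRACE or forbid attach outright, which an unprivileged
    user cannot satisfy, so the YAMA fall-through no longer helps them.
    """
    if scope not in YAMA_SCOPE:
        raise ValueError(f"unknown ptrace_scope value {scope!r}")
    exposed = scope <= 1
    advice = ("raise kernel.yama.ptrace_scope to 2 (or 3) and apply the kernel fix"
              if exposed else
              "YAMA already blocks unprivileged parent->child attach; still apply the kernel fix")
    return {"scope": scope, "meaning": YAMA_SCOPE[scope], "exposed": exposed, "advice": advice}


def read_ptrace_scope(path: str = "/proc/sys/kernel/yama/ptrace_scope") -> int:
    """Read the live value; returns -1 if Yama is not available on this host."""
    try:
        return int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return -1


# auditd records are space-separated key=value pairs; values may be double-quoted.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line: str) -> dict:
    """Turn one auditd line into a dict of its key=value fields (quotes stripped)."""
    return {key: val.strip('"') for key, val in _KV_RE.findall(line)}


def find_pidfd_getfd_events(lines, syscall_nr: int = PIDFD_GETFD_NR_X86_64) -> list:
    """Return pidfd_getfd() SYSCALL records issued by non-root callers.

    Root-driven use (debuggers, container tooling) is routine; an unprivileged
    process pulling descriptors out of another process is what the summary's
    FD-theft step looks like on the wire, so only uid != 0 callers are reported.
    """
    hits = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") != str(syscall_nr):
            continue
        if rec.get("uid") == "0":
            continue
        hits.append({"pid": rec.get("pid"), "uid": rec.get("uid"), "comm": rec.get("comm"),
                     "exe": rec.get("exe"), "success": rec.get("success")})
    return hits


# Constructed sample records (not real captures) in auditd's SYSCALL format.
SAMPLE_AUDIT_LINES = [
    # unprivileged caller duplicating an fd from another process: should be flagged
    'type=SYSCALL msg=audit(1717260000.123:456): arch=c000003e syscall=438 success=yes exit=5 '
    'a0=3 a1=4 a2=0 a3=0 items=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 '
    'comm="racer" exe="/tmp/racer" key="pidfd_getfd"',
    # same syscall from root, e.g. administrator tooling: routine, not flagged
    'type=SYSCALL msg=audit(1717260001.001:457): arch=c000003e syscall=438 success=yes exit=6 '
    'a0=3 a1=5 a2=0 a3=0 items=0 ppid=1 pid=2222 auid=0 uid=0 gid=0 euid=0 '
    'comm="admin-tool" exe="/usr/local/bin/admin-tool" key="pidfd_getfd"',
    # unrelated syscall (openat): ignored
    'type=SYSCALL msg=audit(1717260002.500:458): arch=c000003e syscall=257 success=yes exit=3 '
    'a0=ffffff9c a1=7ffd0 a2=0 a3=0 items=1 ppid=1200 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 '
    'comm="cat" exe="/usr/bin/cat" key="file-open"',
]

if __name__ == "__main__":
    scope = read_ptrace_scope()
    if scope < 0:
        print("Yama ptrace_scope not readable on this host")
    else:
        print(assess_ptrace_scope(scope))
    for hit in find_pidfd_getfd_events(SAMPLE_AUDIT_LINES):
        print("pidfd_getfd by non-root caller:", hit)
```

Run it on a host to see the live ptrace_scope verdict; point find_pidfd_getfd_events() at real audit.log lines once the audit rule is in place. The uid filter is deliberately coarse: it trades a few false negatives (a root-owned helper misused by an unprivileged parent would not be reported) for a near-zero false-positive rate, which is what makes the rule cheap to keep enabled.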

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://blog.qualys.com/vulnerabilities-threat-research/2026/05/20/cve-2026-46333-local-root-privilege-escalation-and-credential-disclosure-in-the-linux-kernel-ptrace-path

Content Categories: Based on the analysis, this content was categorized under "Linux Hardening -> Linux Privilege Escalation -> CVE-2026-46333 ptrace/pidfd_getfd file descriptor theft".

Repository Maintenance:

  • MD Files Formatting: 975 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
