- Qualys discloses CVE-2026-46333, a Linux flaw present since 2016 that allows unprivileged users to briefly hijack privileged processes to gain administrator access.
- Exploits confirmed in default installations of Debian, Ubuntu and Fedora
- Administrators must apply updates immediately
Security researchers Qualys discovered a major flaw in the Linux operating system (OS) that could allow any ordinary user or malicious actor to gain full administrator access on vulnerable endpoints.
This bug has persisted on Linux systems since 2016 and affects default installations of several major distributions, including Red Hat, SUSE, Debian, Fedora, AlmaLinux, CloudLinux, and others.
Qualys says attackers could use it to view sensitive files or execute commands with the highest level of system control.
Work feats
The vulnerability is now tracked as CVE-2026-46333 and has a severity score of 5.5/10 (medium). It works by taking advantage of a narrow window in which a privileged process that loses its credentials is still accessible.
When a program with administrator-level privileges is in the process of closing, Linux is supposed to immediately prevent other programs from looking at it. CVE-2026-46333 means that the hack occurs a fraction of a second too late, allowing normal and unprivileged users to exploit that small gap.
During that window, the attacker can use a function to obtain a copy of the dying privileged program's open connections and files before they disappear.
Qualys created four working exploits that demonstrate the practical danger and confirm that they work on default installations of Debian 13, Ubuntu 24.04/26.04, Fedora 43, and Fedora 44.
Researchers reported the flaw privately to the Linux kernel security team on May 11, 2026, and the team returned with a patch three days later on May 14. Shortly after, a separate exploit derived from the public compromise appeared, effectively breaking the embargo and causing the full advisory to be published.
Administrators are recommended to apply the kernel update from their distribution immediately. Those who cannot patch immediately should increase kernel.yama.ptrace_scope to 2 to block public exploits.
Hosts that had untrusted local users during exposure periods are advised to treat SSH host keys and locally cached credentials as compromised and should rotate them as soon as possible.
Through Hacker News
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
