- Qualys Discloses CVE‑2026‑46333, a Linux Flaw Present Since 2016 That Allows Unprivileged Users to Briefly Hijack Privileged Processes to Gain Administrator Access
- Exploits have been confirmed on default installations of Debian, Ubuntu and Fedora
- Administrators should apply updates immediately
Qualys security researchers have discovered a major flaw in the Linux operating system that could allow any ordinary user or malicious actor to gain full administrative access to vulnerable endpoints.
This bug has persisted in Linux systems since 2016 and affects default installations of several major distributions, including Red Hat, SUSE, Debian, Fedora, AlmaLinux, CloudLinux and others.
Qualys says attackers could use it to view sensitive files or execute commands with the highest level of system control.
Functional Exploits
The vulnerability is now tracked as CVE-2026-46333 and has a severity score of 5.5/10 (medium). It works by exploiting a narrow window in which a privileged process giving up its credentials remains accessible.
When a program with administrator-level privileges is shutting down, Linux is supposed to immediately prevent other programs from accessing it. CVE-2026-46333 means that the outage occurs a fraction of a second too late, allowing normal, unprivileged users to exploit this small gap.
During this window, the attacker can use a feature to grab a copy of the dying privileged program’s connections and open files before they disappear.
Qualys has built four working exploits demonstrating the practical danger, confirming that they work on default installations of Debian 13, Ubuntu 24.04/26.04, Fedora 43 and Fedora 44.
Researchers reported the flaw privately to the Linux kernel security team on May 11, 2026, and the team returned with a fix three days later on May 14. Shortly after, an independent exploit derived from public validation appeared, effectively breaking the embargo and prompting the release of a full advisory.
Administrators are advised to immediately apply the kernel update upon distribution. Those who cannot apply the patch immediately should increase kernel.yama.ptrace_scope to 2 to block public exploits.
Hosts whose local users were untrusted during exposure windows are advised to treat SSH host keys and locally cached credentials as compromised and rotate them as soon as possible.
Via Hacker news
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.
