{"uuid": "d6f75376-9703-4512-8749-e6a3c57db5a1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-46333", "type": "seen", "source": "https://gist.github.com/alon710/9c0d20e9d0fe058b907c7e32ba953536", "content": "# CVE-2026-46333: Local Information Disclosure in Linux Kernel Process Exit Path\n\n> **CVSS Score:** 7.1\n> **Published:** 2026-05-15\n> **Full Report:** https://cvereports.com/reports/CVE-2026-46333\n\n## Summary\nCVE-2026-46333 is a high-severity race condition in the Linux kernel process management subsystem, specifically involving the get_dumpable() logic during process exit. Local attackers can exploit this timing window to hijack file descriptors belonging to privileged SUID/SGID processes, leading to the disclosure of sensitive files such as SSH private keys and shadow password hashes.\n\n## TL;DR\nA race condition in the Linux kernel process exit sequence allows local unprivileged users to steal open file descriptors from SUID processes. 
By targeting binaries like ssh-keysign, attackers can read root-owned files such as SSH host keys.\n\n## Exploit Status: WEAPONIZED\n\n## Technical Details\n\n- **Vulnerability Class**: Race Condition (CWE-362)\n- **Attack Vector**: Local (AV:L)\n- **CVSS v3.1 Score**: 7.1 (High)\n- **EPSS Score**: 0.01% (0.44th percentile)\n- **Exploit Status**: Weaponized PoC Available\n- **CISA KEV**: Not Listed\n- **Primary Target**: /usr/lib/openssh/ssh-keysign\n\n## Affected Systems\n\n- Linux Kernel\n- Ubuntu\n- Red Hat Enterprise Linux\n- **Linux Kernel Mainline**: < 7.1-rc4 (Fixed in: `7.1-rc4`)\n- **Linux Kernel Stable (6.18.x)**: < 6.18.31 (Fixed in: `6.18.31`)\n- **Ubuntu Linux**: 14.04 - 26.04 (Fixed in: `TBD`)\n\n## Mitigation\n\n- Upgrade the Linux kernel to a version containing commit 93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6.\n- Restrict ptrace access globally using the Yama security module.\n- Monitor audit logs for unexpected pidfd_getfd usage or unprivileged ptrace attempts against SUID binaries.\n\n**Remediation Steps:**\n1. Verify the current kernel version using 'uname -r'.\n2. Apply updates via the distribution package manager (e.g., 'apt upgrade linux-image-generic' or 'dnf update kernel').\n3. Reboot the system to load the patched kernel.\n4. If patching is delayed, execute 'sudo sysctl -w kernel.yama.ptrace_scope=2' as a temporary measure.\n5. Persist the workaround by running 'echo \"kernel.yama.ptrace_scope=2\" | sudo tee /etc/sysctl.d/99-ptrace.conf'.\n\n## References\n\n- [NVD Vulnerability Details](https://nvd.nist.gov/vuln/detail/CVE-2026-46333)\n- [Red Hat Advisory RHSB-2026-004](https://access.redhat.com/security/vulnerabilities/RHSB-2026-004)\n- [Ubuntu Security Blog: ssh-keysign-pwn](https://ubuntu.com/blog/ssh-keysign-pwn-linux-vulnerability-fixes-available)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-46333) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-21T04:00:50.000000Z"}