CVE-2026-46333

HIGH

ptrace: slightly saner 'get_dumpable()' logic

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 8 public exploits for CVE-2026-46333. PoCs published by Unclecheng-li, st4rburn, fearlessresponsesolution, including Metasploit module post/linux/gather/cve_2026_46333_chage.

AI-analyzed exploit summary The repository contains a README.md file with a template for a vulnerability analysis but lacks any actual exploit code, technical details, or proof-of-concept implementation. It appears to be a placeholder or incomplete analysis.

Description

In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.

Exploits (8)

github STUB 2 stars
by Unclecheng-li · cpoc
https://github.com/Unclecheng-li/poc-lab/tree/main/CVE-2026-46333 SSH Keysign pwn

The repository contains a README.md file with a template for a vulnerability analysis but lacks any actual exploit code, technical details, or proof-of-concept implementation. It appears to be a placeholder or incomplete analysis.

Classification
Stub 90%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: Linux (unspecified version)
No auth needed
Prerequisites: none specified
mistral-large-3 · analyzed May 21, 2026 Full analysis →
nomisec WORKING POC 1 stars
by st4rburn · poc
https://github.com/st4rburn/public-passwd

This exploit combines CVE-2026-46333 (file descriptor theft via `pidfd_getfd` from `chage`) and CVE-2026-31431 (CopyFail, a 4-byte arbitrary write via AF_ALG socket manipulation) to modify `/etc/shadow` and change user passwords without root privileges. The PoC reads the shadow file, extracts password hashes, and overwrites them in-place using CopyFail's page cache corruption.

Classification
Working Poc 98%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Racy
Target: Linux kernel (vulnerable to CVE-2026-46333 and CVE-2026-31431), `chage` utility
Auth required
Prerequisites: Local user access on a system vulnerable to both CVEs · Python with ctypes and standard library access · `chage` utility installed and SUID · Kernel support for `pidfd_getfd` and AF_ALG sockets
mistral-large-3 · analyzed Jul 04, 2026 Full analysis →
github WORKING POC
by fearlessresponsesolution · tsqlpoc
https://github.com/fearlessresponsesolution/cve-pocs/tree/master/pocs/CVE-2026-46333

This repository contains multiple functional exploit PoCs for CVE-2026-46333, a race condition vulnerability allowing file descriptor theft from privileged processes. The exploits target tools like `chage` and `ssh-keysign` to steal sensitive files such as `/etc/shadow` or SSH private keys.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Racy
Target: Linux kernel (specific version not specified)
No auth needed
Prerequisites: Access to a vulnerable Linux system · Presence of SUID binaries like `chage` or `ssh-keysign`
mistral-large-3 · analyzed May 21, 2026 Full analysis →
github WORKING POC
by studiogangster · gopoc
https://github.com/studiogangster/CVE-2026-46333

This repository contains a functional Go-based PoC for CVE-2026-46333, which exploits a race condition in Linux systems using `pidfd_*` syscalls to capture file descriptors from a target process. The PoC is designed for controlled testing and includes safety guidelines.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Racy
Target: Linux kernel (specific version not specified)
No auth needed
Prerequisites: Linux environment · target binary with vulnerable file descriptors
mistral-large-3 · analyzed May 17, 2026 Full analysis →
github WORKING POC
by 0xBlackash · cpoc
https://github.com/0xBlackash/CVE-2026-46333

This repository contains two functional exploit PoCs for CVE-2026-46333, targeting a Linux kernel race condition in the process exit path. The exploits use pidfd_getfd to steal file descriptors from privileged processes (e.g., ssh-keysign, chage) to leak sensitive files like /etc/shadow or SSH private keys.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel ≤6.15
No auth needed
Prerequisites: Linux kernel ≤6.15 · presence of SUID binaries like ssh-keysign or chage
mistral-large-3 · analyzed May 17, 2026 Full analysis →
nomisec WORKING POC
by Aurillium · poc
https://github.com/Aurillium/public-passwd

This repository contains a functional exploit PoC that leverages CVE-2026-46333 and CVE-2026-31431 to modify user passwords in /etc/shadow without root privileges. It combines file descriptor theft via pidfd_getfd and CopyFail to overwrite shadow file entries.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux systems with vulnerable kernel (CVE-2026-46333 and CVE-2026-31431)
Auth required
Prerequisites: User must have permission to execute chage · System must be vulnerable to both CVE-2026-46333 and CVE-2026-31431
mistral-large-3 · analyzed May 17, 2026 Full analysis →
github WORKING POC
by KaraZajac · cpoc
https://github.com/KaraZajac/CHARON

This repository contains a functional exploit for CVE-2026-46333, a Linux kernel vulnerability in __ptrace_may_access that allows unprivileged users to steal file descriptors from SUID processes during a race condition in do_exit(). The PoC demonstrates local privilege escalation by dumping /etc/shadow.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Racy
Target: Linux kernel <= 6.12.89
No auth needed
Prerequisites: Unprivileged user access · SUID binary that opens target file (e.g., /usr/bin/chage) · Vulnerable kernel version
mistral-large-3 · analyzed May 16, 2026 Full analysis →
metasploit WORKING POC
by 0xdeadbeefnetwork, bhaskarbhar · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/post/linux/gather/cve_2026_46333_chage.rb

This Metasploit module exploits a race condition in the Linux kernel's __ptrace_may_access() function during process termination, allowing disclosure of /etc/shadow via the chage SUID binary. The exploit uses pidfd_getfd() to access privileged file descriptors after task->mm becomes NULL.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Complex
Reliability
Racy
Target: Linux Kernel versions 5.6.0 to 6.15.0
No auth needed
Prerequisites: gcc compiler · writable directory · chage binary with SUID/SGID permissions
mistral-large-3 · analyzed Jun 16, 2026 Full analysis →

References (40)

Core 40
Core References

Scores

CVSS v3 7.1
EPSS 0.0138
EPSS Percentile 68.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-269
Status published
Products (44)
debian/debian_linux 11.0
linux/Kernel 4.10.0 - 5.10.256linux
linux/Kernel 5.11.0 - 5.15.207linux
linux/Kernel 5.16.0 - 6.1.173linux
linux/Kernel 6.13.0 - 6.18.31linux
linux/Kernel 6.19.0 - 7.0.8linux
linux/Kernel 6.2.0 - 6.6.139linux
linux/Kernel 6.7.0 - 6.12.89linux
Linux/Linux < 4.10
Linux/Linux 03eed7afbc09e061f66b448daf7863174c3dc3f3
... and 34 more
Published May 15, 2026
Tracked Since May 15, 2026