Exploitation Summary
EIP tracks 6 public exploits for CVE-2026-46333. PoCs published by Unclecheng-li, fearlessresponsesolution, studiogangster.
AI-analyzed exploit summary The repository contains a README.md file with a template for a vulnerability analysis but lacks any actual exploit code, technical details, or proof-of-concept implementation. It appears to be a placeholder or incomplete analysis.
Description
In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.
Exploits (6)
The repository contains a README.md file with a template for a vulnerability analysis but lacks any actual exploit code, technical details, or proof-of-concept implementation. It appears to be a placeholder or incomplete analysis.
This repository contains multiple functional exploit PoCs for CVE-2026-46333, a race condition vulnerability allowing file descriptor theft from privileged processes. The exploits target tools like `chage` and `ssh-keysign` to steal sensitive files such as `/etc/shadow` or SSH private keys.
This repository contains a functional Go-based PoC for CVE-2026-46333, which exploits a race condition in Linux systems using `pidfd_*` syscalls to capture file descriptors from a target process. The PoC is designed for controlled testing and includes safety guidelines.
This repository contains two functional exploit PoCs for CVE-2026-46333, targeting a Linux kernel race condition in the process exit path. The exploits use pidfd_getfd to steal file descriptors from privileged processes (e.g., ssh-keysign, chage) to leak sensitive files like /etc/shadow or SSH private keys.
This repository contains a functional exploit PoC that leverages CVE-2026-46333 and CVE-2026-31431 to modify user passwords in /etc/shadow without root privileges. It combines file descriptor theft via pidfd_getfd and CopyFail to overwrite shadow file entries.
This repository contains a functional exploit for CVE-2026-46333, a Linux kernel vulnerability in __ptrace_may_access that allows unprivileged users to steal file descriptors from SUID processes during a race condition in do_exit(). The PoC demonstrates local privilege escalation by dumping /etc/shadow.
References (14)
Scores
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N