- Qualys discloses CVE‑2026‑46333, a Linux flaw present since 2016 which lets unprivileged users briefly hijack privileged processes to gain admin access
- Exploits were confirmed on default installs of Debian, Ubuntu, and Fedora
- Admins should apply updates immediately
Security researchers Qualys discovered a major flaw in the Linux operating system (OS) that could let any ordinary user, or malicious actor, gain full admin access on vulnerable endpoints.
This bug lingered in Linux systems since 2016, and affects the default installations of several major distributions, including Red Hat, SUSE, Debian, Fedora, AlmaLinux, CloudLinux, and others.
Qualys says attackers could use it to view sensitive files or run commands with the highest level of system control.
Working exploits
The vulnerability is now tracked as CVE-2026-46333 and has a severity score of 5.5/10 (medium). It works by exploiting a narrow window in which a privileged process dropping its credentials remains reachable.
When a program with admin-level privileges is in the process of shutting down, Linux is supposed to immediately cut off other programs from peeking into it. CVE-2026-46333 means that cut-off happens a fraction of a second too late, allowing normal, unprivileged users to exploit that tiny gap.
During that window, the attacker can use a feature to grab a copy of the dying privileged program’s open connections and files before they disappear.
Qualys built four working exploits demonstrating the practical danger, confirming they work on default installs of Debian 13, Ubuntu 24.04/26.04, Fedora 43, and Fedora 44.
The researchers reported the flaw privately to the Linux kernel security team on May 11, 2026, and the team came back with a patch three days later, on May 14. Shortly after, an independent exploit derived from the public commit appeared, effectively breaking the embargo and prompting the full advisory release.
Administrators are advised to apply the kernel update from their distribution immediately. Those that cannot patch immediately should raise kernel.yama.ptrace_scope to 2 to block public exploits.
Hosts that had untrusted local users during the exposure windows are advised to treat SSH host keys and locally cached credentials as compromised and should rotate them as soon as possible.
Via The Hacker News
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
Source link
#major #Linux #security #flaw #revealed #nineyear #issue #spell #disaster #users
