Security researchers have uncovered a critical vulnerability in the Linux kernel that has existed, undiscovered, for nearly nine years and allows a local user to gain full root access to the system. The issue also opens the way for an escape from Docker containers and other isolated environments.
CVE-2026-46333 (CVSS score 5.5) is a privilege escalation vulnerability that allows an unprivileged local user to reveal sensitive file information and/or run arbitrary commands as “root” on standard installs of many popular distributions, including Debian, Fedora, and Ubuntu. The vulnerability has been codenamed “ssh-keysign-pwn”.
Qualys stated that the vulnerability in question is due to the kernel function “__ptrace_may_access()” and was introduced in November 2016.
“This primitive is robust and will convert any local shell to a path to ‘root’ access or sensitive credential storage,” said Saeed Abbasi, Senior Manager, Threat Research at Qualys.
An attacker exploiting this vulnerability can gain access to /etc/shadow and place private keys in /etc/ssh/*_key, while simultaneously gaining the ability to run arbitrary commands with elevated privileges (as “root”) through one of four possible exploits against chage, ssh-keysign, pkexec, and accounts-daemon.
The vulnerability came to light after a proof-of-concept (PoC) exploit for it was publicly disclosed approximately a week before the official disclosure. CVE-2026-46333 is yet another recent vulnerability found in the Linux kernel; others from just the past month include Copy Fail, Dirty Frag, and Fragnesia.
All affected users should apply their Linux distribution’s most current kernel update. If an immediate upgrade is impossible, affected users may employ a workaround until an official fix is available, namely increasing the “kernel.yama.ptrace_scope” variable to 2.
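One way to verify that the workaround above is in place, as an added example that is not part of the original article: the script compares the value the running kernel enforces with the value the sysctl configuration files will apply at the next boot. The ROOT argument and the simplified file-precedence model are assumptions of this example.

```shell
#!/bin/sh
# Audit the kernel.yama.ptrace_scope workaround: the value enforced now versus the
# value sysctl configuration restores at boot. The optional ROOT argument is an
# assumption of this example; it points the check at an alternate filesystem tree.

# Value the running kernel enforces; empty when the Yama LSM is unavailable.
runtime_scope() {
    cat "${1:-}/proc/sys/kernel/yama/ptrace_scope" 2>/dev/null || true
}

# Last ptrace_scope assignment in one sysctl file ("#"/";" comment lines never match).
scope_in_file() {
    sed -nE 's/^[[:space:]]*-?kernel[./]yama[./]ptrace_scope[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p' \
        "$1" 2>/dev/null | tail -n 1
}

# Boot-time value under a simplified precedence model (assumption): drop-ins from
# /usr/lib/sysctl.d and /etc/sysctl.d in lexical order of file name, /etc winning
# on a name clash, then /etc/sysctl.conf; the last assignment read wins.
persistent_scope() (
    root="${1:-}"; val=""
    names=$(for f in "$root"/usr/lib/sysctl.d/*.conf "$root"/etc/sysctl.d/*.conf; do
                [ -e "$f" ] && basename "$f"
            done | LC_ALL=C sort -u)
    for n in $names; do
        f="$root/etc/sysctl.d/$n"
        [ -e "$f" ] || f="$root/usr/lib/sysctl.d/$n"
        v=$(scope_in_file "$f")
        [ -n "$v" ] && val="$v"
    done
    v=$(scope_in_file "$root/etc/sysctl.conf")
    [ -n "$v" ] && val="$v"
    echo "$val"
)

# Succeeds only when the workaround (2 or stricter) is both active and persistent.
audit_ptrace_scope() (
    run=$(runtime_scope "${1:-}"); boot=$(persistent_scope "${1:-}")
    echo "runtime=${run:-unset} persistent=${boot:-unset}"
    [ "${run:-0}" -ge 2 ] && [ "${boot:-0}" -ge 2 ]
)
```

Source the file and call `audit_ptrace_scope` with no argument to check the live system. A non-zero exit status means the setting is either not active or would be lost on reboot.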
The exploit is based upon the proof-of-concept (PoC) PinTheft, a local vulnerability that permits attackers to obtain root access on Arch Linux systems. For the exploit to work, the target system must meet all of the following conditions: the “reliable datagram sockets” (RDS) module is loaded; io_uring is enabled; a readable SUID-root binary exists; and the machine uses the x86_64 architecture, which the provided payload requires.
Zoellick and V12’s Security Team stated:
“The PinTheft exploit takes advantage of a double free in the RDS zerocopy receiving path in order to potentially allow an attacker to overwrite a portion of the page cache using fixed buffers with io_uring.”
The flaw sits in the RDS zerocopy receive path. The function rds_message_zcopy_from_user() processes user memory pages one at a time. If a second page fails (for example, because of an error), the error handling releases the memory that was already pinned. Afterward, RDS message cleanup runs with the scatterlist entries and entry count still active, because the zerocopy notifier has been removed, so each zerocopy failure steals one reference from the first memory page.