7.1 CVE-2026-46333
Enriched by CISA Privilege Escalation Exploit
In the Linux kernel, the following vulnerability has been resolved:

ptrace: slightly saner 'get_dumpable()' logic

The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm.

And almost all users do in fact use it only for the case where the task has a mm pointer.

But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads).

It's not what this flag was designed for, but it is what it is.

The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all.

Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.
https://nvd.nist.gov/vuln/detail/CVE-2026-46333
Categories
CWE-269 : Improper Privilege Management

Description: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Detection (automated static analysis): Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).

Potential mitigations:
- Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

Observed examples:
- Terminal privileges are not reset when a user logs out.
- Does not properly pass security context to child processes in certain cases, allows privilege escalation.
- Does not properly compute roles.
- Untrusted user placed in unix "wheel" group.
- Product allows users to grant themselves certain rights that can be used to escalate privileges.
- Product uses group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue.
- Product mistakenly assigns a particular status to an entity, leading to increased privileges.
- FTP client program on a certain OS runs with setuid privileges and has a buffer overflow. Most clients do not need extra privileges, so an overflow is not a vulnerability for those clients.
- OS incorrectly installs a program with setuid privileges, allowing users to gain privileges.
- Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209).
- Installation script installs some programs as setuid when they shouldn't be.
- Roles have access to dangerous procedures (Accessible entities).
- Untrusted object/method gets access to clipboard (Accessible entities).
- Traceroute program allows unprivileged users to modify source address of packet (Accessible entities).
- User with capability can prevent setuid program from dropping privileges (Unsafe privileged actions).
References
134c704f-9b21-4f2e-91b3-4a467353bcc0
416baaa9-dc9f-4396-8d5f-8c081fb06d67
af854a3a-2127-422b-91ae-364da2661108
AFFECTED (from MITRE)

Vendor: Linux | Product: Linux | Versions (git commit ranges):
- bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 < 93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6 [affected]
- bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 < 15b828a46f305ae9f05a7c16914b3ce273474205 [affected]
- bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 < 4709234fd1b95136ceb789f639b1e7ea5de1b181 [affected]
- bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 < 8f907d345bae8f4b3f004c5abc56bf2dfb851ea7 [affected]
- bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 < 6e5b51e74a40d377bcd3081dd33fbaa0e1aa7e3d [affected]
- bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 < 2a93a4fac7b6051d3be7cd1b015fe7320cd0404d [affected]
- bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 < 01363cb3fbd0238ffdeb09f53e9039c9edf8a730 [affected]
- bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 < 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a [affected]
- d5b3e840dbf6dd2c0f30b5982b6f5ecd49e46b12 [affected]
- 03eed7afbc09e061f66b448daf7863174c3dc3f3 [affected]
- e45692fa1aea06676449b63ef3c2b6e1e72b7578 [affected]
- 694a95fa6dae4991f16cda333d897ea063021fed [affected]

Vendor: Linux | Product: Linux | Versions (kernel releases):
- 4.10 [affected]
- < 4.10 [unaffected]
- 5.10.256 ≤ 5.10.* [unaffected]
- 5.15.207 ≤ 5.15.* [unaffected]
- 6.1.173 ≤ 6.1.* [unaffected]
- 6.6.139 ≤ 6.6.* [unaffected]
- 6.12.89 ≤ 6.12.* [unaffected]
- 6.18.31 ≤ 6.18.* [unaffected]
- 7.0.8 ≤ 7.0.* [unaffected]
- 7.1-rc4 ≤ * [unaffected]
| © 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |
CPE

Configuration 1
| cpe | start | end |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | >= 4.10 | < 5.10.256 |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | >= 4.10 | < 5.15.207 |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | >= 4.10 | < 6.1.173 |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | >= 4.10 | < 6.6.139 |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | >= 4.10 | < 6.12.89 |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | >= 4.10 | < 6.18.31 |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | >= 4.10 | < 7.0.8 |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | >= 4.10 | < 7.1-rc4 |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | >= 3.16.52 | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | >= 4.4.40 | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | >= 4.8.16 | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | >= 4.9.1 | |
REMEDIATION
EXPLOITS

Exploit-db.com
| id | description | date |
| No known exploits | | |

POC Github

Other Nist (github, ...)
CAPEC
Common Attack Pattern Enumerations and Classifications
| id | description | severity |
| 122 | Privilege Abuse: An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources. | Medium |
| 233 | Privilege Escalation: An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform. | |
| 58 | Restful Privilege Elevation: An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages. | High |
MITRE

Techniques
| id | description |
| T1548 | Abuse Elevation Control Mechanism |
Mitigations
| id | description |
| M1018 | Limit the privileges of cloud accounts to assume, create, or impersonate additional roles, policies, and permissions to only those required. Where just-in-time access is enabled, consider requiring manual approval for temporary elevation of privileges. |