CVE-2026-46333
Description
In the Linux kernel, the following vulnerability has been resolved:
ptrace: slightly saner 'get_dumpable()' logic
The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm.
And almost all users do in fact use it only for the case where the task has a mm pointer.
But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads).
It's not what this flag was designed for, but it is what it is.
The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all.
Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A logic bug in Linux kernel's __ptrace_may_access() allows unprivileged users to read root-owned files by exploiting a race window during task exit.
Vulnerability
A logic bug in __ptrace_may_access() in the Linux kernel's ptrace subsystem (present in all versions prior to commit 31e62c2ebbfd) allows bypassing the dumpable check when task->mm is NULL. This occurs because get_dumpable() is used to enforce access controls even when the target task has no memory descriptor, improperly authorizing access to tasks that have not yet acquired or have already released their mm [1][2][3]. The vulnerability affects all kernels before the fix was applied (2026-05-14).
Exploitation
An unprivileged local attacker can exploit this by racing the exit of a privileged process. During do_exit(), exit_mm() runs before exit_files(), leaving file descriptors open while task->mm is already NULL. The attacker uses pidfd_getfd(2) to duplicate a file descriptor from the target task in that window, provided the caller's UID matches the target's [4]. The race window is small but can be reliably hit within 100–2000 spawns [4].
Impact
Successful exploitation allows an unprivileged attacker to read root-owned files, such as /etc/shadow and SSH host private keys (/etc/ssh/ssh_host_*_key), leading to offline password cracking or SSH impersonation [4]. This compromises system confidentiality and can facilitate lateral movement.
Mitigation
The vulnerability is fixed in Linux kernel commit 31e62c2ebbfd (2026-05-14). All users should update to a kernel containing this fix. No workaround exists; the bug must be patched [2][3].
- security - Re: Multiple vulnerabilities in AppArmor
- security - Re: Logic bug in the Linux kernel's __ptrace_may_access() function
- security - Re: Logic bug in the Linux kernel's __ptrace_may_access() function
- GitHub - 0xdeadbeefnetwork/ssh-keysign-pwn: Steal SSH host private keys and /etc/shadow via the ptrace_may_access mm-NULL bypass + pidfd_getfd. Pre-31e62c2ebbfd kernels.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
831e62c2ebbfd2a93a4fac7b615b828a46f3001363cb3fbd06e5b51e74a4093d4ba49d18e4709234fd1b98f907d345baeVulnerability mechanics
Root cause
"The ptrace_may_access() function uses the task's dumpable flag to authorize access even when the task has no memory descriptor (mm), allowing unprivileged users to inspect kernel threads without proper capability checks."
Attack vector
An attacker with local access and low privileges (e.g., a regular user) can call ptrace-related operations (such as PTRACE_MODE_READ_FSCREDS) on kernel threads or other tasks that lack an mm pointer. Because the dumpable flag is never set for kernel threads (it defaults to zero), and the existing uid/gid check only requires root, a non-root user who has dropped capabilities can still inspect these threads. The attacker does not need to interact with any memory-mapped state; the bug is triggered purely through the ptrace access control path [CWE-269].
Affected code
The vulnerability lies in the ptrace_may_access() function and the get_dumpable() logic in the Linux kernel's ptrace and fs/exec code paths. The advisory does not specify exact file paths or function names beyond the general ptrace subsystem and the dumpable flag handling.
What the fix does
The patch set modifies the dumpable logic so that when a task has no mm pointer, the code uses a cached "last dumpability" value (if the task ever had an mm) or falls back to requiring CAP_SYS_PTRACE. This closes the loophole where a task without an mm (e.g., a kernel thread) would report dumpable=0, which the old ptrace_may_access() path treated as "accessible" without requiring the proper capability. The fix ensures that kernel threads and other mm-less tasks are only accessible to callers holding CAP_SYS_PTRACE [patch_id=424469, patch_id=424470, patch_id=424471, patch_id=424472, patch_id=424473, patch_id=424474, patch_id=424475].
Preconditions
- authAttacker must have local access to the system (low-privilege user account)
- inputAttacker must be able to invoke ptrace operations (e.g., PTRACE_MODE_READ_FSCREDS) on target tasks
Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
13- www.openwall.com/lists/oss-security/2026/05/15/9nvd
- www.openwall.com/lists/oss-security/2026/05/20/14nvd
- www.openwall.com/lists/oss-security/2026/05/20/16nvd
- git.kernel.org/stable/c/01363cb3fbd0238ffdeb09f53e9039c9edf8a730nvd
- git.kernel.org/stable/c/15b828a46f305ae9f05a7c16914b3ce273474205nvd
- git.kernel.org/stable/c/2a93a4fac7b6051d3be7cd1b015fe7320cd0404dnvd
- git.kernel.org/stable/c/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3anvd
- git.kernel.org/stable/c/4709234fd1b95136ceb789f639b1e7ea5de1b181nvd
- git.kernel.org/stable/c/6e5b51e74a40d377bcd3081dd33fbaa0e1aa7e3dnvd
- git.kernel.org/stable/c/8f907d345bae8f4b3f004c5abc56bf2dfb851ea7nvd
- git.kernel.org/stable/c/93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6nvd
- lists.debian.org/debian-lts-announce/2026/05/msg00032.htmlnvd
- lists.debian.org/debian-lts-announce/2026/05/msg00035.htmlnvd
News mentions
3- DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE VulnerabilityThe Hacker News · May 19, 2026
- Linux kernel flaw opens root-only files to unprivileged usersThe Register Security · May 18, 2026
- ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and MoreThe Hacker News · May 18, 2026