VYPR
patch · Published May 18, 2026 · 1 source

CVE-2026-46333: New Linux Kernel Flaw Lets Unprivileged Users Read Root-Only Files

A newly disclosed Linux kernel vulnerability, CVE-2026-46333, allows unprivileged local users to read files normally restricted to root, including SSH keys and password files, affecting multiple LTS kernel versions.

A new Linux kernel vulnerability, tracked as CVE-2026-46333, has been disclosed that allows unprivileged local users to read files that should only be accessible to the root user. The flaw, reported by security consultancy Qualys on the oss-security mailing list, affects a wide range of long-term support (LTS) kernel versions, including 5.10, 5.15, 6.1, 6.6, 6.12, 6.18, and 7.0. An attacker with local access to an affected system could exploit this bug to steal sensitive credentials such as SSH private keys, password hashes, or other confidential data stored in root-only files.

The vulnerability stems from a logic error in the kernel's `get_dumpable()` function, which controls whether a process's memory can be dumped for debugging or core analysis. Under certain conditions, the flawed logic allows an unprivileged process to read files that would normally be protected by the kernel's permission checks. A proof-of-concept exploit, dubbed "ssh-keysign-pwn" on GitHub, demonstrates how an attacker can leverage the bug to access SSH keys and other secrets. The issue was originally reported by security researcher Jann Horn on the Linux Kernel Mailing List as far back as 2020, but it was only recently addressed.

Linus Torvalds himself committed the fix in commit `31e62c2`, which he described as "ptrace: slightly saner 'get_dumpable()' logic." The patch corrects the permission-checking logic to prevent unprivileged users from bypassing file access restrictions. The fix has been merged into the mainline kernel and is expected to be backported to the affected LTS branches. System administrators are strongly advised to apply the patch as soon as it becomes available for their distributions.

The impact of CVE-2026-46333 is significant because it does not require any special privileges beyond local user access. On multi-user servers, cloud instances, or shared hosting environments, an attacker who has already gained a foothold could escalate their access by stealing root-level credentials. The vulnerability is particularly dangerous on systems where SSH key-based authentication is used for remote administration, as compromised keys could lead to lateral movement or persistent access.

This disclosure comes amid a wave of high-profile Linux kernel vulnerabilities, including "Dirty Frag" and "Fragnesia," which have drawn attention to the kernel's attack surface. The source article also highlights a new defensive tool called ModuleJail, created by developer Jasper Nuyens, which automates the blacklisting of unused kernel modules. By identifying and disabling modules that are not currently in use, ModuleJail reduces the kernel's attack surface, making it harder for attackers to exploit vulnerabilities in rarely used drivers. The tool avoids modifying the initramfs, making it suitable for server deployments where hardware configurations are stable.

While ModuleJail is not a direct fix for CVE-2026-46333, it represents a proactive security measure that can help mitigate future kernel flaws. The tool's approach is not entirely new—blacklisting unused modules has been documented in Red Hat Enterprise Linux documentation and security blogs—but ModuleJail simplifies the process by automating module identification. For administrators managing critical infrastructure, combining prompt patching with attack surface reduction techniques like ModuleJail can significantly improve security posture.
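The module-blacklisting approach described above can be sketched as follows. This is an added example, not ModuleJail's own code: it diffs the modules available on disk against those currently loaded and emits `modprobe.d` entries for the rest. The sample inputs are constructed, and the function names and the `keep` allowlist are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample in /proc/modules format: name size refcount deps state addr
SAMPLE_PROC_MODULES = """\
ext4 1130496 2 - Live 0x0000000000000000
nf_tables 372736 0 - Live 0x0000000000000000
virtio_net 122880 0 - Live 0x0000000000000000
"""

# Constructed sample of module files as laid out under /lib/modules/<release>/
SAMPLE_MODULE_FILES = [
    "kernel/fs/ext4/ext4.ko.zst",
    "kernel/net/netfilter/nf_tables.ko.zst",
    "kernel/drivers/net/virtio_net.ko.zst",
    "kernel/net/dccp/dccp.ko.zst",
    "kernel/net/rds/rds.ko.xz",
    "kernel/drivers/usb/storage/usb-storage.ko",
]

def canon(name):
    """'-' and '_' are interchangeable in module names; normalise to '_'."""
    return name.replace("-", "_")

def loaded_modules(proc_modules_text):
    """Names in the first column of /proc/modules."""
    return {canon(l.split()[0]) for l in proc_modules_text.splitlines() if l.strip()}

def available_modules(paths):
    """Module names from .ko files, compressed or not."""
    found = set()
    for path in paths:
        m = re.match(r"(.+?)\.ko(\.(gz|xz|zst))?$", PurePosixPath(path).name)
        if m:
            found.add(canon(m.group(1)))
    return found

def build_blacklist(proc_modules_text, paths, keep=()):
    """modprobe.d text that blocks every available-but-unloaded module.
    'blacklist' only stops alias-based autoloading; the 'install' line also
    makes an explicit `modprobe <name>` run /bin/false instead of loading.
    `keep` is a hypothetical allowlist for modules needed later (hot-plug).
    """
    unused = available_modules(paths) - loaded_modules(proc_modules_text)
    unused -= {canon(k) for k in keep}
    return "".join(f"blacklist {n}\ninstall {n} /bin/false\n" for n in sorted(unused))

if __name__ == "__main__":
    print(build_blacklist(SAMPLE_PROC_MODULES, SAMPLE_MODULE_FILES, keep=["usb-storage"]), end="")
```

On a real host the inputs would be the contents of `/proc/modules` and the `.ko` paths under `/lib/modules/$(uname -r)`, with the output written to a file in `/etc/modprobe.d/`. Take the snapshot of loaded modules only after the system has run its full workload, since anything not loaded at that moment ends up blocked.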

As the Linux kernel continues to face scrutiny from both security researchers and attackers, the discovery of CVE-2026-46333 underscores the importance of rigorous code review and timely patching. Organizations should prioritize updating their kernels to include the fix and consider adopting additional hardening measures to protect against local privilege escalation and information disclosure attacks.

Synthesized by Vypr AI