Another major Linux security flaw revealed — nine-year old issue could spell disaster for users

News
By published

Experts find a way to elevate normal Linux users' privileges to root

Linux penguin logo on wood
(Image credit: Pixababy)
  • Qualys discloses CVE‑2026‑46333, a Linux flaw present since 2016 which lets unprivileged users briefly hijack privileged processes to gain admin access
  • Exploits were confirmed on default installs of Debian, Ubuntu, and Fedora
  • Admins should apply updates immediately

Security researchers Qualys discovered a major flaw in the Linux operating system (OS) that could let any ordinary user, or malicious actor, gain full admin access on vulnerable endpoints.

This bug lingered in Linux systems since 2016, and affects the default installations of several major distributions, including Red Hat, SUSE, Debian, Fedora, AlmaLinux, CloudLinux, and others.

Qualys says attackers could use it to view sensitive files or run commands with the highest level of system control.

Latest Videos From

Working exploits

The vulnerability is now tracked as CVE-2026-46333 and has a severity score of 5.5/10 (medium). It works by exploiting a narrow window in which a privileged process dropping its credentials remains reachable.

When a program with admin-level privileges is in the process of shutting down, Linux is supposed to immediately cut off other programs from peeking into it. CVE-2026-46333 means that cut-off happens a fraction of a second too late, allowing normal, unprivileged users to exploit that tiny gap.

During that window, the attacker can use a feature to grab a copy of the dying privileged program’s open connections and files before they disappear.

Qualys built four working exploits demonstrating the practical danger, confirming they work on default installs of Debian 13, Ubuntu 24.04/26.04, Fedora 43, and Fedora 44.

The researchers reported the flaw privately to the Linux kernel security team on May 11, 2026, and the team came back with a patch three days later, on May 14. Shortly after, an independent exploit derived from the public commit appeared, effectively breaking the embargo and prompting the full advisory release.

Administrators are advised to apply the kernel update from their distribution immediately. Those that cannot patch immediately should raise kernel.yama.ptrace_scope to 2 to block public exploits.

Hosts that had untrusted local users during the exposure windows are advised to treat SSH host keys and locally cached credentials as compromised and should rotate them as soon as possible.

Via The Hacker News

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.