Qualys Security Analysts Discover Critical Linux Kernel Vulnerability Since 2016 Allowing Local Attackers to Obtain Full Root Privileges on Mainstream Linux Distributions
Security analysts at the IT firm Qualys have released a detailed advisory on a critical vulnerability that affects numerous mainstream Linux distributions. Details were published on the Qualys security blog; according to the team:
"The flaw has existed unpatched in the heart of the Linux kernel since 2016. The security hole allows a local attacker to bypass conventional permission barriers, obtain full root privileges on the vulnerable system."
The security issue is caused by a brief delay that occurs when an elevated system process is killed. For a fraction of a second after a root application terminates, its connection remains open, giving any system process the ability to take over its privilege level. A malicious process could apparently exploit this small time window to gain root access on the vulnerable machine and run custom commands. The flaw, now CVE-2026-46333, was assigned a severity of 5.5 out of a possible 10.
To highlight the risk this security gap poses to many users, the researchers built and released 4 proofs of concept. The tests were run on Ubuntu 24.04, Ubuntu 26.04, Debian 13, Fedora 43, and Fedora 44; all achieved privilege escalation. The researchers caution that other large enterprise-class distributions are equally likely to carry the same flaw in their code, including, but not limited to, Red Hat Enterprise Linux, SUSE, AlmaLinux and CloudLinux.
The security team disclosed the vulnerability to the Linux kernel security group earlier this month, and a software patch was released three days later. Unfortunately, this has not completely secured all systems, as another proof of concept for the same exploit was posted online several days later. Systems without the patch remain vulnerable to attacks using local access. Administrators need to install the latest kernel from their Linux vendor; otherwise they may need to mitigate the exploit manually by raising 'kernel.yama.ptrace_scope' to 2. This prevents a process from attaching to a more privileged process.
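
One way to verify the 'kernel.yama.ptrace_scope' mitigation described above, as an added example that is not from Qualys or the original article: the script checks that both the running kernel and the boot-time sysctl.d configuration are at level 2 or stricter. The function names, the directory list and the simplified file-precedence rule are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the kernel.yama.ptrace_scope mitigation.
# Yama levels: 0 classic, 1 restricted, 2 admin-only, 3 no attach at all.
KEY_RE='kernel\.yama\.ptrace_scope'
WANT=2   # level recommended in the article; 3 is stricter and also passes

# Print the running kernel's value, or "absent" when Yama is not available.
runtime_scope() {
    f=${1:-/proc/sys/kernel/yama/ptrace_scope}
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Print the value the given sysctl.d directories would set at boot, or "unset".
# Simplification (assumption): directories are read in the order given, files
# in glob order, and the last assignment wins. /etc/sysctl.conf is not read.
persisted_scope() {
    val=unset
    for d in "$@"; do
        for f in "$d"/*.conf; do
            [ -f "$f" ] || continue
            v=$(sed -n "s/^[[:space:]]*$KEY_RE[[:space:]]*=[[:space:]]*\([0-9]\{1,\}\)[[:space:]]*\$/\1/p" "$f" | tail -n 1)
            if [ -n "$v" ]; then val=$v; fi
        done
    done
    echo "$val"
}

# check_level LABEL VALUE: print a finding, return 0 only if VALUE >= WANT.
check_level() {
    case $2 in
        ''|*[!0-9]*) echo "FAIL $1: $2"; return 1 ;;
    esac
    if [ "$2" -ge "$WANT" ]; then echo "OK   $1: $2"; return 0; fi
    echo "FAIL $1: $2 is below $WANT"; return 1
}

# audit_scope RUNTIME PERSISTED: both must pass, otherwise the protection is
# either not active now or will be lost at the next reboot.
audit_scope() {
    rc=0
    check_level runtime "$1" || rc=1
    check_level persisted "$2" || rc=1
    return $rc
}

# Run against this host; the directory list is an assumption about the layout.
audit_scope "$(runtime_scope)" \
    "$(persisted_scope /usr/lib/sysctl.d /run/sysctl.d /etc/sysctl.d)" \
    || echo "ptrace_scope mitigation incomplete on this host"
```

A runtime value set with `sysctl -w` alone passes the first check but fails the second until a drop-in file under /etc/sysctl.d carries the same setting.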
