Skip to main content

Linux Kernel EUVDEUVD-2026-30540

| CVE-2026-46333 HIGH
Improper Privilege Management (CWE-269)
2026-05-15 Linux GHSA-pm8f-4p6p-6x53
7.1
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Red Hat
7.8 HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

8
Analysis Updated
May 20, 2026 - 17:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 20, 2026 - 17:22 vuln.today
cvss_changed
Severity Changed
May 20, 2026 - 17:22 NVD
MEDIUM HIGH
CVSS changed
May 20, 2026 - 17:22 NVD
5.5 (MEDIUM) 7.1 (HIGH)
Analysis Generated
May 18, 2026 - 13:23 vuln.today
CVSS changed
May 18, 2026 - 13:22 NVD
5.5 (MEDIUM)
Patch available
May 15, 2026 - 15:02 EUVD
CVE Published
May 15, 2026 - 12:58 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ptrace: slightly saner 'get_dumpable()' logic

The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm.

And almost all users do in fact use it only for the case where the task has a mm pointer.

But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads).

It's not what this flag was designed for, but it is what it is.

The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all.

Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.

AnalysisAI

Local privilege escalation in the Linux kernel ptrace subsystem allows authenticated users to bypass the traditional capability-dropping security model when accessing kernel thread details via PTRACE_MODE_READ_FSCREDS checks. The flaw stems from get_dumpable() logic returning misleading values for tasks without an associated memory map (mm), enabling uid-0 processes that have dropped capabilities to still read sensitive kernel thread information. Publicly available exploit code exists (referenced in OSS-security and a GitHub PoC against ssh-keysign), though EPSS scoring (0.02%) indicates low likelihood of widespread exploitation.

Technical ContextAI

The vulnerability resides in the Linux kernel's ptrace subsystem, specifically in how ptrace_may_access() uses the 'dumpable' flag from get_dumpable() to gate access decisions. The 'dumpable' concept was originally designed around core-dump eligibility tied to a task's memory image (mm_struct), but ptrace repurposes it for access control even on tasks without an mm - such as kernel threads. This creates a CWE-269 (Improper Privilege Management) condition where the standard capability model (drop CAP_SYS_PTRACE to limit access) becomes ineffective for kernel-thread inspection. The fix caches a 'last dumpability' flag for tasks that once had an mm (zero for kernel threads that never had one) and requires explicit CAP_SYS_PTRACE to override.

RemediationAI

Vendor-released patches are available - upgrade to Linux kernel 5.10.256, 5.15.207, 6.1.173, 6.6.139, 6.12.89, 6.18.31, or 7.0.8 (whichever matches your stable branch) per the kernel.org stable commits and Debian LTS announcements (https://lists.debian.org/debian-lts-announce/2026/05/msg00032.html). Distribution users should apply vendor-backported updates as they appear (Debian, Ubuntu, RHEL, SUSE). As a compensating control until patching, restrict shell access to trusted users only and audit any setuid/capability-bearing binaries that rely on ptrace permission boundaries (notably ssh-keysign, which is the subject of the public PoC), since removing or chmod 0700'ing ssh-keysign disables host-based authentication but breaks that feature. Consider enabling /proc/sys/kernel/yama/ptrace_scope=2 or 3 to restrict ptrace to CAP_SYS_PTRACE holders only, accepting that this will break legitimate debuggers like gdb attaching to running processes.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Container suse/sle-micro-rancher/5.3:latest Container suse/sle-micro-rancher/5.4:5.4.4.5.109 Image SLES15-SP4-BYOS Image SLES15-SP4-BYOS-Azure Image SLES15-SP4-BYOS-EC2 Image SLES15-SP4-BYOS-GCE Image SLES15-SP4-CHOST-BYOS Image SLES15-SP4-CHOST-BYOS-Aliyun Image SLES15-SP4-CHOST-BYOS-Azure Image SLES15-SP4-CHOST-BYOS-EC2 Image SLES15-SP4-CHOST-BYOS-GCE Image SLES15-SP4-CHOST-BYOS-SAP-CCloud Image SLES15-SP4-HPC-BYOS Image SLES15-SP4-HPC-BYOS-Azure Image SLES15-SP4-HPC-BYOS-EC2 Image SLES15-SP4-HPC-BYOS-GCE Image SLES15-SP4-HPC-EC2 Image SLES15-SP4-HPC-GCE Image SLES15-SP4-Hardened-BYOS Image SLES15-SP4-Hardened-BYOS-Azure Image SLES15-SP4-Hardened-BYOS-EC2 Image SLES15-SP4-Hardened-BYOS-GCE Image SLES15-SP4-SAP Image SLES15-SP4-SAP-Azure Image SLES15-SP4-SAP-EC2 Image SLES15-SP4-SAP-GCE Image SLES15-SP4-SAPCAL Image SLES15-SP4-SAPCAL-Azure Image SLES15-SP4-SAPCAL-EC2 Image SLES15-SP4-SAPCAL-GCE Affected
Container suse/sle-micro/base-5.5:2.0.4-5.8.274 Image SLES15-SP5-BYOS-Azure Image SLES15-SP5-BYOS-EC2 Image SLES15-SP5-BYOS-GCE Image SLES15-SP5-CHOST-BYOS-Aliyun Image SLES15-SP5-CHOST-BYOS-Azure Image SLES15-SP5-CHOST-BYOS-EC2 Image SLES15-SP5-CHOST-BYOS-GCE Image SLES15-SP5-CHOST-BYOS-GDC Image SLES15-SP5-CHOST-BYOS-SAP-CCloud Image SLES15-SP5-EC2 Image SLES15-SP5-GCE Image SLES15-SP5-HPC-BYOS-Azure Image SLES15-SP5-HPC-BYOS-EC2 Image SLES15-SP5-HPC-BYOS-GCE Image SLES15-SP5-Hardened-BYOS-Azure Image SLES15-SP5-Hardened-BYOS-EC2 Image SLES15-SP5-Hardened-BYOS-GCE Image SLES15-SP5-SAPCAL-Azure Image SLES15-SP5-SAPCAL-EC2 Image SLES15-SP5-SAPCAL-GCE Affected
Container suse/sle-micro/kvm-5.5:2.0.4-3.5.529 Affected
Container suse/sle-micro/rt-5.5:2.0.4-4.5.586 Affected
Image SLES12-SP5-Azure-BYOS Image SLES12-SP5-Azure-HPC-BYOS Image SLES12-SP5-EC2-BYOS Image SLES12-SP5-EC2-ECS-On-Demand Image SLES12-SP5-EC2-On-Demand Image SLES12-SP5-GCE-BYOS Image SLES12-SP5-GCE-On-Demand Affected

Share

EUVD-2026-30540 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy