Bug 2477802 (CVE-2026-46333)

Summary: CVE-2026-46333 kernel: Read root-owned files as an unprivileged user
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: cchiang, eric.eisenhart, markus.janse, rhel-process-autobot, shalygin.k, victor.cardoso, villapla, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A vulnerability was found in the Linux kernel that allows an unprivileged local user to read sensitive files normally restricted to the root user. The flaw occurs during process exit, where a brief window allows an attacker to intercept file access from a privileged process before it fully terminates. Successful exploitation may lead to the disclosure of sensitive data such as SSH host private keys or /etc/shadow contents.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-05-15 08:30:40 UTC 
Read root-owned files as an unprivileged user. Pre-31e62c2ebbfd kernels (everything in stable as of 2026-05-14).

The bug
__ptrace_may_access() skips the dumpable check when task->mm == NULL. do_exit() runs exit_mm() before exit_files() — no mm, fds still there. pidfd_getfd(2) succeeds in that window when the caller's uid matches the target's.

Reported by Qualys, fixed by Linus 2026-05-14. Jann Horn flagged the FD-theft shape in October 2020. Six years.
Comment 3 errata-xmlrpc 2026-05-20 04:05:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:19521 https://access.redhat.com/errata/RHSA-2026:19521
Comment 4 errata-xmlrpc 2026-05-20 06:48:57 UTC 
This issue has been addressed in the following products:

  NVIDIA for RHEL 10

Via RHSA-2026:19540 https://access.redhat.com/errata/RHSA-2026:19540
Comment 5 errata-xmlrpc 2026-05-20 12:15:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:19569 https://access.redhat.com/errata/RHSA-2026:19569
Comment 6 errata-xmlrpc 2026-05-20 12:57:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:19568 https://access.redhat.com/errata/RHSA-2026:19568
Comment 7 errata-xmlrpc 2026-05-20 13:01:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:19664 https://access.redhat.com/errata/RHSA-2026:19664
Comment 8 errata-xmlrpc 2026-05-20 13:18:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:19666 https://access.redhat.com/errata/RHSA-2026:19666
Comment 9 errata-xmlrpc 2026-05-20 14:21:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:19705 https://access.redhat.com/errata/RHSA-2026:19705
Comment 10 errata-xmlrpc 2026-05-20 15:44:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:19711 https://access.redhat.com/errata/RHSA-2026:19711
Comment 11 errata-xmlrpc 2026-05-20 23:34:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:19875 https://access.redhat.com/errata/RHSA-2026:19875
Comment 12 errata-xmlrpc 2026-05-21 07:28:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:20051 https://access.redhat.com/errata/RHSA-2026:20051
Comment 13 errata-xmlrpc 2026-05-21 12:37:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:20130 https://access.redhat.com/errata/RHSA-2026:20130
Comment 14 errata-xmlrpc 2026-05-21 13:26:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:20054 https://access.redhat.com/errata/RHSA-2026:20054
Comment 15 errata-xmlrpc 2026-05-21 14:04:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:20129 https://access.redhat.com/errata/RHSA-2026:20129
Comment 16 errata-xmlrpc 2026-05-21 17:47:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:20299 https://access.redhat.com/errata/RHSA-2026:20299
Comment 17 errata-xmlrpc 2026-05-26 05:47:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:20593 https://access.redhat.com/errata/RHSA-2026:20593