Bug 2477802 (CVE-2026-46333) - CVE-2026-46333 kernel: Read root-owned files as an unprivileged user
Summary: CVE-2026-46333 kernel: Read root-owned files as an unprivileged user
Keywords:
Status: NEW
Alias: CVE-2026-46333
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-15 08:30 UTC by OSIDB Bzimport
Modified: 2026-05-21 17:47 UTC (History)
8 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:19521 0 None None None 2026-05-20 04:05:05 UTC
Red Hat Product Errata RHSA-2026:19540 0 None None None 2026-05-20 06:48:58 UTC
Red Hat Product Errata RHSA-2026:19568 0 None None None 2026-05-20 12:57:56 UTC
Red Hat Product Errata RHSA-2026:19569 0 None None None 2026-05-20 12:15:56 UTC
Red Hat Product Errata RHSA-2026:19664 0 None None None 2026-05-20 13:01:06 UTC
Red Hat Product Errata RHSA-2026:19666 0 None None None 2026-05-20 13:18:30 UTC
Red Hat Product Errata RHSA-2026:19705 0 None None None 2026-05-20 14:21:52 UTC
Red Hat Product Errata RHSA-2026:19711 0 None None None 2026-05-20 15:44:10 UTC
Red Hat Product Errata RHSA-2026:19875 0 None None None 2026-05-20 23:34:12 UTC
Red Hat Product Errata RHSA-2026:20051 0 None None None 2026-05-21 07:28:55 UTC
Red Hat Product Errata RHSA-2026:20054 0 None None None 2026-05-21 13:26:14 UTC
Red Hat Product Errata RHSA-2026:20129 0 None None None 2026-05-21 14:04:13 UTC
Red Hat Product Errata RHSA-2026:20130 0 None None None 2026-05-21 12:37:55 UTC
Red Hat Product Errata RHSA-2026:20299 0 None None None 2026-05-21 17:47:06 UTC

Description OSIDB Bzimport 2026-05-15 08:30:40 UTC 
Read root-owned files as an unprivileged user. Pre-31e62c2ebbfd kernels (everything in stable as of 2026-05-14).

The bug
__ptrace_may_access() skips the dumpable check when task->mm == NULL. do_exit() runs exit_mm() before exit_files() — no mm, fds still there. pidfd_getfd(2) succeeds in that window when the caller's uid matches the target's.

Reported by Qualys, fixed by Linus 2026-05-14. Jann Horn flagged the FD-theft shape in October 2020. Six years.
Comment 3 errata-xmlrpc 2026-05-20 04:05:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:19521 https://access.redhat.com/errata/RHSA-2026:19521
Comment 4 errata-xmlrpc 2026-05-20 06:48:57 UTC 
This issue has been addressed in the following products:

  NVIDIA for RHEL 10

Via RHSA-2026:19540 https://access.redhat.com/errata/RHSA-2026:19540
Comment 5 errata-xmlrpc 2026-05-20 12:15:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:19569 https://access.redhat.com/errata/RHSA-2026:19569
Comment 6 errata-xmlrpc 2026-05-20 12:57:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:19568 https://access.redhat.com/errata/RHSA-2026:19568
Comment 7 errata-xmlrpc 2026-05-20 13:01:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:19664 https://access.redhat.com/errata/RHSA-2026:19664
Comment 8 errata-xmlrpc 2026-05-20 13:18:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:19666 https://access.redhat.com/errata/RHSA-2026:19666
Comment 9 errata-xmlrpc 2026-05-20 14:21:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:19705 https://access.redhat.com/errata/RHSA-2026:19705
Comment 10 errata-xmlrpc 2026-05-20 15:44:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:19711 https://access.redhat.com/errata/RHSA-2026:19711
Comment 11 errata-xmlrpc 2026-05-20 23:34:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:19875 https://access.redhat.com/errata/RHSA-2026:19875
Comment 12 errata-xmlrpc 2026-05-21 07:28:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:20051 https://access.redhat.com/errata/RHSA-2026:20051
Comment 13 errata-xmlrpc 2026-05-21 12:37:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:20130 https://access.redhat.com/errata/RHSA-2026:20130
Comment 14 errata-xmlrpc 2026-05-21 13:26:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:20054 https://access.redhat.com/errata/RHSA-2026:20054
Comment 15 errata-xmlrpc 2026-05-21 14:04:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:20129 https://access.redhat.com/errata/RHSA-2026:20129
Comment 16 errata-xmlrpc 2026-05-21 17:47:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:20299 https://access.redhat.com/errata/RHSA-2026:20299
Note You need to log in before you can comment on or make changes to this bug.