{
  "threat_severity" : "Important",
  "public_date" : "2026-05-15T05:55:00Z",
  "bugzilla" : {
    "description" : "kernel: Read root-owned files as an unprivileged user",
    "id" : "2477802",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2477802"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-269",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nptrace: slightly saner 'get_dumpable()' logic\nThe 'dumpability' of a task is fundamentally about the memory image of\nthe task - the concept comes from whether it can core dump or not - and\nmakes no sense when you don't have an associated mm.\nAnd almost all users do in fact use it only for the case where the task\nhas a mm pointer.\nBut we have one odd special case: ptrace_may_access() uses 'dumpable' to\ncheck various other things entirely independently of the MM (typically\nexplicitly using flags like PTRACE_MODE_READ_FSCREDS).  Including for\nthreads that no longer have a VM (and maybe never did, like most kernel\nthreads).\nIt's not what this flag was designed for, but it is what it is.\nThe ptrace code does check that the uid/gid matches, so you do have to\nbe uid-0 to see kernel thread details, but this means that the\ntraditional \"drop capabilities\" model doesn't make any difference for\nthis all.\nMake it all make a *bit* more sense by saying that if you don't have a\nMM pointer, we'll use a cached \"last dumpability\" flag if the thread\never had a MM (it will be zero for kernel threads since it is never\nset), and require a proper CAP_SYS_PTRACE capability to override.", "A vulnerability was found in the Linux kernel that allows an unprivileged local user to read sensitive files normally restricted to the root user. The flaw occurs during process exit, where a brief window allows an attacker to intercept file access from a privileged process before it fully terminates. Successful exploitation may lead to the disclosure of sensitive data such as SSH host private keys or /etc/shadow contents." ],
  "statement" : "This is an Important flaw in the Linux kernel that allows a local unprivileged attacker to read root-owned files. The vulnerability arises from a race condition during process termination, enabling a brief window where sensitive data, such as SSH host private keys or /etc/shadow contents, can be disclosed. This could lead to unauthorized access to sensitive information on affected Red Hat Enterprise Linux systems.\nIn OpenShift Container Platform 4, this flaw is rated Low. The default `restricted-v2` Security Context Constraint (SCC) sets `allowPrivilegeEscalation: false` on all pods, which causes the kernel to ignore setuid file bits and prevents target binaries from opening privileged files, breaking the exploit chain entirely. Under non-default SCCs such as `anyuid` that permit privilege escalation, the vulnerability is constrained by PID and mount namespace isolation to the container's own filesystem. An attacker would only be able to access root-owned files already within the container, not host or cross-pod resources. In practice, containers rarely contain sensitive root-owned files that are not already accessible to the pod user through normal means.",
  "affected_release" : [ {
    "product_name" : "NVIDIA for RHEL 10",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19540",
    "cpe" : "cpe:/a:redhat:enterprise_linux_nvidia:10::el10",
    "package" : "kernel-0:6.12.0-211.8.el10nv"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19569",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "kernel-0:6.12.0-211.16.1.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-05-21T00:00:00Z",
    "advisory" : "RHSA-2026:20299",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "kernel-0:6.12.0-55.75.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19664",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.125.1.rt7.466.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19666",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.125.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2026-05-21T00:00:00Z",
    "advisory" : "RHSA-2026:20130",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.192.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-05-21T00:00:00Z",
    "advisory" : "RHSA-2026:20130",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.192.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-05-21T00:00:00Z",
    "advisory" : "RHSA-2026:20051",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.193.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2026-05-21T00:00:00Z",
    "advisory" : "RHSA-2026:20051",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.193.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2026-05-21T00:00:00Z",
    "advisory" : "RHSA-2026:20051",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.193.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19521",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.143.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19521",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.143.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19568",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-687.10.1.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19568",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-687.10.1.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19705",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.180.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19711",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.180.1.rt21.252.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-05-26T00:00:00Z",
    "advisory" : "RHSA-2026:20593",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.172.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19875",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.172.1.rt14.457.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-05-21T00:00:00Z",
    "advisory" : "RHSA-2026:20054",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.126.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-05-21T00:00:00Z",
    "advisory" : "RHSA-2026:20129",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "kernel-0:5.14.0-570.116.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-46333\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-46333\nhttps://blog.qualys.com/vulnerabilities-threat-research/2026/05/20/cve-2026-46333-local-root-privilege-escalation-and-credential-disclosure-in-the-linux-kernel-ptrace-path\nhttps://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a" ],
  "csaw" : true,
  "name" : "CVE-2026-46333",
  "mitigation" : {
    "value" : "See the security bulletin for a detailed mitigation procedure.",
    "lang" : "en:us"
  }
}