whatisgithub

What is cve-2026-46333?

0xblackash/cve-2026-46333 — explained in plain English

Analysis updated 2026-05-18

17CAudience · researcherComplexity · 4/5LicenseSetup · moderate

In one sentence

A proof of concept exploit for a Linux kernel race condition that lets an unprivileged local user steal SSH host keys or the shadow password file.

Mindmap

mindmap
  root((CVE PoC))
    What it does
      Kernel race condition
      Steals SSH key
      Dumps shadow file
    Tech stack
      C
      Linux kernel
    Use cases
      Test system risk
      Study race conditions
      Security training
    Audience
      Security researchers
      Sysadmins

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Test whether a Linux server is vulnerable to CVE-2026-46333 before patching.

USE CASE 2

Study how a kernel race condition during process exit can leak privileged file descriptors.

USE CASE 3

Demonstrate SSH host key or shadow file theft in a security training or lab environment.

What is it built with?

CLinux Kernel

How does it compare?

0xblackash/cve-2026-46333badlogic/mcugdxjakobfriedl/asyncscan-bof
Stars171717
LanguageCCC
Last pushed2025-07-09
MaintenanceStale
Setup difficultymoderatehardhard
Complexity4/54/54/5
Audienceresearcherdeveloperops devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Must run on a matching vulnerable kernel version to reproduce the exploit.

MIT license, but the repo's disclaimer limits use to authorized security research and testing.

So what is it?

This repository contains a proof-of-concept exploit for CVE-2026-46333, a security vulnerability in the Linux kernel discovered by Qualys and patched in May 2026. A proof-of-concept in this context is a working demonstration that confirms the vulnerability is real and exploitable, used by security researchers and system administrators to test whether systems are at risk. The underlying vulnerability is a race condition in the kernel's process exit sequence. A race condition is a bug where two or more things happening at nearly the same time produce an unexpected outcome because the order of operations is not properly controlled. In this case, a specific window exists during the shutdown of certain privileged programs (ones with elevated file access, like the SSH key signing helper) where the kernel's permission check is bypassed. An attacker without any special privileges on the system can exploit that window to grab copies of file descriptors that the privileged process had open, meaning they can read files they normally cannot access. The practical impact shown in the README is significant: an unprivileged local user can steal the server's SSH host private key (the file the server uses to prove its identity to clients) and dump the /etc/shadow file (which contains hashed passwords for all accounts on the system). Both outcomes can be used in further attacks. The repository contains two C source files: one targeting the SSH host key and one targeting the shadow file via a different privileged helper program called chage. Both compile without external dependencies and run as standalone programs. The README recommends updating the kernel to any version containing the patch commit listed, or to the latest stable kernel from your distribution. It also notes that disabling SSH key signing in the server configuration removes the SSH key attack surface if that feature is not needed. The project is released under the MIT license and includes a disclaimer limiting use to authorized security research and testing.

Copy-paste prompts

Prompt 1
Explain how the race condition in CVE-2026-46333 bypasses the kernel's permission check during process exit.
Prompt 2
Help me compile and run this PoC safely in an isolated test VM to check if my kernel is patched.
Prompt 3
What kernel version do I need to patch this CVE-2026-46333 vulnerability?
Prompt 4
Walk me through how file descriptor stealing works in this exploit.

Frequently asked questions

What is cve-2026-46333?

A proof of concept exploit for a Linux kernel race condition that lets an unprivileged local user steal SSH host keys or the shadow password file.

What language is cve-2026-46333 written in?

Mainly C. The stack also includes C, Linux Kernel.

What license does cve-2026-46333 use?

MIT license, but the repo's disclaimer limits use to authorized security research and testing.

How hard is cve-2026-46333 to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is cve-2026-46333 for?

Mainly researcher.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.