Analysis updated 2026-05-18
Test whether a Linux server is vulnerable to CVE-2026-46333 before patching.
Study how a kernel race condition during process exit can leak privileged file descriptors.
Demonstrate SSH host key or shadow file theft in a security training or lab environment.
| 0xblackash/cve-2026-46333 | badlogic/mcugdx | jakobfriedl/asyncscan-bof | |
|---|---|---|---|
| Stars | 17 | 17 | 17 |
| Language | C | C | C |
| Last pushed | — | 2025-07-09 | — |
| Maintenance | — | Stale | — |
| Setup difficulty | moderate | hard | hard |
| Complexity | 4/5 | 4/5 | 4/5 |
| Audience | researcher | developer | ops devops |
Figures from each repo's GitHub metadata at analysis time.
Must run on a matching vulnerable kernel version to reproduce the exploit.
This repository contains a proof-of-concept exploit for CVE-2026-46333, a security vulnerability in the Linux kernel discovered by Qualys and patched in May 2026. A proof-of-concept in this context is a working demonstration that confirms the vulnerability is real and exploitable, used by security researchers and system administrators to test whether systems are at risk. The underlying vulnerability is a race condition in the kernel's process exit sequence. A race condition is a bug where two or more things happening at nearly the same time produce an unexpected outcome because the order of operations is not properly controlled. In this case, a specific window exists during the shutdown of certain privileged programs (ones with elevated file access, like the SSH key signing helper) where the kernel's permission check is bypassed. An attacker without any special privileges on the system can exploit that window to grab copies of file descriptors that the privileged process had open, meaning they can read files they normally cannot access. The practical impact shown in the README is significant: an unprivileged local user can steal the server's SSH host private key (the file the server uses to prove its identity to clients) and dump the /etc/shadow file (which contains hashed passwords for all accounts on the system). Both outcomes can be used in further attacks. The repository contains two C source files: one targeting the SSH host key and one targeting the shadow file via a different privileged helper program called chage. Both compile without external dependencies and run as standalone programs. The README recommends updating the kernel to any version containing the patch commit listed, or to the latest stable kernel from your distribution. It also notes that disabling SSH key signing in the server configuration removes the SSH key attack surface if that feature is not needed. The project is released under the MIT license and includes a disclaimer limiting use to authorized security research and testing.
A proof of concept exploit for a Linux kernel race condition that lets an unprivileged local user steal SSH host keys or the shadow password file.
Mainly C. The stack also includes C, Linux Kernel.
MIT license, but the repo's disclaimer limits use to authorized security research and testing.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.