
VSA-2026-016: Linux Kernel ptrace and RDS Local Privilege Escalation (CVE-2026-46333, CVE-2026-43494)

Published: 2026-06-02
Updated: 2026-06-02
Severity: 🟠 Moderate
CVSS 4.0: 5.5 (CVE-2026-46333) and 7.8 (CVE-2026-43494)
Affected products: XCP-ng, XOA
Info: Two Linux kernel vulnerabilities (CVE-2026-46333, CVE-2026-43494) have been disclosed, together with public exploits for them. For Vates products we classify the impact as Moderate: both XCP-ng and XOA are affected. For details on how we assign severity levels, see our Severity Levels Explained page.

Summary

Both vulnerabilities allow local privilege escalation:

  • CVE-2026-46333 is in the kernel's ptrace subsystem. Incorrect tracking of a task's privilege level while it is exiting can let an unprivileged local user write to file descriptors it should not have access to, and thus escalate to root. Because the writes reach the underlying files, which may be root-owned, the changes persist across reboots.
  • CVE-2026-43494 is in the kernel's RDS (Reliable Datagram Sockets) module. A double free of pinned pages in the transmit error path can let an unprivileged local user modify the page cache of file-backed files, for example overwriting the cached pages of a SUID binary with shellcode, and thus escalate to root. Because only the page cache is modified, the changes do not survive a reboot.

Public exploits exist for both:

  • "ssh-keysign-pwn" and "ptrace_may_dream" are exploits leveraging CVE-2026-46333.
  • "pintheft" is an exploit leveraging CVE-2026-43494.

Impact

An unprivileged local user can escalate privileges to root:

  • On XCP-ng this is limited, as very few processes run as users other than root.
  • On XOA the impact could be greater, as network-facing services run as unprivileged users.

Affected Versions

  • XCP-ng is impacted by CVE-2026-46333 and CVE-2026-43494.
  • XOA is impacted by CVE-2026-46333 and CVE-2026-43494.

Mitigation

On both XCP-ng and XOA the rds module can be blacklisted to neutralize CVE-2026-43494, as this module is not used in standard deployments. There is no practical mitigation for CVE-2026-46333 short of applying the kernel update: the ptrace subsystem cannot be disabled.
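The following script shows how the rds blacklist can be written and verified. It is an added example, not part of this advisory or of any XCP-ng/XOA tooling; the file name blacklist-rds.conf and the helper function names are assumptions. The blacklist directive stops modprobe from resolving the module's own aliases (including the net-pf-21 protocol alias the kernel requests when a process calls socket(AF_RDS)), and install rds /bin/false additionally makes any explicit load request fail. The helpers take the configuration directory as a parameter so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example: blacklist the rds kernel module so the CVE-2026-43494 code path
# cannot be reached from an unprivileged process. File name and function names
# are assumptions, not XCP-ng/XOA tooling.

# write_rds_blacklist [DIR]
# Writes the modprobe configuration into DIR (default /etc/modprobe.d) and
# prints the path of the file it wrote.
write_rds_blacklist() {
    dir="${1:-/etc/modprobe.d}"
    conf="$dir/blacklist-rds.conf"
    # "blacklist": modprobe ignores the module's internal aliases such as
    #   net-pf-21 (requested by the kernel on socket(AF_RDS)).
    # "install rds /bin/false": an explicit "modprobe rds" fails as well.
    printf '%s\n' \
        '# CVE-2026-43494 mitigation: rds is not used on this host' \
        'blacklist rds' \
        'install rds /bin/false' > "$conf"
    echo "$conf"
}

# rds_blacklist_ok [DIR]
# Returns 0 when some *.conf in DIR carries both directives, 1 otherwise.
rds_blacklist_ok() {
    dir="${1:-/etc/modprobe.d}"
    grep -qs '^blacklist[[:space:]]rds$' "$dir"/*.conf &&
    grep -qs '^install[[:space:]]rds[[:space:]]' "$dir"/*.conf
}

# rds_loaded
# Returns 0 when the rds module is currently loaded in the running kernel.
rds_loaded() {
    grep -qs '^rds[[:space:]]' /proc/modules
}

# Typical use on a live host (as root):
#   write_rds_blacklist              # writes /etc/modprobe.d/blacklist-rds.conf
#   rds_loaded && modprobe -r rds    # unload it if something already loaded it
#   modprobe -n -v rds               # dry run; should print "install /bin/false"
#   rds_blacklist_ok && echo "rds blacklisted"
```

If the module is already loaded, modprobe -r only succeeds while no RDS socket is open; if it refuses, the vulnerable code stays reachable until the host is rebooted, so check rds_loaded again after unloading. The blacklist file only takes effect for future load requests, which is why the check and the unload are separate steps.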

Resolution

As of 2026-06-02:

  • XCP-ng 8.3:
    • kernel-4.19.19-8.0.46.5.xcpng8.3: Includes the fixes for both CVE-2026-46333 and CVE-2026-43494.
  • XOA:
    • CVE-2026-46333 is fixed in Debian's kernel version 6.1.174-1. XOA's unattended update mechanism should already have installed the fixed kernel on XOA VMs.
    • CVE-2026-43494 is not yet fixed in Debian as of 2026-06-02. This page will be updated once a fix is available.
Warning: For the XOA kernel update to take effect, the XOA VM must be restarted.

Info: Users who have been running their XOA instance for a long time might be on an older Debian release: the unattended update mechanism keeps the base release and does not upgrade the operating system. Only Debian 11 and 12 receive these updates; users on older releases need to upgrade their XOA VM.

References