EGI SVG Advisories

Advisory-EGI-SVG-2026-17

CRITICAL risk Linux kernel vulnerability

Date: 2026-05-15

Updated: 2026-05-29

Updated: 2026-05-21

Updated: 2026-05-18

Updated: 2026-05-15

NOTE:

All running resources MUST be patched, have mitigation in place, or have the affected services disabled by 2026-05-23, 00:00 UTC.

Sites failing to act or respond to requests from the EGI CSIRT team risk site suspension. See [R 98].

DESCRIPTION

A CRITICAL risk vulnerability in the Linux kernel allows a local unprivileged user to read confidential files that should be inaccessible to them.

A public Proof-of-Concept (PoC) is available that allows host private SSH keys and /etc/shadow to be read by anyone. It is extensively described at [R 1] [R 2] [R 3] [R 4].

IDs AND CVSS SCORE

EGI SVG ID : EGI-SVG-2026-17

CVE ID : CVE-2026-46333

CVSSv3 Score:

ACTIONS REQUIRED/RECOMMENDED

Urgent action is required on hosts giving access to unprivileged users such as grid worker nodes.

Please apply the mitigation commands from [R 3] on affected hosts as soon as possible!

At the time of writing, patched kernels are only available for very few relevant distributions. AlmaLinux has patches available: see [R 4].

STATUS OF THIS ADVISORY

TLP:CLEAR information - Unlimited distribution

https://advisories.egi.eu/Advisory-EGI-SVG-2026-17

https://advisories.egi.eu/Advisory-SVG-CVE-2026-46333

Minor updates may be made without re-distribution to the sites.

CONTACT AND OTHER INFORMATION ON SVG


This advisory is subject to the Creative Commons licence
https://creativecommons.org/licenses/by/4.0/ and
the EGI (https://www.egi.eu/) Software Vulnerability Group
must be credited.

See [R 99] for further details, and other information on SVG.

REFERENCES

CREDITS

SVG was alerted to this vulnerability by the EGI CSIRT among others.