{"id":17253,"date":"2026-05-16T16:25:03","date_gmt":"2026-05-16T23:25:03","guid":{"rendered":"https:\/\/jasonsblog.ddns.net\/?p=17253"},"modified":"2026-05-16T16:30:11","modified_gmt":"2026-05-16T23:30:11","slug":"ai-just-found-another-linux-zero-day-and-security-researchers-are-freaking-out","status":"publish","type":"post","link":"https:\/\/jasonsblog.ddns.net\/index.php\/2026\/05\/16\/ai-just-found-another-linux-zero-day-and-security-researchers-are-freaking-out\/","title":{"rendered":"AI Just Found Another Linux Zero-Day and Security Researchers Are Freaking Out"},"content":{"rendered":"\n<p>Another good point for Linux is these are getting fixed pretty fast compared to Microsoft&#8217;s slow updates on their closed-source software. And in the end Linux will be more secure. Though my Arch-based systems have gotten like three kernel updates in the last couple days, not to mention my Liquorix kernel updates I run on my desktop, so lots of rebooting. I&#8217;d be curious to know how skilled the researcher is using AI, and how many prompts they&#8217;re running before they find success? 
<\/p>\n\n\n\n<p><a href=\"https:\/\/linuxstans.com\/ai-just-found-another-linux-zero-day-and-security-researchers-are-freaking-out\/\">https:\/\/linuxstans.com\/ai-just-found-another-linux-zero-day-and-security-researchers-are-freaking-out\/<\/a><\/p>\n\n\n<div class=\"wp-block-ub-divider ub_divider ub-divider-orientation-horizontal\" id=\"ub_divider_9f97063e-ef76-470a-a666-129154abab6c\"><div class=\"ub_divider_wrapper\" style=\"position: relative; margin-bottom: 2px; width: 100%; height: 2px; \" data-divider-alignment=\"center\"><div class=\"ub_divider_line\" style=\"border-top: 2px solid #ccc; margin-top: 2px; \"><\/div><\/div><\/div>\n\n\n<p>By Linux Stans<\/p>\n\n\n\n<p>If you thought the security circus was over after <a href=\"https:\/\/linuxstans.com\/dirty-frag-your-linux-box-has-been-vulnerable-for-9-years-and-nobody-knew\/\">copyfail<\/a>, dirty frag, and fragnesia, think again. The Linux kernel just took another hit with CVE-2026-46333, and the timing couldn\u2019t be worse.<\/p>\n\n\n\n<p>Security researchers dropped this bomb on May 15th, and the community is already calling it \u201cssh-keysign-pwn.\u201d This marks the fourth major kernel vulnerability discovered this month alone, and people are starting to ask some uncomfortable questions about what\u2019s really going on.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What Actually Broke This Time<\/h2>\n\n\n\n<p>The vulnerability lives in the ptrace subsystem, specifically in how the kernel handles the dumpability flag for processes. Here\u2019s the problem: ptrace was checking whether a process could be debugged or traced based on memory management flags that don\u2019t always exist.<\/p>\n\n\n\n<p>When a thread doesn\u2019t have a memory management pointer (think kernel threads or processes that have exited), the old code would still try to use dumpability checks. 
This created a loophole where attackers with local access could potentially escalate privileges by exploiting the mismatch between what the code assumed and what actually existed.<\/p>\n\n\n\n<p>The kernel team patched this by implementing a cached \u201clast dumpability\u201d value and requiring proper CAP_SYS_PTRACE capabilities to override. Simple fix, massive impact.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Which Versions Got Wrecked<\/h2>\n\n\n\n<p>If you\u2019re running any of these kernel versions, you\u2019re vulnerable:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>5.10 series (fixed in 5.10.256)<\/li>\n\n\n\n<li>5.15 series (fixed in 5.15.207)<\/li>\n\n\n\n<li>6.1 series (fixed in 6.1.173)<\/li>\n\n\n\n<li>6.6 series (fixed in 6.6.139)<\/li>\n\n\n\n<li>6.12 series (fixed in 6.12.89)<\/li>\n\n\n\n<li>6.18 series (fixed in 6.18.31)<\/li>\n\n\n\n<li>7.0 series (fixed in 7.0.8)<\/li>\n<\/ul>\n\n\n\n<p>Basically, if you haven\u2019t updated in the last 48 hours, you probably need to.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Quick Fix (While You Wait for Patches)<\/h2>\n\n\n\n<p>Can\u2019t deploy kernel updates immediately? Set your ptrace_scope to lockdown mode:<\/p>\n\n\n\n<p><strong>Immediate fix:<\/strong><\/p>\n\n\n\n<p><code>sudo sysctl -w kernel.yama.ptrace_scope=2<\/code><\/p>\n\n\n\n<p><strong>Make it permanent:<\/strong><\/p>\n\n\n\n<p><code>echo 'kernel.yama.ptrace_scope = 2' | sudo tee -a \/etc\/sysctl.d\/99-ptrace-scope.conf<\/code><\/p>\n\n\n\n<p>Setting ptrace_scope to 2 restricts ptrace to admin-only attach. If you want maximum paranoia, set it to 3 for no attach at all. This kills the exploit path completely.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The AI Elephant in the Room<\/h2>\n\n\n\n<p>Here\u2019s where things get interesting. The Reddit community is buzzing with theories that these vulnerabilities are getting discovered at breakneck speed because of AI-powered code analysis. 
Some developers are pointing fingers at LLMs combing through kernel commits and reverse-engineering security patches within minutes of publication.<\/p>\n\n\n\n<p>One commenter nailed it: \u201cThe issue is that now everyone can be a security researcher with a claude subscription.\u201d<\/p>\n\n\n\n<p>The disclosure timeline is getting compressed to the point where traditional responsible disclosure practices are breaking down. When AI can analyze a security commit and generate an exploit faster than distros can push updates, the entire game changes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Should You Actually Panic<\/h2>\n\n\n\n<p>Probably not. This is a local privilege escalation bug, which means an attacker needs existing access to your system. If you\u2019re running a hardened server with trusted users only, your risk is low.<\/p>\n\n\n\n<p>The real danger comes from chaining exploits. An attacker could use a remote code execution vulnerability to gain unprivileged access, then leverage CVE-2026-46333 to escalate to root. That\u2019s the nightmare scenario security teams are worried about.<\/p>\n\n\n\n<p>For desktop Linux users, the risk is even lower unless you\u2019re running untrusted code or have compromised user accounts on your system.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What This Really Means<\/h2>\n\n\n\n<p>The frequency of these discoveries is accelerating, and that\u2019s actually good news in disguise. These vulnerabilities have been lurking in the kernel for years. AI is just finding them faster than humans ever could.<\/p>\n\n\n\n<p>The flip side? Bad actors have the same AI tools. The window between patch publication and active exploitation is shrinking to zero. Kernel maintainers are playing whack-a-mole at machine speed now, and the traditional security playbook needs an update.<\/p>\n\n\n\n<p>AlmaLinux has already pushed patches. Fedora and Ubuntu won\u2019t be far behind. 
If you\u2019re on a rolling-release distro, you probably got the fix before you even heard about the vulnerability.<\/p>\n\n\n\n<p><strong>Bottom line:<\/strong> Update your kernel, set your ptrace_scope if you need a temporary fix, and maybe start paying attention to those security update notifications you\u2019ve been ignoring.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Another good point for Linux is these are getting fixed pretty fast compared to Microsoft&#8217;s slow updates on their closed-source software. And in the end Linux will be more secure. Though my Arch-based systems have gotten like three kernel updates in the last couple days, not to mention my Liquorix kernel updates I [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-17253","post","type-post","status-publish","format-standard","hentry","category-tech"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17253","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=17253"}],"version-history":[{"count":3,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17253\/revisions"}],"predecessor-version":[{"id":17256,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17253\/revisions\/17256"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=17253"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=17253"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=17253"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}