CVE-2026-46333
Local privilege escalation exploit for the ptrace_may_access() mm=NULL race condition in pidfd_getfd(2).
When a process is dying and its mm has already been released, the kernel skips the ptrace access check entirely. By racing pidfd_getfd() against process exit, an unprivileged user can steal open file descriptors from a privileged process.
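A defender's view of the same race, as an added example that is not part of this repository: because the window is narrow, a successful attempt is preceded by a burst of pidfd_getfd(2) calls from an unprivileged user, and that burst is what a host-based detection can key on. The script below parses Linux auditd SYSCALL records and flags any unprivileged UID that issues many pidfd_getfd calls within a short window. It assumes an audit rule keyed on that syscall is in place, that the host is x86_64 (syscall number 438), and the threshold and window values are arbitrary defaults; the log lines are constructed for the example, not real captures.

```python
"""Flag bursts of pidfd_getfd(2) calls by unprivileged users in auditd logs (added example)."""
import re
from collections import defaultdict

PIDFD_GETFD_X86_64 = 438     # pidfd_getfd syscall number on x86_64
UNPRIV_UID_MIN = 1000        # first regular-user UID on most distros
BURST_THRESHOLD = 50         # arbitrary: calls within WINDOW_SECONDS that raise an alert
WINDOW_SECONDS = 5.0         # arbitrary: sliding window length

_RE_TS = re.compile(r"msg=audit\((\d+\.\d+):\d+\)")
_RE_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syscall_record(line):
    """Return a dict for a type=SYSCALL audit record, or None for anything else."""
    if not line.startswith("type=SYSCALL"):
        return None
    m = _RE_TS.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _RE_FIELD.findall(line)}
    try:
        return {
            "ts": float(m.group(1)),
            "syscall": int(fields["syscall"]),
            "uid": int(fields["uid"]),
            "success": fields.get("success") == "yes",
            "comm": fields.get("comm", ""),
        }
    except (KeyError, ValueError):
        return None


def max_calls_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    ts = sorted(timestamps)
    best, left = 0, 0
    for right in range(len(ts)):
        while ts[right] - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_bursts(lines, threshold=BURST_THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert per unprivileged UID whose pidfd_getfd call rate exceeds the threshold."""
    per_uid = defaultdict(list)
    comm_by_uid = {}
    for line in lines:
        rec = parse_syscall_record(line)
        if rec is None or rec["syscall"] != PIDFD_GETFD_X86_64:
            continue
        if rec["uid"] < UNPRIV_UID_MIN:      # root/system callers are expected to use pidfd_getfd
            continue
        per_uid[rec["uid"]].append(rec["ts"])
        comm_by_uid[rec["uid"]] = rec["comm"]
    alerts = []
    for uid, stamps in per_uid.items():
        peak = max_calls_in_window(stamps, window)
        if peak >= threshold:
            alerts.append({"uid": uid, "peak_calls": peak, "comm": comm_by_uid[uid]})
    return alerts


def build_sample_log():
    """Constructed auditd SYSCALL records (not real captures): a 60-call burst from UID 1000,
    one legitimate root call, and one unrelated openat record."""
    base = 1700000000.000
    lines = []
    for i in range(60):
        lines.append(
            'type=SYSCALL msg=audit(%.3f:%d): arch=c000003e syscall=438 success=no exit=-1 '
            'a0=3 a1=5 a2=0 a3=0 items=0 ppid=2000 pid=%d auid=1000 uid=1000 gid=1000 '
            'comm="racer" exe="/tmp/racer" key="pidfd_getfd"' % (base + i * 0.02, 100 + i, 3000 + i))
    lines.append(
        'type=SYSCALL msg=audit(%.3f:200): arch=c000003e syscall=438 success=yes exit=7 '
        'a0=3 a1=5 a2=0 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 '
        'comm="systemd" exe="/usr/lib/systemd/systemd" key="pidfd_getfd"' % (base + 1.0))
    lines.append(
        'type=SYSCALL msg=audit(%.3f:201): arch=c000003e syscall=257 success=yes exit=3 '
        'a0=ffffff9c a1=7ffd a2=0 a3=0 items=1 ppid=2000 pid=3100 auid=1000 uid=1000 gid=1000 '
        'comm="bash" exe="/usr/bin/bash" key="open"' % (base + 2.0))
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log()):
        print("ALERT: uid=%(uid)d comm=%(comm)s peak pidfd_getfd calls in window=%(peak_calls)d" % alert)
```

To feed it, add an audit rule such as `-a always,exit -F arch=b64 -S pidfd_getfd -F auid>=1000 -F auid!=unset -k pidfd_getfd` (use the number 438 in place of the name if your libaudit predates the syscall), then run the script over `/var/log/audit/audit.log`. Tune the threshold to your baseline: ordinary user processes almost never call pidfd_getfd at all, so even a low threshold is unlikely to produce noise.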
This exploit targets accounts-daemon: it triggers a short-lived child (via SetIconFile), wins the race to grab the daemon's D-Bus socket FD, then sends SetShell, SetAccountType, and SetPassword calls to promote the calling user to a password-known admin account.
The exploit sets the target user's password to a hardcoded value — edit it in the source before building :)
Tested on RHEL 10 and Fedora 44 with dbus-broker (D-Bus socket at FD 5).
make
./ptrace_may_dream [--retries N] [--nthreads N] [fd-slot]
"The process is dead, long live the process." - the kernel, probably