# ptrace_may_dream

CVE-2026-46333

Local privilege escalation exploit for the `ptrace_may_access()` `mm=NULL` race condition in `pidfd_getfd(2)`.

When a process is dying and its mm has already been released, the kernel skips the ptrace access check entirely. By racing `pidfd_getfd()` against process exit, an unprivileged user can steal open file descriptors from a privileged process.

This exploit targets accounts-daemon: it triggers a short-lived child (via `SetIconFile`), wins the race to grab the daemon's D-Bus socket FD, then sends `SetShell`, `SetAccountType`, and `SetPassword` calls to promote the calling user to a password-known admin account.

The exploit sets the target user's password to a hardcoded value — edit it in the source before building :)

Tested on RHEL 10 and Fedora 44 with dbus-broker (D-Bus socket at FD 5).

## Build and usage

```sh
make
./ptrace_may_dream [--retries N] [--nthreads N] [fd-slot]
```

---

"The process is dead, long live the process." - the kernel, probably