## https://sploitus.com/exploit?id=D22D997F-8A5F-5B9B-ADC6-290B253ED538
# ptrace_may_dream
CVE-2026-46333
Local privilege escalation exploit for the ptrace_may_access() mm=NULL
race condition in pidfd_getfd(2).
When a process is dying and its mm has already been released, the kernel
skips the ptrace access check entirely. By racing pidfd_getfd() against
process exit, an unprivileged user can steal open file descriptors from
a privileged process.
This exploit targets accounts-daemon: it triggers a short-lived child
(via SetIconFile), wins the race to grab the daemon's D-Bus socket FD,
then sends SetShell, SetAccountType, and SetPassword calls to promote
the calling user to a password-known admin account.
Exploit set the user password: set it accordingly :)
Tested on RHEL 10 and Fedora 44 with dbus-broker (D-Bus socket at FD 5).
## Build and usage
make
./ptrace_may_dream [--retries N] [--nthreads N] [fd-slot]
---
"The process is dead, long live the process." -- the kernel, probably