git404hub

what is ptrace_may_dream fr?

sgkdev/ptrace_may_dream — explained in plain English

Analysis updated 2026-05-18

11CAudience · researcherComplexity · 5/5Setup · hard

tl;dr

A proof-of-concept exploit for CVE-2026-46333, a race in ptrace_may_access that lets a local user steal a file descriptor from accounts-daemon over D-Bus.

vibe map

mindmap
  root((ptrace_may_dream))
    Inputs
      Retry count
      Thread count
      FD slot
    Outputs
      Stolen D-Bus FD
      Modified user account
    Use Cases
      Reproduce CVE locally
      Study kernel race bugs
      Test patch effectiveness
    Tech Stack
      C
      Linux kernel
      D-Bus

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

what do people make with this?

VIBE 1

Reproduce CVE-2026-46333 on a patched test VM to verify defenses

VIBE 2

Study the pidfd_getfd race against process exit in ptrace_may_access

VIBE 3

Test detection rules for D-Bus FD theft from accounts-daemon

VIBE 4

Compare RHEL 10 and Fedora 44 behavior under the same exploit

what's the stack?

CLinuxD-Bus

how it stacks up fr

sgkdev/ptrace_may_dream0xhossam/uncannyalexanderpach/low-latency-audio-pipeline
Stars111212
LanguageCCC
Setup difficultyhardhardmoderate
Complexity5/55/54/5
Audienceresearcherresearcherdeveloper

Figures from each repo's GitHub metadata at analysis time.

how do i run it?

Difficulty · hard time til it works · 1day+

Targets specific kernels on RHEL 10 and Fedora 44, requires editing a hardcoded password, and is a destructive PoC that should only run on isolated test systems.

in plain english

This repository is a proof of concept exploit for a Linux kernel security flaw, tracked as CVE-2026-46333. The README explains, in technical terms, that the bug is a race condition inside a kernel function called ptrace_may_access. When a process is dying and the kernel has already released its memory map, the access check that normally protects one process from peeking into another is skipped. The exploit races a system call called pidfd_getfd against process exit to steal file descriptors from a more privileged process. In plain terms, the kernel briefly opens a small window where an unprivileged user on the same Linux machine can reach into a privileged program and borrow one of its open connections. The README says the demonstration targets a system service called accounts-daemon. By stealing the daemon's connection to D-Bus, the program then sends commands that change another user account, setting its shell, account type, and password, which promotes the attacker to an administrator with a known password. The author notes that the exploit hardcodes the password it sets and tells anyone building it to edit that value in the source first. It has been tested on Red Hat Enterprise Linux 10 and Fedora 44, where the D-Bus broker exposes its socket on file descriptor number 5. Building and running, according to the README, is just make followed by ptrace_may_dream, with optional flags for the number of retries, the number of threads, and which file descriptor slot to target. The README closes with a joke quoting the kernel: the process is dead, long live the process. The repository has no separate license file mentioned and no other documentation.

prompts (copy fr)

prompt 1
Walk me through what ptrace_may_access does and why the race in CVE-2026-46333 matters
prompt 2
Show me how pidfd_getfd is used to steal a file descriptor in this PoC
prompt 3
Help me build the exploit on a Fedora 44 test VM and read the make output
prompt 4
Explain why FD 5 is the accounts-daemon D-Bus socket and how to verify that
prompt 5
Generate a kernel patch sketch that closes the ptrace_may_access race

Frequently asked questions

what is ptrace_may_dream fr?

A proof-of-concept exploit for CVE-2026-46333, a race in ptrace_may_access that lets a local user steal a file descriptor from accounts-daemon over D-Bus.

What language is ptrace_may_dream written in?

Mainly C. The stack also includes C, Linux, D-Bus.

How hard is ptrace_may_dream to set up?

Setup difficulty is rated hard, with roughly 1day+ to a first successful run.

Who is ptrace_may_dream for?

Mainly researcher.

peek the repo → explain another one

This repo across BitVibe Labs

double-check against the repo, no cap.