ssh-keysign-pwn: A Six-Year-Old Linux Kernel Flaw Lets Unprivileged Users Read Root-Owned Files
Qualys researchers have disclosed CVE-2026-46333, a logic bug in the Linux kernel’s ptrace subsystem that allows any local user to silently steal SSH host private keys and password hashes — marking the fourth major Linux kernel security incident in three weeks.
All Linux kernels released before May 14, 2026 are affected. Patched stable kernels are now available. Apply the sysctl mitigation immediately if you cannot reboot to an updated kernel.
Overview
Researchers at Qualys have publicly disclosed a serious information-disclosure vulnerability in the Linux kernel, tracked as CVE-2026-46333 and named ssh-keysign-pwn after one of its two public proof-of-concept exploits. The flaw enables an unprivileged local user to read files that should be accessible only to root — most critically, SSH host private keys stored in /etc/ssh/ and password hashes in /etc/shadow.
The underlying bug has existed in the kernel for approximately six years. A nearly identical patch was drafted by Google security researcher Jann Horn in 2020, but it was never merged upstream. Qualys independently rediscovered the issue in 2026, and Linus Torvalds committed the fix on May 14, 2026 (commit 31e62c2ebbfd), the same day the advisory went public.
“ptrace_may_access() uses ‘dumpable’ to check various other things entirely independently of the MM — including for threads that no longer have a VM, and maybe never did, like most kernel threads. It’s not what this flag was designed for, but it is what it is.” — Linus Torvalds, commit 31e62c2ebbfd
The Vulnerability Explained
The bug lives in __ptrace_may_access(), the kernel function that gates whether one process may inspect another. When a process exits, the kernel’s do_exit() function runs exit_mm() — releasing the process’s memory descriptor — before it runs exit_files(), which closes open file descriptors.
In that narrow window, the target process has task->mm == NULL but still holds its open file descriptors. Critically, __ptrace_may_access() performs its "dumpable" check by looking at task->mm, so when mm is NULL that check is skipped entirely and only the credential comparison remains. A setuid-root helper that has dropped every UID back to the caller's, as ssh-keysign does after opening the host key files, passes that comparison; the setuid transition that marked it non-dumpable no longer has any effect on the decision. An unprivileged attacker who shares the UID of the dying process can therefore obtain a pidfd for it with pidfd_open(2) and call pidfd_getfd(2) during this window to duplicate any of its open file descriptors, including descriptors on root-owned files that the privileged binary opened before dropping privileges.
Two privileged binaries are the primary attack targets: ssh-keysign, a setuid-root OpenSSH helper that opens SSH host private key files during host-based authentication, and chage, a setuid utility that opens /etc/shadow to manage password aging. The exploits race against the normal exit of these programs — no unusual configuration on the privileged side is required.
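The access decision described above, reduced to a user-space model so the exit window can be reasoned about. This is an added example, not kernel code and not commit 31e62c2ebbfd: it mirrors the shape of __ptrace_may_access() as the text describes it (compare credentials, then check dumpability, where the vulnerable shape only performs the second step when the task still has an mm) and walks the do_exit() ordering of exit_mm() before exit_files(). The "hardened" variant shows the effect of consulting a flag that does not live on the mm, which is the direction the quoted commit message points at, but it is illustrative only. The struct names, the task_dumpable flag, the helper simulation and the UIDs are assumptions made for this model.

```c
/*
 * Added example: a user-space model of the access check described above.
 * Not kernel code and not commit 31e62c2ebbfd; it mirrors the shape of
 * __ptrace_may_access(): compare credentials, then check dumpability,
 * which the vulnerable shape only does when task->mm is non-NULL.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { SUID_DUMP_DISABLE = 0, SUID_DUMP_USER = 1 }; /* the kernel's values */

struct mm_model { int dumpable; };              /* what get_dumpable(mm) reports */

struct task_model {                             /* assumed, minimal stand-in for task_struct */
    unsigned uid, euid, suid;                   /* real, effective, saved UID */
    struct mm_model *mm;                        /* NULL once exit_mm() has run */
    bool files_open;                            /* false once exit_files() has run */
    bool task_dumpable;                         /* hypothetical task-level flag (hardened model only) */
};

typedef int (*access_check)(unsigned caller_uid, bool caller_cap_sys_ptrace,
                            const struct task_model *t);

static bool creds_match(unsigned caller_uid, const struct task_model *t)
{
    return caller_uid == t->uid && caller_uid == t->euid && caller_uid == t->suid;
}

/* Vulnerable shape: dumpability hangs off task->mm, so a NULL mm skips it. */
int may_access_vulnerable(unsigned caller_uid, bool cap, const struct task_model *t)
{
    if (!creds_match(caller_uid, t) && !cap)
        return -EPERM;
    if (t->mm && t->mm->dumpable != SUID_DUMP_USER && !cap)
        return -EPERM;                          /* never evaluated when mm == NULL */
    return 0;
}

/* Hardened shape (illustrative, not the upstream patch): the flag is read
 * from the task, so it survives exit_mm() and cannot be skipped. */
int may_access_hardened(unsigned caller_uid, bool cap, const struct task_model *t)
{
    if (!creds_match(caller_uid, t) && !cap)
        return -EPERM;
    if (!t->task_dumpable && !cap)
        return -EPERM;
    return 0;
}

/* Model of a setuid-root helper after it opened root-owned files and dropped
 * every UID to the caller's. The setuid transition clears dumpability. */
static void setuid_helper_after_privdrop(struct task_model *t, struct mm_model *mm,
                                         unsigned helper_uid)
{
    t->uid = t->euid = t->suid = helper_uid;
    t->mm = mm;
    mm->dumpable = SUID_DUMP_DISABLE;
    t->task_dumpable = false;
    t->files_open = true;
}

/* Walk do_exit() ordering, exit_mm() then exit_files(), for a helper that
 * dropped to helper_uid, and report whether a caller running as attacker_uid
 * is denied while the helper runs yet allowed at a moment when the helper
 * has no mm but still holds its file descriptors. */
bool exit_window_exploitable(access_check check, unsigned attacker_uid, unsigned helper_uid)
{
    struct mm_model mm;
    struct task_model t;
    setuid_helper_after_privdrop(&t, &mm, helper_uid);

    bool allowed_while_running = check(attacker_uid, false, &t) == 0;

    t.mm = NULL;                                /* exit_mm() */
    bool allowed_in_window = check(attacker_uid, false, &t) == 0 && t.files_open;

    t.files_open = false;                       /* exit_files(): nothing left to grab */

    return !allowed_while_running && allowed_in_window;
}

int main(void)
{
    printf("vulnerable check exploitable in exit window: %s\n",
           exit_window_exploitable(may_access_vulnerable, 1000, 1000) ? "yes" : "no");
    printf("hardened check exploitable in exit window:   %s\n",
           exit_window_exploitable(may_access_hardened, 1000, 1000) ? "yes" : "no");
    return 0;
}
```

The model makes the two halves of the bug visible: while the helper runs, the cleared dumpability flag blocks a same-UID caller, and the moment exit_mm() has run that flag is unreachable, while the descriptors opened as root are still in the table until exit_files() runs. A caller with a different UID is refused at both stages by the credential comparison, which is why the attacker must share the UID the helper dropped to.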
What an Attacker Can Do
This vulnerability is classified as information disclosure, not direct privilege escalation. An attacker does not gain a root shell immediately. However, the data that can be exfiltrated is highly sensitive:
A stolen SSH host private key lets an attacker impersonate the affected server to any client that already has that host key in its known_hosts, enabling man-in-the-middle attacks, and, where host-based authentication is in use, authenticate as that host to other machines that trust it. Any machine that has a trust relationship with the compromised server is put at risk. Password hashes from /etc/shadow can be subjected to offline cracking, and cracked credentials may be reused across other systems in the environment.
Working proof-of-concept code — sshkeysign_pwn and chage_pwn — was published publicly by the researcher “_SiCk” hours after the advisory, and has been confirmed to work on Debian, Ubuntu, Arch Linux, CentOS, and Raspberry Pi OS.
Timeline
- 2020: Google security researcher Jann Horn drafts a patch for the mm == NULL dumpable-check issue. The patch is never merged upstream.
- 2026: Qualys independently rediscovers the bug.
- May 14, 2026: Qualys publishes the CVE-2026-46333 advisory; Linus Torvalds commits the fix, 31e62c2ebbfd, the same day. Public PoC exploits are released by "_SiCk" hours after the advisory.
Who Is Affected
All Linux kernels released before May 14, 2026 are affected. The exploit depends on the pidfd_getfd(2) system call, which was introduced in kernel 5.6. Systems running older kernels (such as CloudLinux 7h and CloudLinux 8 on 4.18) are not exploitable by the current public proof-of-concept, although the underlying race condition is still present.
The vulnerability has been confirmed on mainstream distributions including Debian, Ubuntu, Arch Linux, CentOS, and Raspberry Pi OS. Any multi-user Linux system — particularly servers accessible to non-administrative accounts — should be considered at risk.
Mitigation and Remediation
Update to a patched kernel (7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, or 5.10.256) and reboot. Until then, apply the sysctl workaround below.
Immediate sysctl workaround: tightening the Linux Yama ptrace scope (the kernel.yama.ptrace_scope sysctl) blocks all known public exploits, because pidfd_getfd(2)'s permission check routes through __ptrace_may_access(), which ends by consulting the Yama LSM hook.
Setting ptrace_scope=3 disables ptrace attach entirely and, once set, cannot be lowered again without a reboot. If your environment requires ptrace for debugging (e.g., gdb -p, strace -p), use ptrace_scope=2 instead, which restricts attach to processes holding CAP_SYS_PTRACE while still blocking the known exploits. The value 1 (the Ubuntu default) is not sufficient: it still permits access to descendant processes, and the published exploits race a helper the attacker launched. Persist whichever value you choose in a file under /etc/sysctl.d/ so it survives a reboot. This is a workaround, not a fix, and other paths to the same bug may exist.
- Update to a patched stable kernel and reboot. Most effective. KernelCare users on supported CloudLinux versions can receive a live patch without rebooting.
- Set kernel.yama.ptrace_scope to 2 or 3. Blocks all known PoCs. May break non-root debugger workflows. Apply as defense-in-depth even after patching.
- Remove the SUID bit from /usr/libexec/openssh/ssh-keysign and /usr/bin/chage. Covers known PoC targets only; does not address the underlying bug class.
- Caged tenants cannot reach the SUID target binaries. Effective for hosted users; does not protect host root or non-caged administrative accounts.
Note: the sysctl workaround for ssh-keysign-pwn is separate from mitigations applied for Copy Fail, Dirty Frag, and Fragnesia. Those earlier mitigations (module blacklists, page cache drops) do not protect against CVE-2026-46333.
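To confirm the ptrace_scope workaround on a given host, the following added example (not part of the advisory, the published PoCs, or any project) exercises the primitive those PoCs depend on, pidfd_getfd(2), against a cooperating child of the same UID and reports how the kernel's access check answered. Run it as an unprivileged user before and after changing kernel.yama.ptrace_scope: with scope 0 or 1 the grab succeeds (the child is a descendant), with scope 2 or 3 it fails with EPERM, and on kernels older than 5.6 it fails with ENOSYS. The temporary file location, the marker string and the fallback syscall numbers are assumptions made here.

```c
/*
 * Added example, not from the advisory or the published PoCs: exercise the
 * primitive those PoCs rely on, pidfd_getfd(2), against a cooperating child
 * of the same UID and report the kernel's access-check verdict. Use it to
 * confirm that kernel.yama.ptrace_scope=2 or 3 blocks the primitive on a host.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>

extern long syscall(long number, ...);  /* glibc's prototype, repeated in case headers predate _GNU_SOURCE */

/* Both numbers were allocated after the unified syscall table, so they are
 * the same on every architecture; defined here only if the headers lack them. */
#ifndef SYS_pidfd_open
#define SYS_pidfd_open 434
#endif
#ifndef SYS_pidfd_getfd
#define SYS_pidfd_getfd 438
#endif

/* Constructed marker: the child writes it, the parent must read it back
 * through the duplicated descriptor for the grab to count as successful. */
static const char MARKER[] = "constructed-secret-for-demo\n";

/*
 * Returns 0 when the parent duplicated the child's descriptor and read
 * MARKER through it; otherwise -errno from the failing step:
 *   -EPERM  : ptrace_may_access() refused (ptrace_scope >= 2 for non-root)
 *   -ENOSYS : the kernel predates pidfd_getfd(2), i.e. is older than 5.6
 */
int grab_child_fd(void)
{
    int sync[2], done[2];               /* child->parent: fd number; parent->child: release */
    int child_fd = -1, pidfd = -1, stolen = -1, ret = 0;

    if (pipe(sync) < 0 || pipe(done) < 0)
        return -errno;

    pid_t pid = fork();
    if (pid < 0)
        return -errno;

    if (pid == 0) {                                     /* child: open a file, then wait */
        char path[] = "/tmp/keysign-demo-XXXXXX";       /* assumed writable location */
        int fd = mkstemp(path);
        if (fd < 0)
            _exit(1);
        unlink(path);                                   /* the open fd is now the only reference */
        if (write(fd, MARKER, sizeof MARKER - 1) != (ssize_t)(sizeof MARKER - 1))
            _exit(1);
        close(sync[0]); close(done[1]);
        if (write(sync[1], &fd, sizeof fd) != sizeof fd)
            _exit(1);
        char c;
        (void)!read(done[0], &c, 1);                    /* block until the parent is finished */
        _exit(0);
    }

    close(sync[1]); close(done[0]);
    if (read(sync[0], &child_fd, sizeof child_fd) != sizeof child_fd) {
        ret = -EIO;
    } else if ((pidfd = (int)syscall(SYS_pidfd_open, (long)pid, 0L)) < 0) {
        ret = -errno;
    } else if ((stolen = (int)syscall(SYS_pidfd_getfd, (long)pidfd, (long)child_fd, 0L)) < 0) {
        ret = -errno;                                   /* the check that routes through __ptrace_may_access() */
    } else {
        char buf[sizeof MARKER] = {0};
        /* pread: the duplicated descriptor shares the child's file offset. */
        if (pread(stolen, buf, sizeof MARKER - 1, 0) != (ssize_t)(sizeof MARKER - 1))
            ret = -EIO;
        else if (strcmp(buf, MARKER) != 0)
            ret = -EIO;
        close(stolen);
    }
    if (pidfd >= 0)
        close(pidfd);

    (void)!write(done[1], "x", 1);                      /* release the child */
    close(done[1]); close(sync[0]);
    waitpid(pid, NULL, 0);
    return ret;
}

/* The three verdicts a correctly behaving kernel can legitimately give. */
bool grab_outcome_expected(int rc)
{
    return rc == 0 || rc == -EPERM || rc == -ENOSYS;
}

int main(void)
{
    int rc = grab_child_fd();
    if (rc == 0)
        puts("pidfd_getfd allowed: ptrace_scope is 0 or 1, the primitive is reachable");
    else
        printf("pidfd_getfd blocked: %s\n", strerror(-rc));
    return rc == 0 ? 1 : 0;         /* non-zero exit means the workaround is not in effect */
}
```

Set the scope with sysctl -w kernel.yama.ptrace_scope=2 (or 3), rerun the program, and persist the value in /etc/sysctl.d/ once you are satisfied. The program reads through the duplicated descriptor with pread(2) because pidfd_getfd(2) duplicates the file description, so a plain read(2) would share the child's offset; a stolen descriptor on a host key file would be read the same way.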
A Note on Scope
Disabling host-based SSH authentication removes the ssh-keysign attack vector specifically, but has no effect on the broader bug. Standard SSH connections using public-key or password authentication are unaffected by disabling host-based auth — contrary to some early reports, turning off ssh-keysign does not “halt SSH connections altogether.”
Context: A Difficult Month for the Linux Kernel
CVE-2026-46333 is the fourth significant local security issue requiring attention in under three weeks. Copy Fail, Dirty Frag, and Fragnesia all belong to a different bug class — they write attacker-controlled bytes into the kernel page cache to modify privileged binaries in memory. ssh-keysign-pwn is structurally distinct: it involves no writes, no page cache manipulation, and no kernel module loading. The mitigations for the earlier three vulnerabilities provide no protection here.
Security researchers have noted that the accelerating pace of disclosure appears partly driven by AI-assisted code auditing tools surfacing long-dormant bugs. Several of May 2026’s disclosures, including this one, trace back to patch proposals or analyses that were written years ago but never acted upon.
