Follow ZDNET: Add us as a preferred source on Google.
ZDNET’s key takeaways
- Another day, another Linux bug.
- There is a patch out now.
- However, it’s not available yet in most distros.
Linux’s latest kernel flaw doesn’t have a fancy name; it’s just called “ssh‑keysign‑pwn.” It’s the fourth high‑profile local security hole to hit Linux in just a few weeks. This one enables ordinary users to quietly read some of the most sensitive files on a system, including Secure Shell (SSH) host private keys and the shadow password file.
The vulnerability gets its “ssh‑keysign‑pwn” nickname from one of the main exploitation paths: abusing OpenSSH’s ssh-keysign helper binary. Keysign -keysign is used for host‑based authentication and typically runs setuid root, opening the system’s SSH host keys before dropping privileges to complete its work.
Also: The third major Linux kernel flaw in two weeks has been found – thanks to AI
Just what we needed. Another annoying and potentially dangerous Linux bug.
The flaw explained
Security researchers at security company Qualys disclosed CVE‑2026‑46333, an information‑disclosure vulnerability in the Linux kernel’s ptrace access check. Qualys claims it has existed in one form or another for about six years.
The flaw sits in the __ptrace_may_access() logic that runs as processes exit. Under certain conditions, the kernel skips normal “dumpable” checks once a process has dropped its memory mapping. This opens a brief window for another process to steal its file descriptors.
While ssh‑keysign‑pwn doesn’t hand over a full root shell by itself, the ability to exfiltrate host keys and password hashes is a powerful building block for lateral movement and long‑term persistence. In addition, with stolen SSH host keys, attackers can impersonate machines in host‑based trust relationships. With access to the shadow password directory, they can attempt offline password cracking and reuse those credentials across systems.
Also: Linux is getting a security wake-up call – why it was inevitable, and I’m not worried
Just what we always needed. A persistent hack that can keep stealing keys and passwords.
In his patch, Linus Torvalds explained the problem exists because “We have one odd special case: ptrace_may_access() uses ‘dumpable’ to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It’s not what this flag was designed for, but it is what it is.”
What that means for you and me is that by combining this logic error with the pidfd_getfd(2) system call, unprivileged users can reach into privileged processes that are in the middle of shutting down, grab their still‑open file descriptors, and then read from files that would normally be accessible only to root.
That wouldn’t be a big deal except that Qualys has shown via a proof‑of‑concept (PoC) exploit that the bug can be triggered reliably in practice, not just in theory. The good news is the fix is in. Linux stable maintainer Greg Kroah‑Hartman has already rolled out updates across multiple supported branches, including new releases such as 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, and 5.10.256, all of which carry the ssh‑keysign‑pwn fix.
What you need to do
You’ll want to move to one of these kernels ASAP. This hole affects all Linux kernels released before May 14, 2026. Otherwise, as one tired member of the Manjaro Linux team put it, “Don’t run your PC if you don’t need it. Lock yourself in and look over your shoulder.” Well, that’s certainly one way of dealing with it!
Also: How to learn Claude Code for free with Anthropic’s AI courses
Until patched kernels are widely available, security teams do have some mitigation options, but each comes with trade‑offs.
One quick and dirty workaround is to tighten Linux’s Yama ptrace restrictions by setting it with the command:
sysctl kernel.yama.ptrace_scope=2.
This disables ptrace for non‑root users and blocks the exploit, but it also breaks many debugging and monitoring workflows. This is not ideal for developer workflows.
You can also reduce exposure by disabling host‑based SSH authentication and the ssh-keysign helper entirely on systems where they are not needed. This removes a primary avenue for stealing host keys. However, this also stops SSH in its tracks, which for many Linux systems is a non-starter.
Me? I’m going to be monitoring my systems and hoping the distros I use every day — Linux Mint, Ubuntu, AlmaLinux, openSUSE, and Rocky Linux — get patched by the end of the weekend.