The 4th Linux kernel flaw this month can lead to stolen SSH host keys

· Source: News and Advice on the World's Latest Innovations | ZDNET · Field: Technology & Digital — Cybersecurity & Data Privacy, Software Development & Engineering, Cloud Computing & IT Infrastructure · Depth: Advanced, short

Summary

A new Linux kernel vulnerability, dubbed "ssh-keysign-pwn" (CVE-2026-46333), allows unprivileged users to read sensitive system files, including SSH host private keys and the shadow password file. Disclosed by Qualys, this information-disclosure flaw has existed for approximately six years in the `__ptrace_may_access()` logic. The attack exploits a brief window during process exit in which the kernel skips the "dumpable" check, letting a malicious process take file descriptors from privileged processes. It does not yield a root shell directly, but exfiltrating host keys and password hashes facilitates lateral movement and persistence. Linus Torvalds has issued a patch (commit `31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a`), and updates are available in kernel versions 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, and 5.10.256; all kernels released before May 14, 2026 are affected.

Key takeaway

For CTOs and VPs of Engineering overseeing Linux environments: prioritize immediate kernel updates to version 7.0.8 or a later fixed release to mitigate CVE-2026-46333. If immediate patching isn't feasible, consider temporary mitigations such as setting the sysctl `kernel.yama.ptrace_scope=2` or disabling host-based SSH authentication, bearing in mind their impact on debugging and system functionality. Your teams should monitor distro updates closely and prepare for rapid deployment to prevent sensitive data exfiltration.
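As an added example, not code from the ZDNET article or from Qualys, the following POSIX shell script turns the takeaway above into a check a DevOps engineer can run on a host: it compares the running kernel against the fixed releases listed in the summary and reads the Yama `ptrace_scope` value the article suggests as a stop-gap. The branch table and the threshold value 2 come from the article; the function names are my own, and the value 3 is accepted as well because Yama's scope 3 is stricter than 2. One caveat: many distributions backport fixes without bumping the upstream version number, so a "below the fixed release" result is a prompt to consult your distro's advisory, not a final verdict.

```shell
#!/bin/sh
# Added example (not from the ZDNET article): kernel-version and Yama ptrace_scope
# check for CVE-2026-46333. FIXED_VERSIONS lists the fixed releases the article
# gives, one per stable branch, as "major.minor.patch".
FIXED_VERSIONS="7.0.8 6.18.31 6.12.89 6.6.139 6.1.173 5.15.207 5.10.256"

# kernel_is_fixed VERSION
#   Returns 0 if VERSION (e.g. "6.6.140-generic") is at or above the fixed release
#   for its major.minor branch, 1 if it is below it, and 2 if the branch is not in
#   the list (status unknown, which is not the same as safe).
kernel_is_fixed() {
  ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop "-generic", "+", etc.
  maj=$(printf '%s' "$ver" | cut -d. -f1)
  min=$(printf '%s' "$ver" | cut -d. -f2)
  pat=$(printf '%s' "$ver" | cut -d. -f3)
  [ -n "$pat" ] || pat=0
  for f in $FIXED_VERSIONS; do
    fmaj=${f%%.*}
    rest=${f#*.}
    fmin=${rest%%.*}
    fpat=${rest#*.}
    if [ "$maj" = "$fmaj" ] && [ "$min" = "$fmin" ]; then
      [ "$pat" -ge "$fpat" ] && return 0
      return 1
    fi
  done
  return 2
}

# ptrace_scope_mitigated VALUE
#   Returns 0 if the Yama ptrace_scope VALUE is the 2 the article suggests (3 is
#   stricter and also qualifies), 1 otherwise, including "unavailable", which means
#   the Yama sysctl is not present on this kernel.
ptrace_scope_mitigated() {
  case "$1" in
    2|3) return 0 ;;
    *)   return 1 ;;
  esac
}

# report VERSION SCOPE
#   Prints one status line per check; always returns 0 so it is safe under set -e.
report() {
  rc=0
  kernel_is_fixed "$1" || rc=$?
  case $rc in
    0) echo "kernel $1: at or above the fixed release for its branch" ;;
    1) echo "kernel $1: BELOW the fixed release; check your distro advisory for a backport" ;;
    *) echo "kernel $1: branch not in the fixed-release list; status unknown" ;;
  esac
  if ptrace_scope_mitigated "$2"; then
    echo "yama ptrace_scope=$2: the article's suggested stop-gap is in place"
  else
    echo "yama ptrace_scope=$2: the article's suggested stop-gap (2) is not in place"
  fi
  return 0
}

# Run against the live system; /proc/sys/kernel/yama/ptrace_scope is the standard
# location of the Yama sysctl on kernels built with Yama.
report "$(uname -r)" "$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo unavailable)"
```

Run it with `sh check-cve-2026-46333.sh` on each host, or feed the two values from your inventory system into `report` if you collect `uname -r` and sysctl state centrally.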

Key insights

A long-standing Linux kernel flaw allows unprivileged users to steal sensitive data via `ptrace` during process shutdown.

Method

The vulnerability combines a `__ptrace_may_access()` logic error with the `pidfd_getfd(2)` system call to grab file descriptors from privileged processes as they shut down, enabling unauthorized file access.

Best for: CTO, VP of Engineering/Data, Security Engineer, DevOps Engineer, IT Professional

Editorial summary, takeaway, and curation by AIssential. Original article published by News and Advice on the World's Latest Innovations | ZDNET.