The 4th Linux kernel flaw this month can lead to stolen SSH host keys
Summary
A new Linux kernel vulnerability, dubbed "ssh-keysign-pwn" (CVE-2026-46333), allows unprivileged users to read sensitive system files, including SSH host private keys and the shadow password file. Disclosed by Qualys, this information-disclosure flaw has existed for approximately six years within the `__ptrace_may_access()` logic. The flaw opens a brief window during process exit when the kernel skips "dumpable" checks, enabling a malicious process to steal file descriptors from privileged processes. While it does not provide a root shell directly, the ability to exfiltrate host keys and password hashes facilitates lateral movement and persistence. Linus Torvalds has issued a patch (commit `31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a`), and fixes are available in kernel versions 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, and 5.10.256. All kernels released before May 14, 2026 are affected.
Key takeaway
For CTOs and VPs of Engineering overseeing Linux environments: prioritize immediate kernel updates to versions 7.0.8 or newer to mitigate CVE-2026-46333. If immediate patching isn't feasible, consider temporary mitigations such as setting `sysctl kernel.yama.ptrace_scope=2` or disabling host-based SSH authentication, and understand their impact on debugging and system functionality. Your teams should monitor distro updates closely and prepare for rapid deployment to prevent sensitive data exfiltration.
Key insights
A long-standing Linux kernel flaw allows unprivileged users to steal sensitive data via `ptrace` during process shutdown.
Principles
- Kernel logic errors can create brief, exploitable windows.
- Information disclosure can be a powerful building block for attacks.
Method
The vulnerability combines a `__ptrace_may_access()` logic error with the `pidfd_getfd(2)` system call to grab file descriptors from privileged processes as they shut down, enabling unauthorized file access.
In practice
- Update Linux kernels to patched versions immediately.
- Set `kernel.yama.ptrace_scope=2` as a temporary mitigation.
- Disable host-based SSH authentication if not essential.
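A host triage check for the first two items above, as an added example that is not from the original article or from Qualys. It compares the running kernel with the fixed releases listed in the summary and reports the current Yama setting. The function names are hypothetical, and the comparison assumes upstream version numbering, so a distribution kernel with a backported fix can still show as `vulnerable`.

```sh
#!/bin/sh
# Added example: triage a host against the fixed releases named in the summary.
# Upstream version comparison only; distro backports are not detected (assumption).

# "branch:first fixed patch level", copied from the summary above.
FIXED="7.0:8 6.18:31 6.12:89 6.6:139 6.1:173 5.15:207 5.10:256"

# kernel_status RELEASE -> patched | vulnerable | unlisted-branch | unparsable
kernel_status() {
    ver=${1%%-*}            # drop distro suffix such as "-generic"
    ver=${ver%%+*}          # drop local-version suffix such as "+deb13"
    case "$ver" in
        ''|*[!0-9.]*) echo unparsable; return ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    major=$1 minor=$2 patch=${3:-0}
    [ -n "$major" ] && [ -n "$minor" ] || { echo unparsable; return; }
    for entry in $FIXED; do
        if [ "$major.$minor" = "${entry%%:*}" ]; then
            if [ "$patch" -ge "${entry##*:}" ]; then echo patched; else echo vulnerable; fi
            return
        fi
    done
    echo unlisted-branch    # branch not in the summary's list: check the vendor advisory
}

# yama_status VALUE -> restricted | permissive | unknown
yama_status() {
    case "$1" in
        2|3) echo restricted ;;   # 2 is the value the summary recommends; 3 is stricter
        0|1) echo permissive ;;
        *)   echo unknown ;;      # Yama not built in, or file unreadable
    esac
}

# Report for the running host.
release=$(uname -r)
scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo absent)
echo "kernel $release: $(kernel_status "$release")"
echo "kernel.yama.ptrace_scope=$scope: $(yama_status "$scope")"
```

An `unlisted-branch` result means the summary gives no fixed release for that series, so the vendor's advisory is the authority for that host.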
Topics
- Linux Kernel Vulnerability
- CVE-2026-46333
- SSH Host Keys
- ptrace Access Check
- Information Disclosure
Best for: CTO, VP of Engineering/Data, Security Engineer, DevOps Engineer, IT Professional
Editorial summary, takeaway, and curation by AIssential. Original article published by News and Advice on the World's Latest Innovations | ZDNET.