By rssfeeds-admin 
Tracked as CVE-2026-46333, the flaw has been nicknamed “ssh-keysign-pwn” and impacts a wide range of Linux distributions.
Linux system hit with multiple vulnerabilities in 2026, including Dirty Pipe, io_uring UAF, Copy Fail, io_uring ZCRX Freelist, Dirty Frag, and Fragnesia.
Linux Kernel Vulnerability “ssh-keysign-pwn”
The issue originates in the Linux kernel’s ptrace access control logic, specifically within the __ptrace_may_access() function.
This mechanism is supposed to restrict how processes can inspect or interact with other processes. However, a logic flaw tied to the kernel’s “dumpability” checks creates a dangerous race condition.
In simple terms, when a privileged process (such as ssh-keysign or chage) is shutting down, there is a short window where its memory context is cleared (mm = NULL) but its open file descriptors still exist. During this gap, an unprivileged local attacker can exploit the flaw using pidfd_getfd() to steal those file descriptors.
This effectively bypasses intended permission checks, allowing unauthorized access to sensitive files.
Security researchers, including Qualys, warn that this vulnerability can lead to severe consequences:
- Theft of SSH private keys enables attackers to impersonate systems or users.
- Man-in-the-middle (MitM) attacks until compromised keys are rotated.
- Full read access to /etc/shadow, exposing password hashes for offline cracking.
- Potential lateral movement across infrastructure using stolen credentials.
Because SSH keys are often reused across environments, a single compromised system can cascade into broader network access.
Affected Systems
The vulnerability affects most Linux distributions running kernels before the patch released on May 14, 2026. This includes:
- Ubuntu
- Debian
- Arch Linux
- CentOS
- Raspberry Pi OS
Given that the flaw has reportedly existed for over six years, many long-term deployments may be exposed.
The core issue lies in how the kernel handles processes without a memory context. The “dumpability” flag, originally designed to control core dumps, is reused in ptrace checks, even when it no longer makes logical sense.
When a process exits, its memory is released before its file descriptors are cleaned up. The kernel fails to properly enforce access restrictions during this transitional state, allowing attackers to bypass security boundaries.
The GitHub PoC ssh-keysign-pwn demonstrates exactly how to weaponize this race condition on pre‑31e62c2ebbfd kernels.
The PoC repeatedly spawns attack processes that race against a privileged helper’s exit path, using pidfd_getfd to grab file descriptors to root‑owned files before they are closed.
According to public analysis, the exploit typically succeeds within 100–2000 attempts, making it practical on real systems.
Two core exploitation paths are highlighted:
- Targeting
ssh-keysignto read SSH host private keys from/etc/ssh/ssh_host_{ecdsa,ed25519,rsa}_key - Targeting
chage -l <user>to read/etc/shadowvia a similar file‑descriptor theft pattern
Mitigations
Organizations should act immediately to reduce risk:
- Apply the latest kernel patches that fix CVE-2026-46333.
- Rotate all SSH keys, especially on critical systems.
- Audit access to sensitive files, such as /etc/shadow.
- Monitor for suspicious use of ptrace or pidfd-related system calls.
- Restrict local user access where possible, as exploitation requires local presence.
As a public proof-of-concept (PoC) exploit has already been released on GitHub, it increases the likelihood of active exploitation in the wild. This significantly raises the urgency for patching.
With SSH serving as the backbone of secure access across cloud and enterprise environments, the exposure of private keys poses a high-impact risk that cannot be ignored.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
The post Critical Linux Kernel Flaw ‘ssh-keysign-pwn’ Exposes SSH Keys and Shadow Passwords appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.