A critical Linux kernel local privilege escalation vulnerability dubbed ssh-keysign-pwn, disclosed May 14, 2026, has been traced to a commit dating back to at least 2020. The bug in __ptrace_may_access() can bypass dumpable checks when task->mm is NULL during process exit, letting an unprivileged local user with the same UID steal open file descriptors from privileged processes. Exploits can recover SSH host private keys and /etc/shadow hashes; proof-of-concepts target ssh-keysign and chage. Linus Torvalds issued patches and admins must apply kernel updates immediately. Researchers also used AI code review to help identify the subtle, long-standing commit error.
This vulnerability allows local attackers to steal SSH host keys and /etc/shadow data from privileged processes, undermining server trust and user credentials. Tech professionals must prioritize kernel updates and audit systems for key compromise and unauthorized local access.
Dossier last updated: 2026-05-21 06:26:44
Cyberkendra and Qualys TRU disclosed CVE-2026-46333, a high-severity Linux kernel vulnerability in __ptrace_may_access() that has existed in mainline for nearly nine years. Local low-privilege attackers can exploit a race window in which a privileged process has temporarily dropped its privileges, combined with pidfd_getfd(), to steal open file descriptors and execute commands as root. Qualys published PoCs targeting chage, ssh-keysign, pkexec and accounts-daemon and validated exploits on Debian 13, Ubuntu 24.04/26.04 and Fedora 43/44, including theft of SSH host private keys. Linus Torvalds committed the upstream fix (commit 31e62c2ebbfd) and major distributions — Debian, Fedora, Red Hat, SUSE, AlmaLinux, CloudLinux — have backported patches. The bug underscores urgent patching needs across Linux deployments.
Logic bug in the Linux kernel's __ptrace_may_access() function (CVE-2026-46333)
Qualys disclosed on May 14, 2026 a critical Linux kernel local privilege escalation flaw named ssh-keysign-pwn that dates back at least to 2020. The bug in __ptrace_may_access() can skip dumpable checks when task->mm == NULL during a brief window as a process exits, allowing an unprivileged local user with the same UID to steal open file descriptors from high-privilege processes. Exploits can read SSH host private keys or /etc/shadow hashes; the PoCs provided target ssh-keysign and chage. The issue affects all stable Linux kernels and distributions including Arch, Debian, Ubuntu, CentOS and Raspberry Pi OS. Linus Torvalds released patches on May 14; admins should apply kernel updates immediately to prevent key and credential theft.
@silsrc: Had some spare time today, so I tried having several top AI models review this Linux kernel commit that introduced the problem a few years ago, to see whether they could find the issue. I spotted this problem by "eyeballing" it in passing, while a string of experts had investigated for a long time without finding it, and the whole process of my investigation and fix should have been captured in