Key Takeaways from ZDNET
- A new Linux vulnerability has been identified.
- A patch is now available.
- However, it is not yet distributed across most distributions.
The latest flaw in the Linux kernel is dubbed “ssh‑keysign‑pwn.” This marks the fourth significant local security issue with Linux in just a few weeks. The vulnerability allows standard users to access sensitive files, including Secure Shell (SSH) host private keys and the shadow password file.
The name “ssh‑keysign‑pwn” stems from one of the primary methods of exploitation, which involves abusing OpenSSH’s ssh-keysign helper binary. This binary is used for host-based authentication and typically runs with elevated privileges, exposing the system’s SSH host keys briefly before relinquishing those privileges.
According to researchers from Qualys, the newly revealed CVE‑2026‑46333 is an information-disclosure vulnerability related to the Linux kernel’s ptrace access validation, existing in some capacity for roughly six years.
The vulnerability lies in the __ptrace_may_access() logic, which could allow unauthorized processes to steal file descriptors during the shutdown phase of another process. While this flaw does not provide root access, it enables extraction of host keys and password hashes, facilitating lateral movement and long-term access for attackers.
Linus Torvalds, in his patch, noted the issue arose because of an unusual case where ptrace_may_access() utilizes “dumpable” checks inappropriately for processes closing down. This allows unprivileged users to access privileged processes and read files normally reserved for root.
Recommended Actions
It’s crucial to upgrade to patched Linux kernels immediately, as this vulnerability affects all kernels released before May 14, 2026. Until patches are widely available, there are some mitigations, though each comes with drawbacks. One workaround is tightening Linux’s Yama ptrace restrictions by executing the command:
sysctl kernel.yama.ptrace_scope=2
This disables ptrace for non-root users, effectively blocking the exploit, but it may disrupt essential debugging processes. An alternative is disabling host-based SSH authentication where unnecessary, but that approach could break SSH functionality on many systems.
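As an added example (not from the original article, Qualys, or the kernel patch), the following read-only shell script reports the state of the two mitigations above. It assumes the usual paths /proc/sys/kernel/yama/ptrace_scope, /etc/sysctl.d and /etc/ssh; the function names are illustrative.

```shell
#!/bin/sh
# Added example: read-only audit of the two mitigations described above.
# Paths are parameters so the functions can be run against test fixtures.

# Map a Yama ptrace_scope value to a verdict. The article recommends 2;
# 3 is stricter still (no attach at all). 0 and 1 are below that level.
yama_verdict() {
    case "$1" in
        2|3) echo "restricted" ;;
        0|1) echo "below-recommended" ;;
        *)   echo "unknown" ;;
    esac
}

# Verdict for the running kernel (file is absent when Yama is not built in).
yama_live() {
    f="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    if [ -r "$f" ]; then yama_verdict "$(cat "$f")"; else echo "unknown"; fi
}

# "sysctl name=value" does not survive a reboot. Report whether any drop-in
# in the given directory sets the value to 2 or 3.
# Limitation: /etc/sysctl.conf and other sysctl directories are not checked.
yama_persisted() {
    d="${1:-/etc/sysctl.d}"
    pat='^[[:space:]]*kernel\.yama\.ptrace_scope[[:space:]]*=[[:space:]]*[23][[:space:]]*$'
    if grep -Eqs "$pat" "$d"/*.conf; then echo "yes"; else echo "no"; fi
}

# HostbasedAuthentication value in an OpenSSH config file (sshd_config or
# ssh_config). OpenSSH uses the first value it reads; the default is "no".
# Limitation: Include files and Match/Host blocks are not followed.
hostbased_setting() {
    [ -r "$1" ] || { echo "unreadable"; return 0; }
    awk -F'[ \t=]+' '{ sub(/^[ \t]+/, "") }
        tolower($1) == "hostbasedauthentication" { print tolower($2); hit = 1; exit }
        END { if (!hit) print "no" }' "$1"
}

audit() {
    echo "yama ptrace_scope (live):     $(yama_live)"
    echo "yama setting persisted:       $(yama_persisted)"
    echo "sshd HostbasedAuthentication: $(hostbased_setting /etc/ssh/sshd_config)"
    echo "ssh  HostbasedAuthentication: $(hostbased_setting /etc/ssh/ssh_config)"
}

audit
```

A "below-recommended" live value or a "no" for persistence means the sysctl workaround is either not applied or will be lost at the next reboot.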
Personally, I will keep an eye on my systems, hoping that the distributions I rely on—Linux Mint, Ubuntu, AlmaLinux, openSUSE, and Rocky Linux—receive the necessary patches soon.

