Linux bug lets attackers steal SSH host keys

ssh-keysign-pwn Linux – A newly disclosed Linux kernel flaw, dubbed “ssh‑keysign‑pwn” (CVE‑2026‑46333), can be exploited by unprivileged users to read sensitive files—including SSH host private keys and the shadow password file—by abusing OpenSSH’s ssh-keysign helper. Patches are ava
The warning came fast: another Linux security hole is already patched, but many systems still haven’t updated. This time, the risk is unusually direct—attackers may be able to steal SSH host private keys and password hashes without needing a root shell first.
Linux researchers and security firms are pointing to a vulnerability tracked as CVE‑2026‑46333, which Qualys says has existed in some form for about six years. Dubbed “ssh‑keysign‑pwn,” it targets an information-disclosure weakness inside the kernel’s ptrace access checks, leaving a narrow window where a process’s still-open file descriptors can be grabbed and sensitive files accessed.
Qualys’ central claim is that the flaw lives in the kernel’s __ptrace_may_access() logic that runs as processes exit. Under certain conditions, Linux skips the usual “dumpable” checks after a process has dropped its memory mapping. In that moment, another process can steal file descriptors that it normally shouldn’t be able to reach.
The nickname “ssh‑keysign‑pwn” comes from a key exploitation path: abusing OpenSSH’s ssh-keysign helper binary. The ssh-keysign binary is typically setuid root for host-based authentication, and it opens SSH host keys before dropping privileges to finish its work. The result, as security researchers describe it, is that ordinary users may be able to quietly exfiltrate high-value secrets from the system.
Taken by itself, the bug doesn’t hand over a full root shell. But it can act as a building block for lateral movement and long-term persistence. With stolen SSH host keys, attackers can potentially impersonate machines in host-based trust relationships. And by accessing the shadow password file, they can attempt offline password cracking and reuse credentials across systems.
Linux kernel maintainer Linus Torvalds has also weighed in on why the flaw exists, describing the problematic logic as an “odd special case.” In his explanation, he said ptrace_may_access() uses the “dumpable” flag for checks that are independent of the memory-management logic it was meant to support—particularly for threads that no longer have a VM. “It’s not what this flag was designed for, but it is what it is,” Torvalds wrote.
What makes the issue urgent is that Qualys demonstrated a proof-of-concept exploit that can be triggered reliably in practice. The exploit path combines the logic error with the pidfd_getfd(2) system call, allowing unprivileged users to reach into privileged processes that are shutting down, grab their still-open file descriptors, and then read from files that would normally be limited to root.
The patch situation is improving, but the clock is ticking for users who haven’t updated. Linux stable maintainer Greg Kroah‑Hartman has already rolled out fixes across multiple supported branches, including new releases: 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, and 5.10.256. These releases carry the ssh‑keysign‑pwn fix.
As for exposure, the flaw affects Linux kernels released before May 14, 2026. Until patches land widely in the distributions people rely on day to day, security teams have been discussing mitigations that come with trade-offs.
One quick workaround is tightening Linux’s Yama ptrace restrictions by setting:
sysctl kernel.yama.ptrace_scope=2
Qualys and other security guidance note that this can block the exploit by disabling ptrace for non-root users, but it can also disrupt debugging and monitoring workflows—particularly for developer teams.
Another mitigation is to reduce exposure by disabling host-based SSH authentication and the ssh-keysign helper when they aren’t needed. Researchers say that removes a primary avenue for stealing host keys, but it also takes away an SSH feature that many Linux systems may not be able to do without.
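As an added example (not code from Qualys, OpenSSH or the kernel project) that ties together the fixed kernel releases listed above and the ptrace_scope workaround: a POSIX shell check that classifies a host as patched, mitigated, vulnerable or unknown from its kernel version string and its Yama ptrace_scope value. It assumes the listed releases are the first fixed version on each stable branch, and reads the standard sysctl path /proc/sys/kernel/yama/ptrace_scope when run stand-alone.

```shell
#!/bin/sh
# Added check script (not from Qualys, OpenSSH or the kernel project): reports
# whether a host is covered against CVE-2026-46333 by a fixed stable kernel
# (the releases listed in the article) or by the ptrace_scope=2 workaround.

# First fixed release per stable branch, from the article; assumed that every
# later release on the same branch also carries the fix.
FIXED_VERSIONS="7.0.8 6.18.31 6.12.89 6.6.139 6.1.173 5.15.207 5.10.256"

# vercmp A B: prints -1, 0 or 1 for dotted numeric versions (missing parts = 0).
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$x" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$y" = "$b" ]; then b=''; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
    done
    echo 0
}

# kernel_is_fixed VERSION: 0 = fixed, 1 = vulnerable, 2 = branch not in the list.
kernel_is_fixed() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop "-1-amd64", "+" etc.
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    for f in $FIXED_VERSIONS; do
        fmaj=${f%%.*}; frest=${f#*.}; fmin=${frest%%.*}
        if [ "$fmaj" = "$major" ] && [ "$fmin" = "$minor" ]; then
            if [ "$(vercmp "$v" "$f")" -ge 0 ]; then return 0; else return 1; fi
        fi
    done
    return 2
}

# assess KVER SCOPE: prints patched, mitigated, vulnerable or unknown.
assess() {
    kernel_is_fixed "$1" && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then echo patched; return 0; fi
    # ptrace_scope 2 (or 3) disables ptrace for non-root users, blocking the exploit path
    if [ "${2:-0}" -ge 2 ] 2>/dev/null; then echo mitigated; return 0; fi
    if [ "$rc" -eq 1 ]; then echo vulnerable; else echo unknown; fi
}

# Stand-alone run: a missing Yama sysctl is treated as scope 0 (no restriction).
kver=$(uname -r)
scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo 0)
printf 'kernel %s, ptrace_scope %s: %s\n' "$kver" "$scope" "$(assess "$kver" "$scope")"
```

A result of "unknown" means the running branch is not one of the seven listed, so the distribution's own advisory has to decide; "mitigated" still means the kernel should be updated, since the workaround only blocks the ptrace path.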
For now, the message from defenders is simple: update as soon as your distro provides the patched kernel. Without it, the combination of ptrace logic, process-exit timing, and file-descriptor theft gives an attacker a quiet route to secrets that matter.