The 4th Linux kernel flaw this month can lead to stolen SSH host keys


ZDNET’s key takeaways

  • Another day, another Linux bug.
  • There's a patch out now.
  • However, it isn't available yet in most distros.

Linux's latest kernel flaw doesn't have an elaborate name; it's simply called "ssh-keysign-pwn." It's the fourth high-profile local security hole to hit Linux in just a few weeks. This one lets ordinary users quietly read some of the most sensitive files on a system, including Secure Shell (SSH) host private keys and the shadow password file.

The vulnerability gets its "ssh-keysign-pwn" nickname from one of the main exploitation paths: abusing OpenSSH's ssh-keysign helper binary. ssh-keysign is used for host-based authentication and normally runs setuid root, opening the system's SSH host keys before dropping privileges to finish its work.

Just what we needed. Another annoying and potentially dangerous Linux bug.

The flaw explained

Security researchers at Qualys disclosed CVE-2026-46333, an information-disclosure vulnerability in the Linux kernel's ptrace access check. Qualys says it has existed in one form or another for about six years.

The flaw sits in the __ptrace_may_access() logic that runs as processes exit. Under certain conditions, the kernel skips the normal "dumpable" checks once a process has dropped its memory mapping. This opens a brief window for another process to steal its file descriptors.

While ssh-keysign-pwn doesn't hand over a full root shell by itself, the ability to exfiltrate host keys and password hashes is a powerful building block for lateral movement and long-term persistence. With stolen SSH host keys, attackers can impersonate machines in host-based trust relationships. With access to the shadow password file, they can attempt offline password cracking and reuse those credentials across systems.

Just what we always needed. A persistent hack that can keep stealing keys and passwords.

In his patch, Linus Torvalds explained the problem exists because "We have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (often explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is."

What that means for you and me is that by combining this logic error with the pidfd_getfd(2) system call, unprivileged users can reach into privileged processes that are in the middle of shutting down, grab their still-open file descriptors, and then read from files that would normally be accessible only to root.

That wouldn't be a big deal except that Qualys has shown, via a proof-of-concept (PoC) exploit, that the bug can be triggered reliably in practice, not just in theory. The good news is that the fix is in. Linux stable maintainer Greg Kroah-Hartman has already rolled out updates across several supported branches, including new releases such as 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, and 5.10.256, all of which carry the ssh-keysign-pwn fix.
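As an added example, not from the article or from any kernel.org tooling, here is a POSIX shell check that classifies a kernel version string against the fixed stable releases listed above. The only data it assumes is that list. It is meaningful only for upstream stable version numbers: distributions such as Ubuntu and RHEL backport fixes without changing the base version (a 6.8.0-58-generic kernel can be patched or not), so for a distro kernel the distro's own advisory is authoritative, and the script reports such branches as unknown rather than guessing.

```shell
#!/bin/sh
# Added example, not from the article: classify a kernel version string against
# the stable releases the article names as carrying the fix. Only meaningful for
# upstream stable version numbers: distro kernels (e.g. Ubuntu's 6.8.0-58-generic)
# backport fixes without bumping the base version, so consult the distro
# advisory for those. Branches not in the list are reported as unknown.

FIXED_RELEASES="7.0.8 6.18.31 6.12.89 6.6.139 6.1.173 5.15.207 5.10.256"

# base_version "6.12.89-1-generic" -> "6.12.89" (drop the distro/local suffix)
base_version() {
    printf '%s\n' "$1" | sed 's/[-+].*//'
}

# vfield VERSION N -> numeric field N, with 0 for fields the string lacks
vfield() {
    printf '%s.0.0.0\n' "$1" | cut -d. -f"$2"
}

# version_ge A B: true when A >= B, comparing the first three numeric fields
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(vfield "$1" "$i")
        b=$(vfield "$2" "$i")
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# kernel_fix_status VERSION: prints fixed, vulnerable or unknown-branch
kernel_fix_status() {
    v=$(base_version "$1")
    branch="$(vfield "$v" 1).$(vfield "$v" 2)"
    for f in $FIXED_RELEASES; do
        if [ "$(vfield "$f" 1).$(vfield "$f" 2)" = "$branch" ]; then
            if version_ge "$v" "$f"; then echo fixed; else echo vulnerable; fi
            return 0
        fi
    done
    echo unknown-branch
}

# Stand-alone use: classify the running kernel.
echo "$(uname -r): $(kernel_fix_status "$(uname -r)")"
```

Run it as-is to classify the running kernel, or source it and feed kernel_fix_status the versions from a fleet inventory. A result of "fixed" means only that the upstream version is at or past the first release carrying the fix on that branch; it says nothing about whether the machine has actually rebooted into that kernel.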

What you need to do

You'll need to move to one of these kernels ASAP. This hole affects all Linux kernels released before May 14, 2026. Otherwise, as one tired member of the Manjaro Linux team put it, "Don't run your PC if you don't need it. Lock yourself in and look over your shoulder." Well, that's certainly one way of dealing with it!

Until patched kernels are widely available, security teams do have some mitigation options, but each comes with trade-offs.

One quick and dirty workaround is to tighten Linux's Yama ptrace restrictions, as root, with the command:

sysctl kernel.yama.ptrace_scope=2

Scope 2 limits ptrace attach to processes holding CAP_SYS_PTRACE, and since pidfd_getfd(2) goes through the same ptrace access check, this blocks the exploit. Two caveats: the setting does not survive a reboot unless you also put kernel.yama.ptrace_scope = 2 in a file under /etc/sysctl.d/, and the knob only exists on kernels built with the Yama LSM. It also breaks many debugging and monitoring workflows, such as gdb or strace attaching to a running process, which isn't ideal on developer machines.

You can also reduce exposure on systems that don't use host-based SSH authentication, which is the default (HostbasedAuthentication no in sshd_config, EnableSSHKeysign no in ssh_config), by removing the setuid bit from the ssh-keysign helper or removing the binary altogether. That closes the path the bug is named after without affecting ordinary password- or public-key SSH logins. It is a stopgap, not a fix: the kernel bug remains, and any other privileged process that still holds sensitive files open while it exits is just as reachable.
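An added example, not from the article or the OpenSSH project: a read-only POSIX shell audit of the two stopgaps above on a single host. The default paths (/proc/sys/kernel/yama/ptrace_scope, /etc/ssh/sshd_config, /etc/ssh/ssh_config and /usr/lib/openssh/ssh-keysign) are assumptions for a Debian-family layout and can be overridden with positional arguments; RHEL-family systems keep ssh-keysign under /usr/libexec/openssh/. The script reports and changes nothing.

```shell
#!/bin/sh
# Added example, not from the article or OpenSSH: audit the two stopgaps on one
# host. The default paths are assumptions (Debian-family layout); pass your own
# as arguments. Read-only: it reports, it changes nothing.

YAMA_FILE=${1:-/proc/sys/kernel/yama/ptrace_scope}
SSHD_CONFIG=${2:-/etc/ssh/sshd_config}
SSH_CONFIG=${3:-/etc/ssh/ssh_config}
KEYSIGN=${4:-/usr/lib/openssh/ssh-keysign}

# yama_scope FILE: the Yama ptrace_scope value, or "absent" when the Yama LSM
# is not active (no file means no Yama restriction at all).
yama_scope() {
    if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; else echo absent; fi
}

# yama_blocks_unprivileged_attach FILE: true for scope 2 (CAP_SYS_PTRACE only)
# or 3 (no attach at all). Scopes 0 and 1 still let an unprivileged user reach
# at least some processes through the ptrace access check.
yama_blocks_unprivileged_attach() {
    case "$(yama_scope "$1")" in
        2|3) return 0 ;;
        *)   return 1 ;;
    esac
}

# ssh_option FILE KEYWORD DEFAULT: value of KEYWORD in an OpenSSH config file,
# lower-cased. As in ssh/sshd, the first occurrence wins and keywords are
# case-insensitive; "Keyword value" and "Keyword=value" are both accepted.
# Limits: Include and Match/Host blocks are not followed; `sshd -T` prints the
# effective server configuration if you need that.
ssh_option() {
    [ -r "$1" ] || { printf '%s\n' "$3"; return 0; }
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v k="$key" '
        { sub(/^[ \t]+/, "") }            # strip leading whitespace
        /^#/ || $0 == "" { next }         # comments and blank lines
        { split($0, f, /[ \t=]+/) }       # keyword, then value
        tolower(f[1]) == k { print tolower(f[2]); exit }
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# keysign_exposed PATH: true when the helper still runs setuid root, i.e. any
# local user can make it open the host keys as root before it drops privileges.
keysign_exposed() {
    [ -u "$1" ]
}

# audit: one line per check; returns 0 only when both stopgaps are in place.
audit() {
    rc=0
    scope=$(yama_scope "$YAMA_FILE")
    if yama_blocks_unprivileged_attach "$YAMA_FILE"; then
        echo "ok    ptrace_scope=$scope"
    else
        echo "WARN  ptrace_scope=$scope (want 2 until the kernel is patched)"
        rc=1
    fi
    hb=$(ssh_option "$SSHD_CONFIG" HostbasedAuthentication no)
    keysign_cfg=$(ssh_option "$SSH_CONFIG" EnableSSHKeysign no)
    echo "info  HostbasedAuthentication=$hb EnableSSHKeysign=$keysign_cfg"
    if keysign_exposed "$KEYSIGN"; then
        if [ "$hb" = no ] && [ "$keysign_cfg" = no ]; then
            echo "WARN  $KEYSIGN is setuid root but host-based auth is unused: chmod u-s it"
        else
            echo "WARN  $KEYSIGN is setuid root and host-based auth is configured"
        fi
        rc=1
    else
        echo "ok    $KEYSIGN is not setuid (or not installed)"
    fi
    return $rc
}

# Stand-alone use: print the report; a WARN line means a stopgap is missing.
audit || echo "one or more stopgaps missing"
```

The two WARN lines map directly onto the remediation steps: a drop-in under /etc/sysctl.d/ for the first, chmod u-s on the helper (or uninstalling it) for the second. Neither is applied by the script; both remain deliberate, separate changes.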

Me? I'll be monitoring my systems and hoping the distros I use every day — Linux Mint, Ubuntu, AlmaLinux, openSUSE, and Rocky Linux — get patched by the end of the weekend.
