A newly disclosed Linux kernel vulnerability, dubbed “ssh-keysign-pwn” by Qualys researchers, exposes millions of Linux systems to unauthorized reads of sensitive SSH private keys and of the hashed passwords stored in /etc/shadow.
Tracked as CVE-2026-46333 and GHSA-pm8f-4p6p-6x53, the flaw has existed undetected for approximately six years and was published to the National Vulnerability Database on May 15, 2026.
Linux “ssh-keysign-pwn” Flaw
At the heart of the issue is a race condition in the Linux kernel’s __ptrace_may_access() function, which controls whether one process can inspect or trace another. The vulnerability stems from flawed “dumpability” logic, a concept originally tied to whether a process can produce a core dump.
The problem occurs during the process exit sequence. When a privileged process, such as ssh-keysign or chage, begins shutting down via do_exit(), it calls exit_mm() first, which sets the memory pointer (mm) to NULL.
However, the process still keeps sensitive file descriptors (FDs) open until exit_files() runs moments later.
During this brief window, an unprivileged local attacker can exploit pidfd_getfd() to steal those open file descriptors before they are closed, according to Qualys’ disclosure on oss-security.
Because ptrace_may_access() evaluates dumpability even for threads with no active memory map, including kernel threads, attackers with standard user privileges can abuse this logic gap. The kernel fails to require the CAP_SYS_PTRACE capability in these edge cases, meaning no elevated privileges are required to exploit it.
The real-world impact is severe. By hijacking file descriptors from ssh-keysign, an attacker gains read access to the host’s SSH private keys. This enables impersonation attacks and man-in-the-middle (MitM) interception of SSH sessions until the compromised keys are rotated.
Additionally, the same race condition can expose /etc/shadow, the file that stores hashed user passwords, opening the door to offline password-cracking attacks against every account on the system.
A proof-of-concept (PoC) exploit has already been published publicly on GitHub at github.com/0xdeadbeefnetwork/ssh-keysign-pwn, significantly lowering the barrier for exploitation.
Affected Systems
All Linux kernels before commit 31e62c2ebbfd (merged May 14, 2026) are vulnerable. This impacts a wide range of major distributions, including Ubuntu, Debian, Arch Linux, CentOS, and Raspberry Pi OS, as reported by Clandestine on X.
Any system running an unpatched kernel with privileged processes, such as OpenSSH utilities, is at risk.
The Linux kernel maintainers have released fixes across multiple stable branches, with patches available on the official kernel Git repository. System administrators should apply the kernel update immediately.
Until patching is possible, restricting local user access and auditing ptrace permissions via security policies can reduce exposure.
The fix introduces improved dumpability logic: threads without an active memory map now use a cached “last dumpability” value, and overriding this behavior requires explicit CAP_SYS_PTRACE capability, closing the race window that enabled exploitation.
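As an added illustration of the logic gap described above and of the fix just outlined, here is a simplified Python model; it is not kernel code and not the published PoC, and the Task fields, race_window and the descriptor contents are invented for the example. It walks a set-uid helper through exit_mm() and exit_files() and shows which of the two checks lets a same-uid caller without CAP_SYS_PTRACE copy an open descriptor inside the window.

```python
# Constructed, simplified model of the check described above; not kernel
# code and not the published PoC. Names and fields here are invented.
from dataclasses import dataclass, field

SUID_DUMP_DISABLE = 0  # set-uid / privileged process: not dumpable
SUID_DUMP_USER = 1     # ordinary process: dumpable
CAP_SYS_PTRACE = "CAP_SYS_PTRACE"

@dataclass
class Task:
    name: str
    real_uid: int
    dumpable: int                 # stored on the mm in the real kernel
    has_mm: bool = True
    last_dumpable: int = SUID_DUMP_DISABLE  # cached by the fix in exit_mm()
    open_fds: dict = field(default_factory=dict)

    def exit_mm(self):            # early in do_exit(): mm becomes NULL
        self.last_dumpable = self.dumpable
        self.has_mm = False

    def exit_files(self):         # later in do_exit(): fds finally closed
        self.open_fds.clear()

def may_access_vulnerable(caller_uid, caps, target):
    """Pre-fix logic: with no mm, the dumpability test is skipped."""
    if caller_uid != target.real_uid and CAP_SYS_PTRACE not in caps:
        return False
    if not target.has_mm:
        return True               # the gap: CAP_SYS_PTRACE never required
    return target.dumpable == SUID_DUMP_USER or CAP_SYS_PTRACE in caps

def may_access_fixed(caller_uid, caps, target):
    """Post-fix logic: fall back to the cached value when the mm is gone."""
    if caller_uid != target.real_uid and CAP_SYS_PTRACE not in caps:
        return False
    dumpable = target.dumpable if target.has_mm else target.last_dumpable
    return dumpable == SUID_DUMP_USER or CAP_SYS_PTRACE in caps

def race_window(check, caps=frozenset()):
    """Probe fd 3 of an exiting set-uid helper before, inside and after the window."""
    helper = Task("ssh-keysign", real_uid=1000, dumpable=SUID_DUMP_DISABLE,
                  open_fds={3: "host key file (constructed)"})
    grab = lambda: helper.open_fds.get(3) if check(1000, caps, helper) else None
    before = grab()               # caller has the same real uid, no caps
    helper.exit_mm()              # mm gone, fds still open: the race window
    during = grab()
    helper.exit_files()
    after = grab()
    return (before is not None, during is not None, after is not None)
```

Only the pre-fix check hands out the descriptor inside the window; the fixed check does so only when the caller holds CAP_SYS_PTRACE.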