Linux Kernel Vulnerability ‘ssh-keysign-pwn’ Leaks SSH Keys and Shadow Passwords


Key Takeaways

  • A critical Linux kernel race condition (CVE‑2026‑46333, “ssh‑keysign‑pwn”) lets unprivileged local attackers steal SSH private keys and password hashes.
  • The flaw resides in the ptrace access‑control logic (__ptrace_may_access) and is triggered when privileged processes exit, creating a brief window where memory is cleared but file descriptors remain open.
  • Exploitability is demonstrated by a public GitHub PoC; success typically occurs within 100‑2000 attempts, making it practical on real systems.
  • Affected distributions include Ubuntu, Debian, Arch Linux, CentOS, Raspberry Pi OS, and essentially any system running a kernel that predates the May 14 2026 patch.
  • Immediate mitigation requires applying the latest kernel patch, rotating SSH keys, auditing /etc/shadow access, and monitoring for suspicious ptrace or pidfd usage.

Overview of the Vulnerability
The newly disclosed Linux kernel vulnerability, tracked as CVE‑2026‑46333 and nicknamed “ssh‑keysign‑pwn,” exposes a race condition in the kernel’s ptrace access‑control mechanism. By exploiting a timing gap during the shutdown of privileged processes such as ssh‑keysign or chage, an attacker with local access can obtain file descriptors to sensitive files that should remain protected. This permits unauthorized reading of SSH private keys stored in /etc/ssh and password hashes from /etc/shadow, leading to credential theft, man‑in‑the‑middle attacks, and potential lateral movement across networked infrastructure.

Root Cause in Ptrace Logic
At the heart of the issue lies the __ptrace_may_access() function, which governs whether one process may inspect another. The function relies on the process’s “dumpability” flag—a field originally intended to control core‑dump generation—to decide access permissions. When a privileged process terminates, its memory descriptor (mm) is set to NULL before its open file descriptors are closed. During this short interval, the dumpability check incorrectly permits ptrace operations, allowing an unprivileged caller to invoke pidfd_getfd() and hijack those lingering file descriptors.

Exploitation Mechanics
Attackers leverage the race by repeatedly spawning child processes that race against the exiting privileged helper’s cleanup path. Each attempt calls pidfd_getfd() on the target’s file descriptor table, aiming to capture descriptors for root‑owned files such as SSH host keys or the shadow password file. Because the window persists for only a few microseconds, success is probabilistic; however, empirical testing shows the exploit typically succeeds after 100‑2000 attempts, a feasible number on a live system given the low overhead of the involved syscalls.

Proof‑of‑Concept Demonstration
A public proof‑of‑concept (PoC) exploit named ssh‑keysign‑pwn has been released on GitHub. The PoC automates the race condition, launching numerous attack processes that repeatedly invoke pidfd_getfd() against ssh‑keysign or chage instances as they shut down. On kernels prior to commit 31e62c2ebbfd (the fix), the PoC reliably extracts SSH host private keys from /etc/ssh/ssh_host_{ecdsa,ed25519,rsa}_key and password hashes from /etc/shadow, confirming the practicality of the attack.

Two Primary Attack Vectors
Security analysis highlights two distinct exploitation paths enabled by the same underlying flaw. The first targets the ssh‑keysign binary, which runs with elevated privileges to manage SSH host keys; by stealing its file descriptors, an attacker can read the private keys used for host authentication. The second vector aims at the chage -l command, which also runs privileged to query password‑aging information; hijacking its descriptors yields direct access to /etc/shadow, exposing encrypted password hashes that can be cracked offline. Both paths require only local user access, but the impact escalates quickly when keys are reused across multiple systems.

Impact on Affected Systems
The vulnerability affects virtually all mainstream Linux distributions running kernels released before the patch issued on May 14 2026. This includes Ubuntu, Debian, Arch Linux, CentOS, Raspberry Pi OS, and many derivative systems. Because the flaw has reportedly existed for over six years, numerous long‑term deployments—especially servers and embedded devices that rarely receive kernel updates—remain exposed. The reuse of SSH keys across environments amplifies the risk: compromising a single host can provide attackers with credentials to pivot throughout an organization’s infrastructure.

Mitigation and Response Recommendations
Organizations should prioritize applying the latest kernel updates that address CVE‑2026‑46333. In parallel, rotating all SSH keys—particularly those used for privileged access or service‑to‑service authentication—is essential to limit the window of usefulness for any stolen keys. Auditing access to /etc/shadow and monitoring for anomalous ptrace or pidfd_getfd() system calls can help detect ongoing exploitation attempts. Where feasible, restricting local user accounts and enforcing least‑privilege principles reduces the attack surface, as the exploit requires local code execution.
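As an added illustration of the monitoring step above (example code written for this article, not code from the page, the PoC or any distribution), the following Python detector scans auditd SYSCALL records for bursts of pidfd_getfd() calls by unprivileged login users, which is what a race that needs hundreds of attempts looks like in the audit trail. It assumes x86_64 records (pidfd_getfd is syscall 438 there), an audit rule such as `auditctl -a always,exit -F arch=b64 -S pidfd_getfd -k ssh_keysign_pwn` already in place, and constructed sample records rather than a real log.

```python
import re
from collections import defaultdict
PIDFD_GETFD_X86_64 = "438"      # syscall number of pidfd_getfd(2) on x86_64
ARCH_X86_64 = "c000003e"        # arch value audit writes for x86_64 records
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")

def parse_syscall_record(line):
    """Return {field: value} for a type=SYSCALL audit record, or None for any other record type."""
    if not line.startswith("type=SYSCALL"):
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["_ts"] = int(TS_RE.search(line).group(1))   # event time, whole seconds
    return rec

def is_unprivileged_pidfd_getfd(rec):
    """True when a login user other than root (auid not 0 and not unset) called pidfd_getfd."""
    return (rec.get("arch") == ARCH_X86_64 and rec.get("syscall") == PIDFD_GETFD_X86_64
            and rec.get("auid") not in ("0", "4294967295"))   # 4294967295 = auid unset (daemons)

def pidfd_getfd_bursts(lines, threshold, window_s):
    """Map (auid, comm) -> most pidfd_getfd calls seen in any window_s-second span, for actors that
    reach threshold. Winning the race takes many attempts, so the burst is the signature, not one call."""
    per_actor = defaultdict(list)
    for line in lines:
        rec = parse_syscall_record(line)
        if rec and is_unprivileged_pidfd_getfd(rec):
            per_actor[(rec["auid"], rec.get("comm", "?"))].append(rec["_ts"])
    alerts = {}
    for actor, stamps in per_actor.items():
        stamps.sort()
        best = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s:    # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[actor] = best
    return alerts
def _rec(ts, syscall, auid, comm, success="no"):
    """Constructed audit SYSCALL record in the kernel's field layout (sample data, not a real log)."""
    return (f'type=SYSCALL msg=audit({ts}.000:{ts % 1000}): arch={ARCH_X86_64} syscall={syscall} '
            f'success={success} exit={0 if success == "yes" else -1} pid={ts % 9000} auid={auid} '
            f'uid={auid} comm="{comm}" exe="/tmp/{comm}" key="ssh_keysign_pwn"')
SAMPLE_LOG = (
    [_rec(1715700000 + i // 3, 438, 1000, "racer") for i in range(12)]   # 12 failed tries in 4 s
    + [_rec(1715700002, 438, 1000, "racer", "yes")]                       # the try that won the race
    + [_rec(1715700003, 257, 1000, "bash"), _rec(1715700005, 438, 0, "containerd")]  # openat / root: ignored
    + ['type=PROCTITLE msg=audit(1715700005.000:5): proctitle="racer"']   # not a SYSCALL record
)
```

On the constructed sample, `pidfd_getfd_bursts(SAMPLE_LOG, threshold=10, window_s=10)` reports only the unprivileged "racer" actor with 13 calls; the root caller and the unrelated openat record are ignored.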

Urgency Driven by Public Exploit
The availability of a functional PoC on GitHub markedly increases the likelihood of active exploitation in the wild. Security teams must treat this vulnerability as high‑severity, given SSH’s role as the cornerstone of secure remote administration in cloud, data‑center, and enterprise settings. Failure to patch promptly could result in widespread credential theft, facilitating persistent unauthorized access and potentially costly data breaches. Timely patching, credential rotation, and vigilant monitoring constitute the critical defense-in-depth strategy needed to mitigate the ssh‑keysign‑pwn threat.
