
The 4th Linux kernel bug this month can lead to the theft of SSH host keys



ZDNET key takeaways

  • Another day, another Linux bug.
  • There is a fix now.
  • However, it is not yet available in most distros.

The latest Linux kernel bug doesn’t have a catchy name; it’s just called “ssh-keysign-pwn.” It’s the fourth high-profile local security hole to hit Linux in just a few weeks, and it lets ordinary, unprivileged users silently read some of the most sensitive files on the system, including the Secure Shell (SSH) host keys and the shadow password file.

The vulnerability gets its “ssh-keysign-pwn” alias from one of the main exploit paths: abusing OpenSSH’s ssh-keysign helper binary. ssh-keysign is used for host-based authentication and is usually installed setuid root; it opens the system’s SSH host keys before dropping privileges to finish its work.


Just what we needed: another annoying and potentially dangerous Linux bug.

The bug explained

Security researchers at Qualys have disclosed CVE-2026-46333, an information disclosure vulnerability in the Linux kernel’s access checking. Qualys says it has been around for six years in one form or another.

The bug lies in the __ptrace_may_access() logic as it runs while a process is exiting. Under certain circumstances, the kernel skips the normal “dumpable” check once an exiting process has released its memory map. This opens a brief window for another process to steal its open file descriptors.

Although ssh-keysign-pwn does not provide a full root shell on its own, the ability to extract host keys and password hashes is a powerful capability for lateral movement and long-term persistence. With stolen SSH host keys, attackers can impersonate machines in host-based trust relationships. With access to the shadow password file, they can attempt to crack passwords offline and reuse those credentials across systems.


Just what we always needed: a persistent hack that can eventually steal keys and passwords.

In his piece, Linus Torvalds explained that the problem exists because “We have one unusual case: ptrace_may_access() uses ‘dumpable’ to check various things other than MM (usually explicitly using flags like PTRACE_MODE_READ_FSCREDS). It also includes threads that may not have a VM like VM. built for it, but that’s what it is.”

What that means to me is that by combining this logic error with the pidfd_getfd(2) system call, unprivileged users can reach into privileged processes while they are exiting, grab their open file descriptors, and read from files that would normally be accessible only by root.

That wouldn’t be such a big deal, except that Qualys has demonstrated with a proof of concept (PoC) that the bug can be reliably exploited in practice, not just in theory. The good news is that a fix is available. Linux stable maintainer Greg Kroah-Hartman has already released updates to all supported branches, including 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.5.207, and 5, all of which carry the ssh-keysign-pwn fix.

What you should do

You will want to move to one of these releases ASAP. This hole affects all Linux kernels released before May 14, 2026. Otherwise, as one jaded member of the Manjaro Linux team put it, “Don’t use your PC if you don’t need to. Lock it up and look over your shoulder.” Well, that’s one way to deal with it!


Until patched kernels become widely available, security teams have some mitigation options, but each comes with a trade-off.

One quick and dirty way to enforce Yama ptrace limits for Linux is by setting it with the command:

sysctl kernel.yama.ptrace_scope=2

This disables ptrace for non-root users and prevents exploits, but also breaks most debugging and monitoring workflows. This is not ideal for a developer’s workflow.

You can also reduce exposure by disabling host-based SSH authentication and the ssh-keysign helper entirely on systems where they are not needed. This eliminates the main method of stealing the host’s keys. However, this also stops SSH in its tracks, which on most Linux systems is a non-starter.
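As an added example, not from the article, from Qualys or from any distribution, here is a small POSIX shell audit that evaluates the two mitigations described above: whether the Yama ptrace_scope value blocks unprivileged ptrace attachment, and whether ssh-keysign is installed setuid root while host-based authentication is enabled in sshd_config. The function names, the sample mode string and the sshd_config snippet are constructed for illustration; the path to ssh-keysign varies by distribution and is only given as a hint.

```shell
#!/bin/sh
# Exposure audit for the two mitigations discussed above (added example; not
# the article's, Qualys's or any distro's code). It runs on constructed sample
# inputs so it works offline; the comments at the bottom show the live reads.

# Return 0 when the Yama scope value blocks unprivileged ptrace attachment
# (2 = only CAP_SYS_PTRACE may attach, 3 = no attach at all), 1 otherwise.
yama_scope_blocks_unprivileged() {
    case "$1" in
        2|3) return 0 ;;
        *)   return 1 ;;
    esac
}

# Return 0 when an "ls -l"-style mode string carries the setuid bit,
# e.g. "-rwsr-xr-x" (the owner-execute position is 's' or 'S').
mode_has_setuid() {
    case "$1" in
        ???s*|???S*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 when an sshd_config (or "sshd -T") text enables host-based
# authentication via an uncommented "HostbasedAuthentication yes" line.
sshd_config_enables_hostbased() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*HostbasedAuthentication[[:space:]]+yes'
}

# Combine the three inputs into a one-line verdict:
#   "OK" when nothing is exposed, otherwise "EXPOSED:" followed by the findings.
assess() {
    scope="$1"; keysign_mode="$2"; sshd_conf="$3"
    findings=""
    yama_scope_blocks_unprivileged "$scope" || findings="$findings yama_scope_${scope}_permits_ptrace"
    mode_has_setuid "$keysign_mode" && findings="$findings ssh-keysign_setuid"
    sshd_config_enables_hostbased "$sshd_conf" && findings="$findings hostbased_auth_enabled"
    if [ -z "$findings" ]; then
        echo "OK"
    else
        echo "EXPOSED:$findings"
    fi
}

# Constructed sample inputs (not read from a real host):
SAMPLE_SCOPE=1                      # Yama default on many distros: same-uid descendants only
SAMPLE_KEYSIGN_MODE='-rwsr-xr-x'    # setuid-root helper
SAMPLE_SSHD_CONF='HostbasedAuthentication yes'
assess "$SAMPLE_SCOPE" "$SAMPLE_KEYSIGN_MODE" "$SAMPLE_SSHD_CONF"

# On a live host, replace the three sample values with the output of:
#   sysctl -n kernel.yama.ptrace_scope
#   ls -l /usr/lib/openssh/ssh-keysign | cut -d' ' -f1   (path varies by distro)
#   sshd -T | grep -i hostbasedauthentication
```

The verdict line is deliberately machine-readable so the script can feed a fleet-wide inventory while the kernel updates roll out; a host reporting both `ssh-keysign_setuid` and `hostbased_auth_enabled` is one where the trade-off of turning off host-based authentication needs an explicit decision rather than a default.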

Me? I’ll be monitoring my systems and hopefully the distros I use every day — Linux Mint, Ubuntu, AlmaLinux, openSUSE, and Rocky Linux — will be patched by the end of the weekend.
