CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 16, 2026

Critical Linux Kernel Flaw ‘ssh-keysign-pwn’ Exposes SSH Keys and Shadow Passwords

Cybersecurity News Archived May 16, 2026 ✓ Full text saved

A newly disclosed Linux kernel vulnerability is raising serious concerns across the security community, as it allows attackers to access highly sensitive data, including SSH private keys and password hashes, on affected systems. Tracked as CVE-2026-46333, the flaw has been nicknamed “ssh-keysign-pwn” and impacts a wide range of Linux distributions. Linux system hit with multiple vulnerabilities in 2026, […] The post Critical Linux Kernel Flaw ‘ssh-keysign-pwn’ Exposes SSH Keys and Shadow Passwor

Full text archived locally
✦ AI Summary · Claude Sonnet


    Discover more mobile Cybersecurity training courses Hacking & Cracking HomeCyber Security News Critical Linux Kernel Flaw ‘ssh-keysign-pwn’ Exposes SSH Keys and Shadow Passwords By Dhivya May 16, 2026 A newly disclosed Linux kernel vulnerability is raising serious concerns across the security community, as it allows attackers to access highly sensitive data, including SSH private keys and password hashes, on affected systems. Tracked as CVE-2026-46333, the flaw has been nicknamed “ssh-keysign-pwn” and impacts a wide range of Linux distributions. Linux system hit with multiple vulnerabilities in 2026, including Dirty Pipe, io_uring UAF, Copy Fail, io_uring ZCRX Freelist, Dirty Frag, and Fragnesia. Linux Kernel Vulnerability “ssh-keysign-pwn” The issue originates in the Linux kernel’s ptrace access control logic, specifically within the __ptrace_may_access() function. This mechanism is supposed to restrict how processes can inspect or interact with other processes. However, a logic flaw tied to the kernel’s “dumpability” checks creates a dangerous race condition. In simple terms, when a privileged process (such as ssh-keysign or chage) is shutting down, there is a short window where its memory context is cleared (mm = NULL) but its open file descriptors still exist. During this gap, an unprivileged local attacker can exploit the flaw using pidfd_getfd() to steal those file descriptors. This effectively bypasses intended permission checks, allowing unauthorized access to sensitive files. Security researchers, including Qualys, warn that this vulnerability can lead to severe consequences: Theft of SSH private keys enables attackers to impersonate systems or users. Man-in-the-middle (MitM) attacks until compromised keys are rotated. Full read access to /etc/shadow, exposing password hashes for offline cracking. Potential lateral movement across infrastructure using stolen credentials. Because SSH keys are often reused across environments, a single compromised system can cascade into broader network access. Affected Systems The vulnerability affects most Linux distributions running kernels before the patch released on May 14, 2026. This includes: Ubuntu Debian Arch Linux CentOS Raspberry Pi OS Given that the flaw has reportedly existed for over six years, many long-term deployments may be exposed. The core issue lies in how the kernel handles processes without a memory context. The “dumpability” flag, originally designed to control core dumps, is reused in ptrace checks, even when it no longer makes logical sense. When a process exits, its memory is released before its file descriptors are cleaned up. The kernel fails to properly enforce access restrictions during this transitional state, allowing attackers to bypass security boundaries. The GitHub PoC ssh-keysign-pwn demonstrates exactly how to weaponize this race condition on pre‑31e62c2ebbfd kernels. The PoC repeatedly spawns attack processes that race against a privileged helper’s exit path, using pidfd_getfd to grab file descriptors to root‑owned files before they are closed. According to public analysis, the exploit typically succeeds within 100–2000 attempts, making it practical on real systems. Two core exploitation paths are highlighted: Targeting ssh-keysign to read SSH host private keys from /etc/ssh/ssh_host_{ecdsa,ed25519,rsa}_key Targeting chage -l <user> to read /etc/shadow via a similar file‑descriptor theft pattern Mitigations Organizations should act immediately to reduce risk: Apply the latest kernel patches that fix CVE-2026-46333. Rotate all SSH keys, especially on critical systems. Audit access to sensitive files, such as /etc/shadow. Monitor for suspicious use of ptrace or pidfd-related system calls. Restrict local user access where possible, as exploitation requires local presence. As a public proof-of-concept (PoC) exploit has already been released on GitHub, it increases the likelihood of active exploitation in the wild. This significantly raises the urgency for patching. With SSH serving as the backbone of secure access across cloud and enterprise environments, the exposure of private keys poses a high-impact risk that cannot be ignored. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Dhivyahttps://cybersecuritynews.com/ Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world. Trending News macOS Malware Leverages Google Ads and Legitimate Claude.ai Shared Chats to Deliver Malware Sandworm Hackers Pivot From Compromised IT Systems Toward Critical OT Assets Google reCAPTCHA Update Blocks Privacy-Focused Android Users From Sites Ivanti Patches Multiple Vulnerabilities in Secure Access, Xtraction, vTM and Endpoint Manager Hackers Use OrBit Rootkit to Harvest SSH and Sudo Credentials From Linux Systems Latest News Cyber Security News JDownloader Website Compromised to Distribute Malicious Windows and Linux Installers Cyber Security News Malicious JPEG Images Could Trigger PHP Memory Safety Vulnerabilities Cyber Security News Google Project Zero Discloses Zero-Click Exploit Chain for Pixel 10 Devices Android Android 16 VPN Bypass Lets Malicious Apps Reveal Users Real IP Address Cyber Security News Gunra Ransomware Expands RaaS Operations After Shifting From Conti-Based Locker
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 16, 2026
    Archived
    May 16, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗