Critical Linux Kernel Flaw ‘ssh-keysign-pwn’ Exposes SSH Keys and Shadow Passwords
Cybersecurity NewsArchived May 16, 2026✓ Full text saved
A newly disclosed Linux kernel vulnerability is raising serious concerns across the security community, as it allows attackers to access highly sensitive data, including SSH private keys and password hashes, on affected systems. Tracked as CVE-2026-46333, the flaw has been nicknamed “ssh-keysign-pwn” and impacts a wide range of Linux distributions. Linux system hit with multiple vulnerabilities in 2026, […] The post Critical Linux Kernel Flaw ‘ssh-keysign-pwn’ Exposes SSH Keys and Shadow Passwor
Full text archived locally
✦ AI Summary· Claude Sonnet
Discover more
mobile
Cybersecurity training courses
Hacking & Cracking
HomeCyber Security News
Critical Linux Kernel Flaw ‘ssh-keysign-pwn’ Exposes SSH Keys and Shadow Passwords
By Dhivya
May 16, 2026
A newly disclosed Linux kernel vulnerability is raising serious concerns across the security community, as it allows attackers to access highly sensitive data, including SSH private keys and password hashes, on affected systems.
Tracked as CVE-2026-46333, the flaw has been nicknamed “ssh-keysign-pwn” and impacts a wide range of Linux distributions.
Linux system hit with multiple vulnerabilities in 2026, including Dirty Pipe, io_uring UAF, Copy Fail, io_uring ZCRX Freelist, Dirty Frag, and Fragnesia.
Linux Kernel Vulnerability “ssh-keysign-pwn”
The issue originates in the Linux kernel’s ptrace access control logic, specifically within the __ptrace_may_access() function.
This mechanism is supposed to restrict how processes can inspect or interact with other processes. However, a logic flaw tied to the kernel’s “dumpability” checks creates a dangerous race condition.
In simple terms, when a privileged process (such as ssh-keysign or chage) is shutting down, there is a short window where its memory context is cleared (mm = NULL) but its open file descriptors still exist. During this gap, an unprivileged local attacker can exploit the flaw using pidfd_getfd() to steal those file descriptors.
This effectively bypasses intended permission checks, allowing unauthorized access to sensitive files.
Security researchers, including Qualys, warn that this vulnerability can lead to severe consequences:
Theft of SSH private keys enables attackers to impersonate systems or users.
Man-in-the-middle (MitM) attacks until compromised keys are rotated.
Full read access to /etc/shadow, exposing password hashes for offline cracking.
Potential lateral movement across infrastructure using stolen credentials.
Because SSH keys are often reused across environments, a single compromised system can cascade into broader network access.
Affected Systems
The vulnerability affects most Linux distributions running kernels before the patch released on May 14, 2026. This includes:
Ubuntu
Debian
Arch Linux
CentOS
Raspberry Pi OS
Given that the flaw has reportedly existed for over six years, many long-term deployments may be exposed.
The core issue lies in how the kernel handles processes without a memory context. The “dumpability” flag, originally designed to control core dumps, is reused in ptrace checks, even when it no longer makes logical sense.
When a process exits, its memory is released before its file descriptors are cleaned up. The kernel fails to properly enforce access restrictions during this transitional state, allowing attackers to bypass security boundaries.
The GitHub PoC ssh-keysign-pwn demonstrates exactly how to weaponize this race condition on pre‑31e62c2ebbfd kernels.
The PoC repeatedly spawns attack processes that race against a privileged helper’s exit path, using pidfd_getfd to grab file descriptors to root‑owned files before they are closed.
According to public analysis, the exploit typically succeeds within 100–2000 attempts, making it practical on real systems.
Two core exploitation paths are highlighted:
Targeting ssh-keysign to read SSH host private keys from /etc/ssh/ssh_host_{ecdsa,ed25519,rsa}_key
Targeting chage -l <user> to read /etc/shadow via a similar file‑descriptor theft pattern
Mitigations
Organizations should act immediately to reduce risk:
Apply the latest kernel patches that fix CVE-2026-46333.
Rotate all SSH keys, especially on critical systems.
Audit access to sensitive files, such as /etc/shadow.
Monitor for suspicious use of ptrace or pidfd-related system calls.
Restrict local user access where possible, as exploitation requires local presence.
As a public proof-of-concept (PoC) exploit has already been released on GitHub, it increases the likelihood of active exploitation in the wild. This significantly raises the urgency for patching.
With SSH serving as the backbone of secure access across cloud and enterprise environments, the exposure of private keys poses a high-impact risk that cannot be ignored.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
vulnerability
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Dhivyahttps://cybersecuritynews.com/
Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
Trending News
macOS Malware Leverages Google Ads and Legitimate Claude.ai Shared Chats to Deliver Malware
Sandworm Hackers Pivot From Compromised IT Systems Toward Critical OT Assets
Google reCAPTCHA Update Blocks Privacy-Focused Android Users From Sites
Ivanti Patches Multiple Vulnerabilities in Secure Access, Xtraction, vTM and Endpoint Manager
Hackers Use OrBit Rootkit to Harvest SSH and Sudo Credentials From Linux Systems
Latest News
Cyber Security News
JDownloader Website Compromised to Distribute Malicious Windows and Linux Installers
Cyber Security News
Malicious JPEG Images Could Trigger PHP Memory Safety Vulnerabilities
Cyber Security News
Google Project Zero Discloses Zero-Click Exploit Chain for Pixel 10 Devices
Android
Android 16 VPN Bypass Lets Malicious Apps Reveal Users Real IP Address
Cyber Security News
Gunra Ransomware Expands RaaS Operations After Shifting From Conti-Based Locker