CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 21, 2026

Nine-year-old Linux Kernel Vulnerability Let Attackers Exfiltrate SSH Private Keys

Cybersecurity News Archived May 21, 2026 ✓ Full text saved

A newly disclosed Linux kernel vulnerability, tracked as CVE-2026-46333, exposes a serious local privilege escalation flaw that has remained undetected for nearly nine years. Security researchers at the Qualys Threat Research Unit (TRU) revealed that the issue allows attackers to exfiltrate sensitive data, including SSH private keys, and execute arbitrary commands as root on affected […] The post Nine-year-old Linux Kernel Vulnerability Let Attackers Exfiltrate SSH Private Keys appeared first on

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Nine-year-old Linux Kernel Vulnerability Let Attackers Exfiltrate SSH Private Keys By Abinaya May 21, 2026 A newly disclosed Linux kernel vulnerability, tracked as CVE-2026-46333, exposes a serious local privilege escalation flaw that has remained undetected for nearly nine years. Security researchers at the Qualys Threat Research Unit (TRU) revealed that the issue allows attackers to exfiltrate sensitive data, including SSH private keys, and execute arbitrary commands as root on affected systems. The flaw resides in the Linux kernel’s __ptrace_may_access() function, which governs whether one process can inspect or interact with another. Due to a logic error introduced in Linux kernel version 4.10-rc1 (November 2016), the function incorrectly permits access to privileged processes during a brief window when they are dropping credentials. By combining this race condition with the pidfd_getfd() system call, attackers can duplicate file descriptors from privileged processes and reuse them under their own unprivileged context. Linux Kernel Flaw Exposes SSH Keys This effectively bypasses standard permission checks and allows access to sensitive resources. Qualys demonstrated reliable exploitation across multiple default Linux distributions, including Debian 13, Ubuntu 24.04 and 26.04, and Fedora 43/44. Four real-world attack scenarios were validated: ssh-keysign: Allows exfiltration of SSH host private keys stored under /etc/ssh/. change: Enables disclosure of password hashes from /etc/shadow. pkexec: Facilitates arbitrary command execution as root. accounts-daemon: Allows privilege escalation via D-Bus interactions. Although classified as a local vulnerability, the impact is severe. Any attacker with a low-privileged shell, such as via SSH access, compromised service accounts, or CI/CD pipelines, can escalate to full root access. This effectively collapses the boundary between limited access and total system compromise. The vulnerability stems from improper handling of the “dumpable” state in __ptrace_may_access(). When a target process exits, and its memory descriptor (mm) becomes NULL, the kernel skips critical security checks. Access control then falls back to the YAMA Linux Security Module. Under the default kernel. yama.ptrace_scope = 1, YAMA permits access if the attacker is the parent process, which is often the exploitation case. This enables the attack chain. However, setting ptrace_scope = 2 enforces stricter checks requiring CAP_SYS_PTRACE, effectively blocking the exploit path. Upstream patches were released on May 14, 2026, shortly after responsible disclosure. Major Linux distributions, including Debian, Fedora, Red Hat, SUSE, AlmaLinux, and CloudLinux, have issued security updates. Administrators are strongly advised to: Apply the latest kernel updates immediately. Rotate SSH host keys and sensitive credentials on potentially exposed systems. Audit systems for unauthorized privilege escalation activity. As an interim mitigation, systems can enforce: kernel.yama.ptrace_scope = 2 However, this setting may disrupt debugging tools such as gdb and strace, as well as certain container- or crash-reporting workflows. With public exploits now circulating and the vulnerability affecting nearly a decade of Linux systems, CVE-2026-46333 poses a critical risk that requires immediate attention across enterprise and cloud environments. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News DevilNFC Android Malware Uses Kiosk Mode to Trap Victims During NFC Relay Attacks Critical SEPPmail Gateway Flaws Allow Remote Code Execution and Mail Traffic Theft Android 16 VPN Bypass Lets Malicious Apps Reveal Users Real IP Address New Windows ‘MiniPlasma’ Zero-Day Let Attackers Gain SYSTEM Access – PoC Released Gunra Ransomware Expands RaaS Operations After Shifting From Conti-Based Locker Latest News Cyber Security New Microsoft Defender 0‑Days Actively Exploited in the Wild Cyber Security News BadIIS Malware Turns Hijacks IIS Servers and Redirect Users to Illicit Sites Cyber Security News Critical Cisco Secure Workload Vulnerability Enables Unauthorized API Access Cyber Security News Critical Drupal Core Security Vulnerability Exposes Websites to Cyberattack Cyber Security News New NGINX 0-Day RCE “nginx-poolslip” Affects Millions of NGINX Servers
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 21, 2026
    Archived
    May 21, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗