Comply with ZDNET: Add us as a preferred source on Google.
ZDNET’s key takeaways
- One other day, one other Linux bug.
- There’s a patch out now.
- Nonetheless, it is not obtainable but in most distros.
Linux’s newest kernel flaw does not have a elaborate title; it is simply referred to as “ssh‑keysign‑pwn.” It is the fourth excessive‑profile native safety gap to hit Linux in just some weeks. This one allows unusual customers to quietly learn among the most delicate recordsdata on a system, together with Safe Shell (SSH) host non-public keys and the shadow password file.
The vulnerability will get its “ssh‑keysign‑pwn” nickname from one of many major exploitation paths: abusing OpenSSH’s ssh-keysign helper binary. Keysign -keysign is used for host‑based mostly authentication and sometimes runs setuid root, opening the system’s SSH host keys earlier than dropping privileges to finish its work.
Additionally: The third major Linux kernel flaw in two weeks has been found – thanks to AI
Simply what we would have liked. One other annoying and doubtlessly harmful Linux bug.
The flaw defined
Safety researchers at safety firm Qualys disclosed CVE‑2026‑46333, an data‑disclosure vulnerability within the Linux kernel’s ptrace entry test. Qualys claims it has existed in a single kind or one other for about six years.
The flaw sits within the __ptrace_may_access() logic that runs as processes exit. Below sure circumstances, the kernel skips regular “dumpable” checks as soon as a course of has dropped its reminiscence mapping. This opens a quick window for an additional course of to steal its file descriptors.
Whereas ssh‑keysign‑pwn does not hand over a full root shell by itself, the flexibility to exfiltrate host keys and password hashes is a robust constructing block for lateral motion and lengthy‑time period persistence. As well as, with stolen SSH host keys, attackers can impersonate machines in host‑based mostly belief relationships. With entry to the shadow password listing, they’ll try offline password cracking and reuse these credentials throughout techniques.
Additionally: Linux is getting a security wake-up call – why it was inevitable, and I’m not worried
Simply what we all the time wanted. A persistent hack that may maintain stealing keys and passwords.
In his patch, Linus Torvalds defined the issue exists as a result of “We have now one odd particular case: ptrace_may_access() makes use of ‘dumpable’ to test varied different issues completely independently of the MM (sometimes explicitly utilizing flags like PTRACE_MODE_READ_FSCREDS). Together with for threads that not have a VM (and perhaps by no means did, like most kernel threads). It is not what this flag was designed for, however it’s what it’s.”
What meaning for you and me is that by combining this logic error with the pidfd_getfd(2) system name, unprivileged customers can attain into privileged processes which might be in the course of shutting down, seize their nonetheless‑open file descriptors, after which learn from recordsdata that will usually be accessible solely to root.
That would not be an enormous deal besides that Qualys has shown via a proof‑of‑concept (PoC) exploit that the bug will be triggered reliably in follow, not simply in concept. The excellent news is the repair is in. Linux steady maintainer Greg Kroah‑Hartman has already rolled out updates throughout a number of supported branches, together with new releases corresponding to 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, and 5.10.256, all of which carry the ssh‑keysign‑pwn repair.
What it is advisable to do
You may wish to transfer to one in all these kernels ASAP. This gap impacts all Linux kernels launched earlier than Could 14, 2026. In any other case, as one drained member of the Manjaro Linux crew put it, “Don’t run your PC if you don’t need it. Lock your self in and look over your shoulder.” Properly, that is definitely a method of coping with it!
Additionally: How to learn Claude Code for free with Anthropic’s AI courses
Till patched kernels are broadly obtainable, safety groups do have some mitigation choices, however every comes with commerce‑offs.
One fast and soiled workaround is to tighten Linux’s Yama ptrace restrictions by setting it with the command:
sysctl kernel.yama.ptrace_scope=2.
This disables ptrace for non‑root customers and blocks the exploit, but it surely additionally breaks many debugging and monitoring workflows. This isn’t perfect for developer workflows.
You can even scale back publicity by disabling host‑based SSH authentication and the ssh-keysign helper completely on techniques the place they don’t seem to be wanted. This removes a main avenue for stealing host keys. Nonetheless, this additionally stops SSH in its tracks, which for a lot of Linux techniques is a non-starter.
Me? I’ll be monitoring my techniques and hoping the distros I take advantage of every single day — Linux Mint, Ubuntu, AlmaLinux, openSUSE, and Rocky Linux — get patched by the tip of the weekend.
