Observe ZDNET: Add us as a most popular supply on Google.
ZDNET’s key takeaways
- One other day, one other Linux bug.
- There’s a patch out now.
- Nonetheless, it is not obtainable but in most distros.
Linux’s newest kernel flaw does not have a elaborate identify; it is simply referred to as “ssh‑keysign‑pwn.” It is the fourth excessive‑profile native safety gap to hit Linux in only a few weeks. This one permits extraordinary customers to quietly learn a few of the most delicate recordsdata on a system, together with Safe Shell (SSH) host personal keys and the shadow password file.
The vulnerability will get its “ssh‑keysign‑pwn” nickname from one of many fundamental exploitation paths: abusing OpenSSH’s ssh-keysign helper binary. Keysign -keysign is used for host‑primarily based authentication and usually runs setuid root, opening the system’s SSH host keys earlier than dropping privileges to finish its work.
Additionally: The third main Linux kernel flaw in two weeks has been discovered – due to AI
Simply what we wanted. One other annoying and doubtlessly harmful Linux bug.
The flaw defined
Safety researchers at safety firm Qualys disclosed CVE‑2026‑46333, an data‑disclosure vulnerability within the Linux kernel’s ptrace entry examine. Qualys claims it has existed in a single kind or one other for about six years.
The flaw sits within the __ptrace_may_access() logic that runs as processes exit. Below sure situations, the kernel skips regular “dumpable” checks as soon as a course of has dropped its reminiscence mapping. This opens a short window for an additional course of to steal its file descriptors.
Whereas ssh‑keysign‑pwn does not hand over a full root shell by itself, the flexibility to exfiltrate host keys and password hashes is a strong constructing block for lateral motion and lengthy‑time period persistence. As well as, with stolen SSH host keys, attackers can impersonate machines in host‑primarily based belief relationships. With entry to the shadow password listing, they will try offline password cracking and reuse these credentials throughout programs.
Additionally: Linux is getting a safety wake-up name – why it was inevitable, and I am not anxious
Simply what we all the time wanted. A persistent hack that may preserve stealing keys and passwords.
In his patch, Linus Torvalds defined the issue exists as a result of “Now we have one odd particular case: ptrace_may_access() makes use of ‘dumpable’ to examine numerous different issues totally independently of the MM (usually explicitly utilizing flags like PTRACE_MODE_READ_FSCREDS). Together with for threads that not have a VM (and perhaps by no means did, like most kernel threads). It is not what this flag was designed for, however it’s what it’s.”
What which means for you and me is that by combining this logic error with the pidfd_getfd(2) system name, unprivileged customers can attain into privileged processes which might be in the course of shutting down, seize their nonetheless‑open file descriptors, after which learn from recordsdata that might usually be accessible solely to root.
That would not be an enormous deal besides that Qualys has proven by way of a proof‑of‑idea (PoC) exploit that the bug may be triggered reliably in observe, not simply in concept. The excellent news is the repair is in. Linux steady maintainer Greg Kroah‑Hartman has already rolled out updates throughout a number of supported branches, together with new releases equivalent to 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, and 5.10.256, all of which carry the ssh‑keysign‑pwn repair.
What you could do
You may wish to transfer to certainly one of these kernels ASAP. This gap impacts all Linux kernels launched earlier than Could 14, 2026. In any other case, as one drained member of the Manjaro Linux staff put it, “Do not run your PC if you happen to do not want it. Lock your self in and look over your shoulder.” Effectively, that is definitely a technique of coping with it!
Additionally: The best way to study Claude Code without spending a dime with Anthropic’s AI programs
Till patched kernels are extensively obtainable, safety groups do have some mitigation choices, however every comes with commerce‑offs.
One fast and soiled workaround is to tighten Linux’s Yama ptrace restrictions by setting it with the command:
sysctl kernel.yama.ptrace_scope=2.
This disables ptrace for non‑root customers and blocks the exploit, however it additionally breaks many debugging and monitoring workflows. This isn’t superb for developer workflows.
You too can cut back publicity by disabling host‑primarily based SSH authentication and the ssh-keysign helper totally on programs the place they aren’t wanted. This removes a major avenue for stealing host keys. Nonetheless, this additionally stops SSH in its tracks, which for a lot of Linux programs is a non-starter.
Me? I’ll be monitoring my programs and hoping the distros I exploit day by day — Linux Mint, Ubuntu, AlmaLinux, openSUSE, and Rocky Linux — get patched by the tip of the weekend.
