A recently uncovered vulnerability in the Linux kernel, dubbed “ssh-keysign-pwn” by researchers from Qualys, poses a significant threat to millions of Linux systems. The flaw enables unauthorized local access to sensitive information, including the host’s SSH private keys and the hashed passwords stored in /etc/shadow, creating avenues for malicious exploitation.
The critical flaw is cataloged as CVE-2026-46333 and GHSA-pm8f-4p6p-6x53, with its existence going undetected for nearly six years. It was formally documented in the National Vulnerability Database on May 15, 2026. This timeline reflects a concerning oversight, highlighting how long such vulnerabilities can persist in widely used systems.
At the core of the “ssh-keysign-pwn” issue is a race condition within the Linux kernel’s __ptrace_may_access() function. This particular function governs whether one process is permitted to inspect or trace another process, a vital capability for maintaining system security. The flaw arises from faulty logic relating to the concept of “dumpability,” which pertains to a process’s ability to generate a core dump.
The vulnerable window opens during process exit. When a privileged process such as ssh-keysign or chage begins shutting down through do_exit(), it first calls exit_mm(), which clears the task’s memory-map pointer (mm). During this transitional phase the process still holds its sensitive open file descriptors (FDs); they are only released when exit_files() runs shortly afterwards.
Exploiting this brief window, an unprivileged local attacker can use the pidfd_getfd() system call to obtain copies of those open file descriptors before they are closed. According to the disclosure by Qualys on the oss-security mailing list, attackers with minimal privileges can do this because of inadequacies in how ptrace_may_access() evaluates the dumpability conditions for a task in this state.
What makes the situation particularly alarming is that the kernel did not require the CAP_SYS_PTRACE capability for this edge case, so an attacker needs no elevated privileges to exploit it. The ramifications are severe: successfully hijacking file descriptors from the ssh-keysign process gives an attacker read access to the host’s SSH private keys, which paves the way for host impersonation and man-in-the-middle (MitM) interception of SSH sessions until the compromised keys are replaced.
Furthermore, the same race condition creates the potential to expose the /etc/shadow file, which houses hashed user passwords. This exposure can lead to offline password-cracking assaults against every account on the affected system, significantly compromising user security.
Adding to the urgency, a proof-of-concept (PoC) exploit has been made publicly available on GitHub, offering a more straightforward path to exploitation. The PoC can be accessed at github.com/0xdeadbeefnetwork/ssh-keysign-pwn, which significantly heightens the need for system administrators to address the vulnerability promptly.
Regarding affected systems, all Linux kernels preceding commit 31e62c2ebbfd, which was merged on May 14, 2026, are deemed vulnerable. This includes various significant distributions such as Ubuntu, Debian, Arch Linux, CentOS, and Raspberry Pi OS, as noted by cybersecurity expert Clandestine on social media platform X.
Given the widespread risk posed by this vulnerability, Linux kernel maintainers have promptly released fixes across multiple stable branches, with patches accessible through the official kernel Git repository. System administrators are strongly advised to apply these kernel updates without delay to mitigate the potential impact.
In the interim, while patching efforts are underway, restricting local user access and auditing ptrace-related activity under established security policies can help reduce exposure. The fix tightens the dumpability logic by requiring an explicit CAP_SYS_PTRACE capability in the scenario where the target thread no longer has an active memory map, closing the pathway the exploit relies on.
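One concrete form such an audit can take is watching for the pidfd_getfd() primitive itself. The following detector is an added example (not code from Qualys or from the PoC repository) that scans raw auditd SYSCALL records for successful pidfd_getfd() calls made by non-root users; it assumes auditd is configured with a rule like `-a always,exit -F arch=b64 -S pidfd_getfd -k pidfd_getfd` (use `-S 438` if your auditctl does not know the name), and the log lines below are constructed for illustration.

```python
"""Flag successful pidfd_getfd() calls by unprivileged users in raw auditd logs."""
import re
from typing import Dict, List

# pidfd_getfd was added with a unified syscall number, 438, on all Linux architectures.
PIDFD_GETFD_NR = 438

# key=value tokens; values may be double-quoted strings containing spaces.
TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample records (assumed auditd rule: -S pidfd_getfd -k pidfd_getfd).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1778828400.101:201): arch=c000003e syscall=438 success=yes exit=5 '
    'a0=3 a1=4 a2=0 a3=0 ppid=2100 pid=2101 auid=1000 uid=1000 comm="testproc" exe="/tmp/testproc" key="pidfd_getfd"',
    'type=SYSCALL msg=audit(1778828400.102:202): arch=c000003e syscall=438 success=no exit=-1 '
    'a0=3 a1=3 a2=0 a3=0 ppid=2100 pid=2102 auid=1000 uid=1000 comm="testproc" exe="/tmp/testproc" key="pidfd_getfd"',
    'type=SYSCALL msg=audit(1778828400.103:203): arch=c000003e syscall=438 success=yes exit=7 '
    'a0=10 a1=3 a2=0 a3=0 ppid=1 pid=900 auid=4294967295 uid=0 comm="systemd" exe="/usr/lib/systemd/systemd" key="pidfd_getfd"',
    'type=SYSCALL msg=audit(1778828400.104:204): arch=c000003e syscall=257 success=yes exit=3 '
    'a0=ffffff9c a1=7ffd a2=0 a3=0 ppid=2100 pid=2101 auid=1000 uid=1000 comm="testproc" exe="/tmp/testproc" key="open"',
]


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one audit record into a key/value dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in TOKEN_RE.findall(line)}


def suspicious_pidfd_getfd(lines: List[str]) -> List[Dict[str, str]]:
    """Return SYSCALL records where a non-root user successfully called pidfd_getfd().

    Ordinary users rarely need pidfd_getfd(), so each hit deserves correlation with the
    target process (a0 is the pidfd argument, a1 the remote fd, exit the new local fd).
    """
    hits = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") != str(PIDFD_GETFD_NR):
            continue
        if rec.get("success") != "yes" or rec.get("uid") == "0":
            continue
        hits.append({k: rec.get(k, "") for k in ("pid", "uid", "auid", "comm", "exe", "a0", "a1", "exit")})
    return hits


if __name__ == "__main__":
    for hit in suspicious_pidfd_getfd(SAMPLE_LOG):
        print("unprivileged pidfd_getfd:", hit)
```

Only the first sample record is reported: the second failed, the third was root, and the fourth is a different syscall.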
Ultimately, the unearthing of the “ssh-keysign-pwn” vulnerability serves as a stern reminder of the underlying complexities associated with system security, illustrating the ongoing challenges faced in safeguarding against malicious attacks.
