
ZDNET's key takeaways
- Another day, another Linux bug.
- There is a patch out now.
- However, it's not available yet in most distros.
Linux's latest kernel flaw doesn't have a fancy name; it's just called "ssh-keysign-pwn." It's the fourth high-profile local security hole to hit Linux in just a few weeks. This one enables ordinary users to quietly read some of the most sensitive files on a system, including Secure Shell (SSH) host private keys and the shadow password file.
The vulnerability gets its "ssh-keysign-pwn" nickname from one of the main exploitation paths: abusing OpenSSH's ssh-keysign helper binary. ssh-keysign is used for host-based authentication and typically runs setuid root, opening the system's SSH host keys before dropping privileges to complete its work.
Just what we needed. Another annoying and potentially dangerous Linux bug.
The flaw explained
Security researchers at security company Qualys disclosed CVE-2026-46333, an information-disclosure vulnerability in the Linux kernel's ptrace access check. Qualys claims it has existed in one form or another for about six years.
The flaw sits in the __ptrace_may_access() logic that runs as processes exit. Under certain conditions, the kernel skips normal "dumpable" checks when a process has dropped its memory mapping. This opens a brief window for another process to steal its file descriptors.
While ssh-keysign-pwn doesn't hand over a full root shell by itself, the ability to exfiltrate host keys and password hashes is a powerful building block for lateral movement and long-term persistence. In addition, with stolen SSH host keys, attackers can impersonate machines in host-based trust relationships. With access to the shadow password file, they can attempt offline password cracking and reuse those credentials across systems.
Just what we always needed. A persistent hack that can keep stealing keys and passwords.
In his patch, Linus Torvalds explained the problem exists because "We have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is."
What that means for you and me is that by combining this logic error with the pidfd_getfd(2) system call, unprivileged users can reach into privileged processes that are in the middle of shutting down, grab their still-open file descriptors, and then read from files that would normally be accessible only to root.
That wouldn't be a big deal except that Qualys has shown via a proof-of-concept (PoC) exploit that the bug can be triggered reliably in practice, not just in theory. The good news is the fix is in. Linux stable maintainer Greg Kroah-Hartman has already rolled out updates across multiple supported branches, including new releases such as 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, and 5.10.256, all of which carry the ssh-keysign-pwn fix.
What you need to do
You'll want to move to one of these kernels ASAP. This hole affects all Linux kernels released before May 14, 2026. Otherwise, as one tired member of the Manjaro Linux team put it, "Don't run your PC if you don't need it. Lock yourself in and look over your shoulder." Well, that's certainly one way of dealing with it!
Until patched kernels are widely available, security teams do have some mitigation options, but each comes with trade-offs.
One quick and dirty workaround is to tighten Linux's Yama ptrace restrictions by setting it with the command:
sysctl kernel.yama.ptrace_scope=2
This disables ptrace for non-root users and blocks the exploit, but it also breaks many debugging and monitoring workflows. This is not ideal for developer workflows.
You can also reduce exposure by disabling host-based SSH authentication and the ssh-keysign helper entirely on systems where they are not needed. This removes a primary avenue for stealing host keys. However, this also stops SSH in its tracks, which for many Linux systems is a non-starter.
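To triage a host against the three points above (a fixed kernel release, the Yama setting, a setuid ssh-keysign), the following shell script is an added example, not code from ZDNET, Qualys, or the kernel project. The function names and the default ssh-keysign paths are assumptions; the fixed version numbers come from the release list quoted earlier.

```shell
#!/bin/sh
# Added example: triage one host for ssh-keysign-pwn (CVE-2026-46333) exposure.

# First fixed patch level per stable branch, taken from the article's list.
fixed_patch() {
    case "$1" in
        7.0) echo 8 ;;    6.18) echo 31 ;;  6.12) echo 89 ;;  6.6) echo 139 ;;
        6.1) echo 173 ;;  5.15) echo 207 ;; 5.10) echo 256 ;;
        *) return 1 ;;
    esac
}

# kernel_status RELEASE -> patched | below-fix | unknown
# Compares upstream numbering only; distro kernels that backport the fix
# keep their own version strings, so confirm those against the vendor advisory.
kernel_status() {
    ver=${1%%[!0-9.]*}                      # strip suffixes such as "-generic"
    branch=$(echo "$ver" | cut -d. -f1,2)
    patch=$(echo "$ver" | cut -d. -f3)
    want=$(fixed_patch "$branch") || { echo unknown; return 0; }
    if [ "${patch:-0}" -ge "$want" ]; then echo patched; else echo below-fix; fi
}

# yama_status [FILE] -> restricted (scope >= 2, the workaround) | open | absent
yama_status() {
    f=${1:-/proc/sys/kernel/yama/ptrace_scope}
    [ -r "$f" ] || { echo absent; return 0; }
    v=$(cat "$f")
    if [ "${v:-0}" -ge 2 ]; then echo restricted; else echo open; fi
}

# keysign_setuid [PATH...] -> prints every candidate that has the setuid bit.
# Default paths are common distro locations (assumed, not from the article).
keysign_setuid() {
    [ $# -gt 0 ] || set -- /usr/lib/openssh/ssh-keysign \
        /usr/libexec/openssh/ssh-keysign /usr/lib/ssh/ssh-keysign
    for p in "$@"; do
        if [ -u "$p" ]; then echo "$p"; fi
    done
}

report() {
    echo "kernel $(uname -r): $(kernel_status "$(uname -r)")"
    echo "yama ptrace_scope: $(yama_status)"
    echo "setuid ssh-keysign: $(keysign_setuid | tr '\n' ' ')"
}
report
```

A `below-fix` or `unknown` kernel result on a distribution kernel means the version string alone cannot settle it; check the distribution's advisory for CVE-2026-46333.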
Me? I'm going to be monitoring my systems and hoping the distros I use every day -- Linux Mint, Ubuntu, AlmaLinux, openSUSE, and Rocky Linux -- get patched by the end of the weekend.