
ZDNET’s key takeaways
- Another day, another Linux bug.
- There’s a patch out now.
- However, it is not yet available in most distros.
Linux’s latest kernel flaw doesn’t have a fancy name; it is simply called “ssh‑keysign‑pwn.” It is the fourth high‑profile local security hole to hit Linux in just a few weeks. This one allows ordinary users to quietly read some of the most sensitive files on a system, including Secure Shell (SSH) host private keys and the shadow password file.
The vulnerability gets its “ssh‑keysign‑pwn” nickname from one of the main exploitation paths: abusing OpenSSH’s ssh-keysign helper binary. ssh-keysign is used for host‑based authentication and typically runs setuid root, opening the system’s SSH host keys before dropping privileges to finish its work.
Just what we needed. Another annoying and potentially dangerous Linux bug.
The flaw explained
Security researchers at Qualys disclosed CVE‑2026‑46333, an information‑disclosure vulnerability in the Linux kernel’s ptrace access check. Qualys claims it has existed in one form or another for about six years.
The flaw sits in the __ptrace_may_access() logic that runs as processes exit. Under certain conditions, the kernel skips the normal “dumpable” checks once a process has dropped its memory mapping. This opens a brief window in which another process can steal its file descriptors.
While ssh‑keysign‑pwn doesn’t hand over a full root shell by itself, the ability to exfiltrate host keys and password hashes is a powerful building block for lateral movement and long‑term persistence. With stolen SSH host keys, attackers can impersonate machines in host‑based trust relationships. With access to the shadow password file, they can attempt offline password cracking and reuse those credentials across systems.
Just what we always needed. A persistent hack that can keep stealing keys and passwords.
In his patch, Linus Torvalds explained that the problem exists because “We have one odd special case: ptrace_may_access() uses ‘dumpable’ to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It’s not what this flag was designed for, but it is what it is.”
What that means for you and me is that by combining this logic error with the pidfd_getfd(2) system call, unprivileged users can reach into privileged processes that are in the middle of shutting down, grab their still‑open file descriptors, and then read from files that would normally be accessible only to root.
That wouldn’t be a big deal except that Qualys has shown via a proof‑of‑concept (PoC) exploit that the bug can be triggered reliably in practice, not just in theory. The good news is that the fix is in. Linux stable maintainer Greg Kroah‑Hartman has already rolled out updates across multiple supported branches, including new releases such as 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, and 5.10.256, all of which carry the ssh‑keysign‑pwn fix.
What you need to do
You’ll want to move to one of these kernels ASAP. This hole affects all Linux kernels released before May 14, 2026. Otherwise, as one tired member of the Manjaro Linux community put it, “Don’t run your PC if you don’t need it. Lock yourself in and look over your shoulder.” Well, that’s certainly one way of dealing with it!
Until patched kernels are widely available, security teams do have some mitigation options, but each comes with trade‑offs.
One quick and dirty workaround is to tighten Linux’s Yama ptrace restrictions by setting them with the command:
sysctl kernel.yama.ptrace_scope=2
This disables ptrace for non‑root users and blocks the exploit, but it also breaks many debugging and monitoring workflows, so it isn’t ideal for developer systems.
You can also reduce exposure by disabling host‑based SSH authentication and the ssh-keysign helper entirely on systems where they aren’t needed. This removes a major avenue for stealing host keys. However, this also stops SSH in its tracks, which for many Linux systems is a non-starter.
Me? I’ll be monitoring my systems and hoping the distros I use every day — Linux Mint, Ubuntu, AlmaLinux, openSUSE, and Rocky Linux — get patched by the end of the weekend.
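As an added example (not code from the ZDNET article, and not Qualys’s PoC), here is a read-only POSIX shell audit that reports where a host stands on the points above: whether the running kernel is at or past the patched stable release the article lists for its branch, whether Yama’s ptrace_scope is at 2 or higher, whether HostbasedAuthentication is switched on in sshd_config, and whether an installed ssh-keysign helper carries the setuid bit. The branch-to-version table is taken from the article’s list of fixed releases, and the ssh-keysign install paths are assumptions based on common distro layouts.

```shell
#!/bin/sh
# Added example, not code from the ZDNET article or from Qualys: a read-only
# audit of the mitigation state the article describes. It assumes the stable
# releases quoted in the article (7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173,
# 5.15.207, 5.10.256) are the first fixed versions of their branches, and the
# ssh-keysign paths in audit_system are assumed, not taken from the article.

# Classify a kernel version string ("6.12.88", "6.12.89-generic") against the
# first patched release of its stable branch. Prints patched, vulnerable or
# unknown (branch not in the article's list, so it cannot be judged here).
kernel_status() {
  v=$1
  maj=${v%%.*}
  rest=${v#*.}
  min=${rest%%.*}
  case $rest in
    *.*) rest=${rest#*.} ;;
    *)   rest=0 ;;              # "6.6" is treated as 6.6.0
  esac
  pat=${rest%%[!0-9]*}          # drop "-generic", ".1" and similar suffixes
  [ -n "$pat" ] || pat=0
  case "$maj.$min" in
    7.0)  need=8 ;;
    6.18) need=31 ;;
    6.12) need=89 ;;
    6.6)  need=139 ;;
    6.1)  need=173 ;;
    5.15) need=207 ;;
    5.10) need=256 ;;
    *)    echo unknown; return 0 ;;
  esac
  if [ "$pat" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# Report the Yama ptrace scope. A path argument lets the check run against a
# saved copy; 2 or 3 closes the ptrace path to non-root users, 0 or 1 leaves it open.
ptrace_scope_status() {
  f=${1:-/proc/sys/kernel/yama/ptrace_scope}
  [ -r "$f" ] || { echo unavailable; return 0; }
  read -r scope < "$f" || scope=""
  case "$scope" in
    2|3) echo restricted ;;
    0|1) echo permissive ;;
    *)   echo unavailable ;;
  esac
}

# Exit 0 when an uncommented "HostbasedAuthentication yes" is present.
# sshd keywords are case-insensitive, so the match is too.
hostbased_auth_enabled() {
  grep -Eiq '^[[:space:]]*HostbasedAuthentication[[:space:]]+yes([[:space:]]|$)' "$1"
}

# Does the ssh-keysign helper at this path carry the setuid bit the article mentions?
keysign_setuid_status() {
  f=$1
  [ -e "$f" ] || { echo absent; return 0; }
  if [ -u "$f" ]; then echo setuid; else echo not-setuid; fi
}

# Live audit of this host. Only runs when the script is invoked with --run,
# so sourcing the file to reuse the functions has no side effects.
audit_system() {
  echo "kernel $(uname -r): $(kernel_status "$(uname -r)")"
  echo "yama ptrace_scope: $(ptrace_scope_status)"
  if hostbased_auth_enabled /etc/ssh/sshd_config 2>/dev/null; then
    echo "HostbasedAuthentication: enabled"
  else
    echo "HostbasedAuthentication: not enabled (or config unreadable)"
  fi
  # Assumed install locations (Debian/Ubuntu, Fedora/RHEL, Arch); adjust for your distro.
  for p in /usr/lib/openssh/ssh-keysign /usr/libexec/openssh/ssh-keysign /usr/lib/ssh/ssh-keysign; do
    [ -e "$p" ] && echo "$p: $(keysign_setuid_status "$p")"
  done
  return 0
}

if [ "${1:-}" = "--run" ]; then audit_system; fi
```

Run it as sh audit.sh --run; each check is also a plain function, so it can be pointed at a saved sysctl value or a copied sshd_config from another host. Two caveats worth keeping in mind when applying the article’s workaround: a sysctl set on the command line lasts only until reboot, so a drop-in file under /etc/sysctl.d is needed to make it stick, and a ptrace_scope of 3 cannot be lowered again without rebooting.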
