
4th Linux Kernel Bug This Month Exposes SSH Host Keys

Summary

– The “ssh-keysign-pwn” vulnerability (CVE-2026-46333) is an information-disclosure flaw in the Linux kernel’s ptrace access check, allowing ordinary users to read sensitive files like SSH host private keys and the shadow password file.
– The flaw exists in the __ptrace_may_access() logic, where the kernel skips normal “dumpable” checks during process exit, creating a window for another process to steal file descriptors.
– By combining this logic error with the pidfd_getfd system call, unprivileged users can grab file descriptors from privileged processes that are shutting down.
– The fix has been released across multiple kernel branches (e.g., 7.0.8, 6.18.31, 6.12.89), but it is not yet available in most Linux distributions.
– Mitigation options include setting sysctl kernel.yama.ptrace_scope=2 to block the exploit, though this breaks debugging workflows, or disabling host-based SSH authentication.

Another day, another Linux kernel vulnerability. This time, the flaw is dubbed “ssh‑keysign‑pwn,” and it marks the fourth high‑profile local security hole to hit Linux in just a few weeks. The bug allows ordinary users to quietly read some of the most sensitive files on a system, including Secure Shell (SSH) host private keys and the shadow password file.

A patch has already been released, but most Linux distributions have not yet incorporated it.

The vulnerability earns its nickname from one of the primary exploitation paths: abusing OpenSSH’s ssh-keysign helper binary. This tool is used for host‑based authentication and typically runs setuid root, meaning it opens the system’s SSH host keys before dropping privileges to complete its work. That makes it a prime target for information theft.

Security researchers at Qualys disclosed CVE‑2026‑46333, an information‑disclosure vulnerability in the Linux kernel’s ptrace access check. According to Qualys, the flaw has existed in some form for approximately six years. The issue resides in the `__ptrace_may_access()` logic that runs as processes exit. Under specific conditions, the kernel skips normal “dumpable” checks once a process has dropped its memory mapping, opening a brief window for another process to steal its file descriptors.

While ssh‑keysign‑pwn does not grant a full root shell on its own, the ability to exfiltrate host keys and password hashes is a powerful tool for lateral movement and long‑term persistence. Attackers can use stolen SSH host keys to impersonate machines in host‑based trust relationships, and with access to the shadow password file, they can attempt offline password cracking and reuse those credentials across systems.

In his patch, Linus Torvalds explained the root cause: “We have one odd special case: `__ptrace_may_access()` uses ‘dumpable’ to check various other things entirely independently of the MM (typically explicitly using flags like `PTRACE_MODE_READ_FSCREDS`). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It’s not what this flag was designed for, but it is what it is.”

In practical terms, this means that by combining this logic error with the pidfd_getfd(2) system call, unprivileged users can reach into privileged processes that are shutting down, grab their still‑open file descriptors, and read files normally accessible only to root. Qualys has demonstrated a proof‑of‑concept exploit that triggers the bug reliably in practice, not just in theory.

The good news is that a fix is already available. Linux stable maintainer Greg Kroah‑Hartman has rolled out updates across multiple supported branches, including 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, and 5.10.256, all of which carry the ssh‑keysign‑pwn fix.

You should move to one of these kernels as soon as possible. The hole affects all Linux kernels released before May 14, 2026. Until patched kernels are widely available, security teams have some mitigation options, though each comes with trade‑offs.

One quick workaround is to tighten Linux’s Yama ptrace restrictions by running `sysctl kernel.yama.ptrace_scope=2`. This disables ptrace for non‑root users and blocks the exploit, but it also breaks many debugging and monitoring workflows, which is not ideal for developers.
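A small check script, added here as an example (it is not from ZDNet, Qualys or the kernel project), that compares the running kernel with the first fixed release of its branch as listed above and reports whether Yama's ptrace_scope is already at the workaround value. The fixed-release table is copied from the article; the procfs path and the "fixed/vulnerable/unknown" labels are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from ZDNet or Qualys): is this kernel at or past the first
# fixed release of its branch, and is Yama's ptrace_scope at the workaround value?
# "branch first_fixed" pairs from the article's list of fixed kernels.
FIXED_RELEASES="7.0 7.0.8
6.18 6.18.31
6.12 6.12.89
6.6 6.6.139
6.1 6.1.173
5.15 5.15.207
5.10 5.10.256"

# Strip a distribution suffix: "6.12.88-1-generic" -> "6.12.88".
numeric_version() { printf '%s\n' "$1" | sed 's/[^0-9.].*$//'; }

# Compare two dotted versions of up to three components; prints -1, 0 or 1.
version_cmp() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$2" | cut -d. -f"$i"); y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# Print "fixed", "vulnerable" or "unknown" (branch not in the article's list).
kernel_status() {
    v=$(numeric_version "$1")
    branch=$(printf '%s' "$v" | cut -d. -f1,2)
    first_fixed=$(printf '%s\n' "$FIXED_RELEASES" | awk -v b="$branch" '$1 == b { print $2 }')
    if [ -z "$first_fixed" ]; then echo unknown
    elif [ "$(version_cmp "$v" "$first_fixed")" -ge 0 ]; then echo fixed
    else echo vulnerable
    fi
}

# Read Yama's ptrace_scope (path overridable for testing); the article's
# workaround sets it to 2. Prints "no-yama" when the sysctl is absent.
ptrace_scope_state() {
    f=${1:-/proc/sys/kernel/yama/ptrace_scope}
    if [ ! -r "$f" ]; then echo no-yama
    elif [ "$(cat "$f")" -ge 2 ]; then echo hardened
    else echo open
    fi
}
printf 'kernel %s: %s\n' "$(uname -r)" "$(kernel_status "$(uname -r)")"
printf 'yama ptrace_scope: %s\n' "$(ptrace_scope_state)"
```

Distribution kernels often carry backported fixes under an older version number, so treat a "vulnerable" or "unknown" result as a prompt to check the vendor's advisory rather than as a verdict.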

Another option is to reduce exposure by disabling host‑based SSH authentication and the ssh-keysign helper entirely on systems where they are not needed. This removes a primary avenue for stealing host keys, but it also stops SSH in its tracks, which is a non-starter for many Linux systems.

As for me, I’ll be monitoring my systems and hoping the distributions I rely on daily (Linux Mint, Ubuntu, AlmaLinux, openSUSE, and Rocky Linux) get patched by the end of the weekend.

(Source: ZDNet)
