
ZDNET's key takeaways
- Another day, another Linux bug.
- There is a patch out now.
- However, it's not available yet in most distros.
Linux's latest kernel flaw doesn't have a fancy name; it's just called "ssh‑keysign‑pwn." It's the fourth high‑profile local security hole to hit Linux in just a few weeks. This one enables normal users to quietly read some of the most sensitive files on a system, including Secure Shell (SSH) host private keys and the shadow password file.
The vulnerability gets its "ssh‑keysign‑pwn" nickname from one of the main exploitation paths: abusing OpenSSH's ssh-keysign helper binary. ssh-keysign is used for host‑based authentication and typically runs setuid root, opening the system's SSH host keys before dropping privileges to complete its work.
Just what we needed. Another annoying and potentially dangerous Linux bug.
The flaw explained
Security researchers at security company Qualys disclosed CVE‑2026‑46333, an information‑disclosure vulnerability in the Linux kernel's ptrace access check. Qualys claims it has existed in one form or another for about six years.
The flaw sits in the __ptrace_may_access() logic that runs as processes exit. Under certain conditions, the kernel skips normal "dumpable" checks when a process has dropped its memory mapping. This opens a brief window for another process to steal its file descriptors.
While ssh‑keysign‑pwn doesn't hand over a full root shell by itself, the ability to exfiltrate host keys and password hashes is a powerful building block for lateral movement and long‑term persistence. In addition, with stolen SSH host keys, attackers can impersonate machines in host‑based trust relationships. With access to the shadow password file, they can attempt offline password cracking and reuse those credentials across systems.
Just what we always needed. A persistent hack that can keep stealing keys and passwords.
In his patch, Linus Torvalds explained the problem exists because "We have one unusual special case: ptrace_may_access() uses 'dumpable' to check various other things wholly independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and possibly never did, like most kernel threads). It's not what this flag was designed for, but it is what it is."
What that means for you and me is that by combining this logic error with the pidfd_getfd(2) system call, unprivileged users can reach into privileged processes that are in the middle of shutting down, grab their still‑open file descriptors, and then read from files that would normally be accessible only to root.
That wouldn't be a big deal except that Qualys has shown via a proof‑of‑concept (PoC) exploit that the bug can be triggered reliably in practice, not just in theory. The good news is the fix is in. Linux stable maintainer Greg Kroah‑Hartman has already rolled out updates across multiple supported branches, including new releases such as 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, and 5.10.256, all of which carry the ssh‑keysign‑pwn fix.
What you need to do
You'll want to move to one of these kernels ASAP. This hole affects all Linux kernels released before May 14, 2026. Otherwise, as one tired member of the Manjaro Linux team put it, "Don't run your PC if you don't need it. Lock yourself in and look over your shoulder." Well, that's certainly one way of dealing with it!
Until patched kernels are widely available, security teams do have some mitigation options, but each comes with trade‑offs.
One quick and dirty workaround is to tighten Linux's Yama ptrace restrictions by setting it with the command:
sysctl kernel.yama.ptrace_scope=2
This disables ptrace for non‑root users and blocks the exploit, but it also breaks many debugging and monitoring workflows. This is not ideal for developer workflows.
You can also reduce exposure by disabling host‑based SSH authentication and the ssh-keysign helper entirely on systems where they are not needed. This removes a primary avenue for stealing host keys. However, this also stops SSH in its tracks, which for many Linux systems is a non-starter.
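The checks below are an added example, not part of the original article or any vendor tooling: a POSIX shell audit that compares the running kernel with the fixed stable releases listed above, reads the Yama ptrace_scope setting, and looks for a setuid ssh-keysign. The helper paths are common distro locations assumed here, and a distro kernel that backports the fix without changing its upstream version number will show as "older" or "unknown", so confirm against the vendor advisory.

```shell
#!/bin/sh
# Added example: exposure audit for ssh-keysign-pwn (CVE-2026-46333).
# Fixed upstream stable releases, as listed in the article.
FIXED="7.0.8 6.18.31 6.12.89 6.6.139 6.1.173 5.15.207 5.10.256"
# Assumption: common distro install paths for the OpenSSH helper.
KEYSIGN_PATHS="/usr/lib/openssh/ssh-keysign /usr/libexec/openssh/ssh-keysign /usr/lib/ssh/ssh-keysign"

# kernel_status RELEASE -> fixed | older | unknown
kernel_status() {
    ver=${1%%[!0-9.]*}                       # 6.12.89-amd64 -> 6.12.89
    series=$(echo "$ver" | cut -d. -f1,2)    # 6.12
    patch=$(echo "$ver" | cut -d. -f3)       # 89
    for f in $FIXED; do
        if [ "${f%.*}" = "$series" ]; then
            if [ "${patch:-0}" -ge "${f##*.}" ]; then echo fixed; else echo older; fi
            return 0
        fi
    done
    echo unknown    # series not in the list: check the vendor advisory
}

# yama_status VALUE -> mitigated | exposed | unknown
yama_status() {
    case "$1" in
        2|3) echo mitigated ;;   # 2 is the article's workaround; 3 is stricter
        0|1) echo exposed ;;
        *)   echo unknown ;;     # Yama not built in, or value unreadable
    esac
}

# keysign_setuid PATH -> exit status 0 if PATH exists with the setuid bit
keysign_setuid() { [ -u "$1" ]; }

report() {
    rel=$(uname -r)
    echo "kernel $rel: $(kernel_status "$rel")"
    scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true)
    echo "yama ptrace_scope=${scope:-absent}: $(yama_status "$scope")"
    for p in $KEYSIGN_PATHS; do
        if keysign_setuid "$p"; then echo "setuid ssh-keysign: $p"; fi
    done
    return 0
}

report
```

The sysctl command above changes the running kernel only; a drop-in file under /etc/sysctl.d/ keeps the setting across reboots.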
Me? I'm going to be monitoring my systems and hoping the distros I use every day -- Linux Mint, Ubuntu, AlmaLinux, openSUSE, and Rocky Linux -- get patched by the end of the weekend.
