Critical Linux Kernel Flaw Exfiltrates SSH Private Keys

Marcus Rodriguez
May 21, 2026

A newly disclosed Linux kernel vulnerability, tracked as CVE-2026-46333, exposes a serious local privilege escalation flaw. The vulnerability remained undetected for nearly nine years.

Security researchers at the Qualys Threat Research Unit (TRU) revealed that the issue allows attackers to exfiltrate sensitive data, including SSH private keys, and execute arbitrary commands as root on affected systems.

The flaw resides in the Linux kernel’s __ptrace_may_access() function, which governs whether one process can inspect or interact with another.

Due to a logic error introduced in Linux kernel version 4.10-rc1 (November 2016), the function incorrectly permits access to privileged processes during a brief window when they are dropping credentials.

By combining this race condition with the pidfd_getfd() system call, attackers can duplicate file descriptors from privileged processes and reuse them under their own unprivileged context.

Linux Kernel Flaw Exposes SSH Keys

This effectively bypasses standard permission checks and allows access to sensitive resources.

Qualys demonstrated reliable exploitation across multiple default Linux distributions, including Debian 13, Ubuntu 24.04 and 26.04, and Fedora 43/44.

Four real-world attack scenarios were validated:

  • ssh-keysign: Allows exfiltration of SSH host private keys stored under /etc/ssh/.
  • chage: Enables disclosure of password hashes from /etc/shadow.
  • pkexec: Facilitates arbitrary command execution as root.
  • accounts-daemon: Allows privilege escalation via D-Bus interactions.

Although classified as a local vulnerability, the impact is severe. Any attacker with a low-privileged shell, such as via SSH access, compromised service accounts, or CI/CD pipelines, can escalate to full root access.

This effectively collapses the boundary between limited access and total system compromise.

The vulnerability stems from improper handling of the “dumpable” state in __ptrace_may_access().

When a target process exits and its memory descriptor (mm) becomes NULL, the kernel skips critical security checks. Access control then falls back to the YAMA Linux Security Module.

Under the default kernel.yama.ptrace_scope = 1, YAMA permits access if the attacker is the parent process, which is often the case during exploitation.

This enables the attack chain. However, setting ptrace_scope = 2 enforces stricter checks requiring CAP_SYS_PTRACE, effectively blocking the exploit path.

Upstream patches were released on May 14, 2026, shortly after responsible disclosure.

Major Linux distributions, including Debian, Fedora, Red Hat, SUSE, AlmaLinux, and CloudLinux, have issued security updates.

Administrators are strongly advised to:

  • Apply the latest kernel updates immediately.
  • Rotate SSH host keys and sensitive credentials on potentially exposed systems.
  • Audit systems for unauthorized privilege escalation activity.

As an interim mitigation, systems can enforce:

  • kernel.yama.ptrace_scope = 2

However, this setting may disrupt debugging tools such as gdb and strace, as well as certain container- or crash-reporting workflows.
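
One way to check that the interim mitigation is both active and persisted across reboots, as an added example that is not from Qualys or the original article. The function names are hypothetical, only a single sysctl drop-in directory is read (a simplification), and treating level 3 as also blocking the path is an assumption, since the article names only 2.

```sh
#!/bin/sh
# Added example: audit the kernel.yama.ptrace_scope interim mitigation.
# Paths are parameters so the functions can be run against constructed files.

# classify_scope VALUE: print a verdict; return 0 only for levels 2 and 3.
classify_scope() {
  case "$1" in
    0) echo "exposed (classic ptrace permissions)"; return 1 ;;
    1) echo "exposed (default: a parent may access its child)"; return 1 ;;
    2) echo "mitigated (CAP_SYS_PTRACE required)"; return 0 ;;
    3) echo "mitigated (ptrace attach disabled)"; return 0 ;;
    *) echo "unknown (Yama unavailable or value unset)"; return 2 ;;
  esac
}

# runtime_scope [FILE]: print the live value, or "absent" if unreadable.
runtime_scope() {
  f="${1:-/proc/sys/kernel/yama/ptrace_scope}"
  if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; echo; else echo absent; fi
}

# persisted_scope [DIR]: print the last value assigned in DIR/*.conf
# (files in glob order, later assignment wins), or "unset".
persisted_scope() {
  dir="${1:-/etc/sysctl.d}"; val=""
  for f in "$dir"/*.conf; do
    [ -r "$f" ] || continue
    v=$(awk -F= '
      /^[ \t]*[#;]/ { next }   # skip comment lines
      { k = $1; gsub(/[ \t]/, "", k); gsub(/\//, ".", k) }
      k == "kernel.yama.ptrace_scope" { last = $2; gsub(/[ \t]/, "", last) }
      END { print last }' "$f")
    if [ -n "$v" ]; then val="$v"; fi
  done
  echo "${val:-unset}"
}

# audit_ptrace_scope [FILE] [DIR]: 0 = mitigated and persisted,
# 1 = not mitigated at runtime, 3 = mitigated now but lost at reboot.
audit_ptrace_scope() {
  run=$(runtime_scope "${1:-}"); per=$(persisted_scope "${2:-}")
  echo "runtime=$run: $(classify_scope "$run")"
  echo "persisted=$per: $(classify_scope "$per")"
  classify_scope "$run" >/dev/null || return 1
  classify_scope "$per" >/dev/null || return 3
}

if [ "${1:-}" = "--run" ]; then audit_ptrace_scope; fi
```

Run with `--run` to audit the live host; exit status 3 means the value was set with `sysctl -w` only and needs a drop-in file to persist.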

With public exploits now circulating and the vulnerability affecting nearly a decade of Linux systems, CVE-2026-46333 poses a critical risk that requires immediate attention across enterprise and cloud environments.
