Critical Linux Kernel Flaw: Read SSH Keys & Passwords

A newly disclosed Linux kernel vulnerability is raising serious concerns across the security community. It enables attackers to access highly sensitive data, including SSH private keys and password hashes, on affected systems.

Tracked as CVE-2026-46333, the flaw has been nicknamed “ssh-keysign-pwn” and impacts a wide range of Linux distributions.

Linux Kernel Vulnerability “ssh-keysign-pwn”

The issue originates in the Linux kernel’s ptrace access control logic, specifically within the __ptrace_may_access() function.

This mechanism is supposed to restrict how processes can inspect or interact with other processes. However, a logic flaw tied to the kernel’s “dumpability” checks creates a dangerous race condition.

In simple terms, when a privileged process (such as ssh-keysign or chage) is shutting down, there is a short window where its memory context is cleared (mm = NULL) but its open file descriptors still exist. During this gap, an unprivileged local attacker can exploit the flaw using pidfd_getfd() to steal those file descriptors.

This effectively bypasses intended permission checks, allowing unauthorized access to sensitive files.

Security researchers, including Qualys, warn that this vulnerability can lead to severe consequences:

• Theft of SSH private keys enables attackers to impersonate systems or users.
• Man-in-the-middle (MitM) attacks until compromised keys are rotated.
• Full read access to /etc/shadow, exposing password hashes for offline cracking.
• Potential lateral movement across infrastructure using stolen credentials.

Because SSH keys are often reused across environments, a single compromised system can cascade into broader network access.

Affected Systems

The vulnerability affects most Linux distributions running kernels before the patch released on May 14, 2026. This includes:

• Ubuntu
• Debian
• Arch Linux
• CentOS
• Raspberry Pi OS

Given that the flaw has reportedly existed for over six years, many long-term deployments may be exposed.

The core issue lies in how the kernel handles processes without a memory context. The “dumpability” flag, originally designed to control core dumps, is reused in ptrace checks, even when it no longer makes logical sense.

When a process exits, its memory is released before its file descriptors are cleaned up. The kernel fails to properly enforce access restrictions during this transitional state, allowing attackers to bypass security boundaries.

According to a recent post from Clandestine, kernel patches address this by tightening the logic and requiring explicit privileges (such as CAP_SYS_PTRACE) when accessing such processes.

Mitigation and Recommendations

Organizations should act immediately to reduce risk:

• Apply the latest kernel patches that fix CVE-2026-46333.
• Rotate all SSH keys, especially on critical systems.
• Audit access to sensitive files, such as /etc/shadow.
• Monitor for suspicious use of ptrace or pidfd-related system calls.
• Restrict local user access where possible, as exploitation requires local presence.

A public proof-of-concept (PoC) exploit has already been released on GitHub, increasing the likelihood of active exploitation in the wild. This significantly raises the urgency for patching.

This vulnerability highlights how subtle kernel logic flaws can have far-reaching security implications. Even without remote access, attackers who gain a foothold on a system can escalate their capabilities and extract critical secrets.

With SSH serving as the backbone of secure access across cloud and enterprise environments, the exposure of private keys poses a high-impact risk that cannot be ignored.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.