The 4th Linux kernel flaw this month can lead to stolen SSH host keys
Linux's latest kernel flaw, ssh-keysign-pwn, enables ordinary users to quietly read sensitive files, including Secure Shell (SSH) host private keys and the shadow password file.

Linux's latest kernel flaw, dubbed ssh-keysign-pwn, is the fourth high-profile local security hole to hit Linux in just a few weeks. This vulnerability enables ordinary users to quietly read some of the most sensitive files on a system, including Secure Shell (SSH) host private keys and the shadow password file. The flaw, tracked as CVE-2026-46333, is an information-disclosure vulnerability in the Linux kernel's ptrace access check, which has existed in one form or another for about six years, according to security researchers at Qualys.

The vulnerability gets its ssh-keysign-pwn nickname from one of the main exploitation paths: abusing OpenSSH's ssh-keysign helper binary. ssh-keysign is used for host-based authentication and typically runs setuid root, opening the system's SSH host keys before dropping privileges to complete its work. While ssh-keysign-pwn doesn't hand over a full root shell by itself, the ability to exfiltrate host keys and password hashes is a powerful building block for lateral movement and long-term persistence.

With stolen SSH host keys, attackers can impersonate machines in host-based trust relationships. With access to the shadow password file, they can attempt offline password cracking and reuse those credentials across systems. Qualys has shown via a proof-of-concept (PoC) exploit that the bug can be triggered reliably in practice, not just in theory.

The good news is the fix is in. Linux stable maintainer Greg Kroah-Hartman has already rolled out updates across multiple supported branches, including the new releases 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, and 5.10.256, all of which carry the ssh-keysign-pwn fix.

Linus Torvalds explained the problem exists because "We have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is." By combining this logic error with the pidfd_getfd(2) system call, unprivileged users can reach into privileged processes that are in the middle of shutting down, grab their still-open file descriptors, and then read from files that would normally be accessible only to root.

Until patched kernels are widely available, security teams do have some mitigation options, but each comes with trade-offs. One quick and dirty workaround is to tighten Linux's Yama ptrace restrictions. This disables ptrace for non-root users and blocks the exploit, but it also breaks many debugging and monitoring workflows. Disabling host-based SSH authentication and the ssh-keysign helper entirely on systems where they are not needed is another option, but this also stops SSH in its tracks, which for many Linux systems is a non-starter.
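As an added triage helper (not code from the article, Qualys, or the kernel project), the script below compares a running kernel's version string against the fixed stable releases listed above and reports the current Yama ptrace_scope value. It assumes an upstream stable version string; distribution kernels usually backport fixes without bumping the version, so for those the result is only an "unknown-branch" hint, not a verdict.

```python
import re

# Fixed stable releases named in the article for ssh-keysign-pwn (CVE-2026-46333).
FIXED_RELEASES = ["7.0.8", "6.18.31", "6.12.89", "6.6.139", "6.1.173",
                  "5.15.207", "5.10.256"]


def parse_version(text):
    """Return (major, minor, patch) from a `uname -r` style string.

    Trailing distro suffixes such as '-1-generic' or '-rc1' are ignored;
    a missing patch level (e.g. '7.0') is treated as 0.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised kernel version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def patched_status(running):
    """Classify an upstream stable kernel against FIXED_RELEASES.

    Returns 'patched', 'vulnerable', or 'unknown-branch' when the major.minor
    series is not in the list (an EOL series, a newer series, or a distro
    kernel whose backported fixes do not change the version string).
    """
    major, minor, patch = parse_version(running)
    for fixed in FIXED_RELEASES:
        f_major, f_minor, f_patch = parse_version(fixed)
        if (f_major, f_minor) == (major, minor):
            return "patched" if patch >= f_patch else "vulnerable"
    return "unknown-branch"


def yama_ptrace_scope(path="/proc/sys/kernel/yama/ptrace_scope"):
    """Read the Yama ptrace_scope sysctl; None if Yama is absent or unreadable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    import platform
    running = platform.release()
    print(f"kernel {running}: {patched_status(running)}")
    print(f"kernel.yama.ptrace_scope = {yama_ptrace_scope()}")
```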
Source: ZDNet