Security Advisory: Linux Kernel Local Privilege Escalation "ssh-keysign-pwn" (CVE-2026-46333)
Description
A vulnerability was found in the Linux kernel that allows an unprivileged local user to read sensitive files normally restricted to the root user. The flaw occurs during process exit, where a brief window allows an attacker to intercept file access from a privileged process before it fully terminates. Successful exploitation may lead to the disclosure of sensitive data such as SSH host private keys or /etc/shadow contents.
This is an Important flaw in the Linux kernel that allows a local unprivileged attacker to read root-owned files. This could lead to unauthorized access to sensitive information on affected Red Hat mainstream Linux systems.
Affected Products
Common Linux distributions, such as Red Hat, Debian, and Ubuntu.
Mitigation
Qualys has confirmed a simple mitigation: tightening Yama’s ptrace_scope. Setting it to 2 (admin-only attach) or 3 (no attach) blocks every public exploit we are aware of:
sudo sysctl -w kernel.yama.ptrace_scope=3
echo 'kernel.yama.ptrace_scope = 3' | sudo tee /etc/sysctl.d/99-ssh-keysign-pwn.conf
ptrace_scope=3 disables ptrace attach entirely, which can break debuggers (gdb attaching to a running process, strace -p, etc.). If you need ptrace for local debugging on the affected box, use 2 instead, which restricts attach to admins. Either value blocks the known PoCs because they rely on pidfd_getfd(2)’s access check, which routes through __ptrace_may_access().
This is a workaround, not a fix. Other paths to the same bug may exist. Install the patched kernel and reboot when you can.
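To confirm the workaround is active now and will survive a reboot, the following added example (not part of the advisory or any vendor tooling) compares the running ptrace_scope with the last value set in a sysctl drop-in directory. The function names, the single-directory scan and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the ptrace_scope workaround. Not from the advisory.

# Verdict for a ptrace_scope value: the advisory says 2 or 3 block known PoCs.
scope_verdict() {
    case "$1" in
        2|3) echo mitigated ;;
        0|1) echo exposed ;;
        *)   echo unknown ;;
    esac
}

# Last kernel.yama.ptrace_scope assignment among DIR/*.conf, read in lexical
# filename order so a later file overrides an earlier one.
# Assumption: one directory only; sysctl loaders also merge other directories.
persisted_scope() (
    export LC_ALL=C   # byte-order glob sorting
    last=""
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*kernel\.yama\.ptrace_scope[[:space:]]*=[[:space:]]*\([0-9]\{1,\}\)[[:space:]]*$/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then last=$v; fi
    done
    echo "$last"
)

# Compare the running value with the value that will apply after reboot.
audit() {
    running=$(cat "${1:-/proc/sys/kernel/yama/ptrace_scope}" 2>/dev/null || true)
    persisted=$(persisted_scope "${2:-/etc/sysctl.d}")
    echo "running=${running:-absent}:$(scope_verdict "$running")" \
         "persisted=${persisted:-unset}:$(scope_verdict "$persisted")"
}

# Constructed sample: a drop-in directory where a later file undoes the fix.
demo() {
    d=$(mktemp -d)
    echo 'kernel.yama.ptrace_scope = 3' > "$d/99-ssh-keysign-pwn.conf"
    echo 'kernel.yama.ptrace_scope = 1' > "$d/99-sysctl.conf"
    echo 3 > "$d/running"
    audit "$d/running" "$d"
    rm -rf "$d"
}

demo
```

Calling audit with no arguments checks the live system; a persisted verdict of "exposed" means a later-sorting file will undo the workaround at the next boot. Yama treats the value 3 as one-way: once set, it cannot be lowered again until the machine reboots.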
References
https://access.redhat.com/security/cve/cve-2026-46333
https://security-tracker.debian.org/tracker/CVE-2026-46333
https://almalinux.org/blog/2026-05-15-ssh-keysign-pwn-cve-2026-46333/