
"Linux's latest kernel flaw doesn't have a fancy name; it's just called "ssh‑keysign‑pwn." It's the fourth high‑profile local security hole to hit Linux in just a few weeks. This one enables ordinary users to quietly read some of the most sensitive files on a system, including Secure Shell (SSH) host private keys and the shadow password file."
"The vulnerability gets its "ssh‑keysign‑pwn" nickname from one of the main exploitation paths: abusing OpenSSH's ssh-keysign helper binary. ssh-keysign is used for host‑based authentication and typically runs setuid root, opening the system's SSH host keys before dropping privileges to complete its work."
"Security researchers at security company Qualys disclosed CVE‑2026‑46333, an information‑disclosure vulnerability in the Linux kernel's ptrace access check. Qualys claims it has existed in one form or another for about six years. The flaw sits in the __ptrace_may_access() logic that runs as processes exit. Under certain conditions, the kernel skips normal "dumpable" checks once a process has dropped its memory mapping. This opens a brief window for another process to steal its file descriptors."
"While ssh‑keysign‑pwn doesn't hand over a full root shell by itself, the ability to exfiltrate host keys and password hashes is a powerful building block for lateral movement and long‑term persistence. In addition, with stolen SSH host keys, attackers can impersonate machines in host‑based trust relationships. With access to the shadow password directory, they can attempt offline password cracking and reuse those credentials across systems."
A Linux kernel vulnerability named ssh-keysign-pwn enables ordinary users to quietly access sensitive system files. The issue is tied to exploitation of OpenSSH’s ssh-keysign helper binary, which is commonly setuid root and opens SSH host keys before dropping privileges. The vulnerability is tracked as CVE-2026-46333 and is an information-disclosure flaw in the Linux kernel’s ptrace access check. It affects the __ptrace_may_access() logic that runs as processes exit. Under certain conditions, the kernel skips normal dumpable checks after a process drops its memory mapping, creating a brief window to steal file descriptors. Stolen host keys can support impersonation in host-based trust relationships, and access to shadow password data enables offline password cracking and credential reuse.
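The two artefacts named above, the setuid ssh-keysign helper and the SSH host private keys, are what a file-descriptor theft on an unpatched host would reach. The following read-only audit script is an added example, not code from the ZDNET article, Qualys, or the OpenSSH project: it reports whether the helper is setuid and whether any host private key is readable by group or others. The default paths (`/usr/lib/openssh/ssh-keysign`, `/etc/ssh`) are assumptions and vary by distribution; it relies on GNU or busybox `stat -c '%A'`.

```shell
#!/bin/sh
# Added example (not from the ZDNET article, Qualys, or OpenSSH): read-only audit of the
# setuid ssh-keysign helper and the SSH host private keys. Default paths are assumptions.

# Exit 0 if FILE exists and has the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Exit 0 if FILE's mode grants no read access to group or others (e.g. -rw-------).
# Uses the symbolic mode string from stat; character 5 is group read, character 8 is
# other read, so a pattern match avoids any arithmetic on octal strings.
key_mode_ok() {
    perm=$(stat -c '%A' "$1" 2>/dev/null) || return 1
    case "$perm" in
        ????r*|???????r*) return 1 ;;
    esac
    return 0
}

# Report on KEYSIGN (the helper) and every ssh_host_*_key under HOSTKEY_DIR.
# Prints one line per item prefixed OK:, NOTE: or FINDING:, and always exits 0 so the
# output can be piped into grep -c.
audit_host() {
    keysign="$1"
    dir="$2"
    if is_setuid "$keysign"; then
        # Setuid is the intended configuration when host-based authentication is in use
        # (see ssh-keysign(8)); it is reported as a note, not a finding, because it is
        # exactly the helper the article names as the exploitation path.
        echo "NOTE: $keysign is setuid; it opens host keys as root before dropping privileges"
    elif [ -f "$keysign" ]; then
        echo "OK: $keysign present but not setuid"
    else
        echo "OK: no ssh-keysign helper at $keysign"
    fi
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue    # glob matched nothing
        if key_mode_ok "$key"; then
            echo "OK: $key is readable only by its owner"
        else
            echo "FINDING: $key is readable by group or others ($(stat -c '%A' "$key"))"
        fi
    done
    return 0
}

# Usage: sh audit.sh [KEYSIGN_PATH] [HOSTKEY_DIR]
if [ "$#" -gt 0 ]; then
    audit_host "${1:-/usr/lib/openssh/ssh-keysign}" "${2:-/etc/ssh}"
fi
```

A NOTE line for the helper is expected on hosts that use host-based authentication; on hosts that do not, the setuid bit is not needed. Any FINDING line for a host key means the key is exposed regardless of the kernel flaw and should be fixed first.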
Read at ZDNET