The 4th Linux kernel flaw this month can lead to stolen SSH host keys
The 4th Linux kernel flaw this month can lead to stolen SSH host keys
Publish Date: 2026-05-15 16:41:00
Source Domain: www.zdnet.com
ismagilov/iStock/Getty Images Plus
Follow ZDNET: Add us as a preferred source on Google.
ZDNET’s key takeaways
- Another day, another Linux bug.
- There is a patch out now.
- However, it’s not available yet in most distros.
Linux’s latest kernel flaw doesn’t have a fancy name; it’s just called “ssh‑keysign‑pwn.” It’s the fourth high‑profile local security hole to hit Linux in just a few weeks. This one enables ordinary users to quietly read some of the most sensitive files on a system, including Secure Shell (SSH) host private keys and the shadow password file.
The vulnerability gets its “ssh‑keysign‑pwn” nickname from one of the main exploitation paths: abusing OpenSSH’s ssh-keysign helper binary. Keysign -keysign is used for host‑based authentication and typically runs setuid root, opening the system’s SSH host keys before dropping privileges to complete its work.
Also: The third major Linux kernel flaw in two weeks has been found – thanks to AI
Just what we needed. Another annoying and potentially dangerous Linux bug.
The flaw explained
Security researchers at security company Qualys disclosed CVE‑2026‑46333, an information‑disclosure vulnerability in the Linux kernel’s ptrace access check. Qualys claims it has existed in one form or another for about six years.
The flaw sits in the __ptrace_may_access() logic that runs as processes exit. Under certain conditions, the kernel skips normal “dumpable” checks once a process has dropped its memory mapping. This opens a brief window for another process to steal its file descriptors.
While ssh‑keysign‑pwn doesn’t hand over a full root shell by itself, the ability to exfiltrate host keys and password hashes is a powerful building block for lateral movement and long‑term persistence. In addition, with stolen SSH host keys, attackers can impersonate machines in host‑based trust relationships. With access to the shadow password directory, they can attempt offline password cracking and reuse those…
