Nine-Year-Old Linux Kernel Flaw Allows Attackers to Exfiltrate SSH Private Keys
https://cyberpress.org/nine-year-old-linux-kernel-flaw/
Publish Date: 2026-05-21 04:02:00
Source Domain: cyberpress.org
A critical logic flaw present in the Linux kernel since November 2016 has been publicly disclosed by the Qualys Threat Research Unit (TRU). It enables unprivileged local attackers to steal SSH host private keys, read password hashes from /etc/shadow, and execute arbitrary commands as root on default installations of major Linux distributions.
Tracked as CVE-2026-46333 and assigned a high severity rating, the vulnerability affects all mainline Linux kernels from v4.10-rc1 (November 2016) through the present, representing nine years of exposure across enterprise fleets, cloud images, and container hosts.
The flaw resides in the __ptrace_may_access() function within the Linux kernel’s process tracing subsystem.
During the brief window in which a privileged process drops its credentials before fully exiting, its dumpable flag, which should block external access, is bypassed, Qualys said.
An attacker can exploit this race condition by pairing it with the pidfd_getfd() syscall (introduced in v5.6-rc1, January 2020) to capture open file descriptors and authenticated inter-process channels from the dying privileged process and reuse them under their own UID.
The root cause is precise: pidfd_getfd enforces access via __ptrace_may_access(target, PTRACE_MODE_ATTACH_REALCREDS), but the dumpable check is skipped when the target’s memory map (mm) is NULL.
At the default ptrace_scope=1, the YAMA LSM permits access because the attacker is the parent of the SUID child it spawned, making the exploit reliable and repeatable.
Qualys developed and validated working exploits targeting widely deployed set-uid binaries and root daemons:
- chage (set-uid-root / set-gid-shadow): Discloses /etc/shadow on Debian 13, Ubuntu 24.04, Ubuntu 26.04, Fedora 43, and Fedora 44
- ssh-keysign (set-uid-root): Exfiltrates SSH host private keys under /etc/ssh/*_key on Debian 13, Ubuntu 24.04, and Ubuntu…
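An added triage script, not from the article or from Qualys, that classifies a kernel version string against the two ranges the article gives (affected from v4.10, pidfd_getfd available from v5.6), reports the YAMA ptrace_scope value, and checks for the set-uid binaries listed above; the ssh-keysign paths are assumed distribution defaults, and a version number alone cannot show whether a distribution kernel has backported the fix.

```shell
#!/bin/sh
# Added triage helper for CVE-2026-46333 (not the article's or Qualys' code).
# Kernel version ranges come from the article; a distro kernel may carry a
# backported fix, so treat the classification as a prompt to check advisories.

# version_ge A B: succeed if dotted version A >= B (first three components).
# Trailing suffixes such as "-rc1" or "-41-generic" are ignored.
version_ge() {
    v1=${1%%[!0-9.]*}; v2=${2%%[!0-9.]*}
    i=1
    while [ "$i" -le 3 ]; do
        # Append "." so cut always sees a delimiter; missing fields become 0.
        x=$(printf '%s.' "$v1" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s.' "$v2" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# classify_kernel VERSION: prints one of three labels.
classify_kernel() {
    if ! version_ge "$1" 4.10; then echo "not-affected"; return 0; fi
    if ! version_ge "$1" 5.6; then echo "affected-no-pidfd_getfd"; return 0; fi
    echo "affected-pidfd_getfd-available"
}

# report_host: classify the running kernel, show ptrace_scope, and list which
# of the set-uid binaries named in the article are present with the set-uid bit.
report_host() {
    k=$(uname -r)
    scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo "n/a")
    echo "kernel=$k class=$(classify_kernel "$k") yama.ptrace_scope=$scope"
    # Assumed default paths: Debian/Ubuntu and Fedora layouts for ssh-keysign.
    for f in /usr/bin/chage /usr/lib/openssh/ssh-keysign \
             /usr/libexec/openssh/ssh-keysign; do
        [ -u "$f" ] && echo "setuid-present: $f"
    done
    return 0
}

report_host
```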