{"id":251085,"date":"2026-05-21T04:02:00","date_gmt":"2026-05-21T08:02:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/21\/nine-year-old-linux-kernel-flaw-allow-attackers-to-exfiltrate-ssh-private-keys\/"},"modified":"2026-05-21T04:35:10","modified_gmt":"2026-05-21T08:35:10","slug":"nine-year-old-linux-kernel-flaw-allow-attackers-to-exfiltrate-ssh-private-keys","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/21\/nine-year-old-linux-kernel-flaw-allow-attackers-to-exfiltrate-ssh-private-keys\/","title":{"rendered":"Nine-Year-Old Linux Kernel Flaw Allow Attackers to Exfiltrate SSH Private Keys"},"content":{"rendered":"<p><a href=\"https:\/\/cyberpress.org\/nine-year-old-linux-kernel-flaw\/\">Nine-Year-Old Linux Kernel Flaw Allow Attackers to Exfiltrate SSH Private Keys<\/a><\/p>\n<p><a href=\"https:\/\/cyberpress.org\/nine-year-old-linux-kernel-flaw\/\">https:\/\/cyberpress.org\/nine-year-old-linux-kernel-flaw\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-21 04:02:00<\/a><\/p>\n<p>Source Domain: <a href=\"cyberpress.org\">cyberpress.org<\/a><\/p>\n<p>A critical logic flaw\u00a0disclosed\u00a0in the Linux kernel since November 2016 has been publicly disclosed by the\u00a0Qualys Threat Research Unit (TRU), enabling unprivileged local attackers to steal SSH host private keys, read password hashes from\u00a0\/etc\/shadow<\/p>\n<p>The <span style=\"margin: 0px;padding: 0px\">vulnera<\/span>bility\u00a0executes arbitrary commands as root on default installations of major Linux distributions.<\/p>\n<p>Tracked as\u00a0CVE-2026-46333\u00a0and assigned a high severity rating, the vulnerability affects all mainline Linux kernels from\u00a0v4.10-rc1 (November 2016)\u00a0through the present, representing nine years of exposure across enterprise fleets, cloud images, and container hosts. <\/p>\n<p>The flaw resides in the\u00a0__ptrace_may_access()\u00a0function within the Linux kernel\u2019s process tracing subsystem. <\/p>\n<h2 class=\"wp-block-heading\" id=\"h-nine-year-old-linux-kernel-flaw\"><strong>Nine-Year-Old Linux Kernel Flaw<\/strong><\/h2>\n<p>During the brief window when a privileged process drops its credentials before fully exiting, its\u00a0dumpable\u00a0flag which should block external access is bypassed, Qualys said.<\/p>\n<p>An attacker can exploit this race condition by pairing it with the\u00a0pidfd_getfd()\u00a0syscall (introduced in v5.6-rc1, January 2020) to capture open file descriptors and authenticated inter-process channels from the dying privileged process and reuse them under their own UID.<\/p>\n<p>The root cause is precise:\u00a0pidfd_getfd\u00a0enforces access via\u00a0__ptrace_may_access(target, PTRACE_MODE_ATTACH_REALCREDS), but the dumpable check is skipped when the target\u2019s memory map (mm) is NULL. <\/p>\n<p>At the default\u00a0ptrace_scope=1, YAMA LSM permits access because the attacker is the parent of the SUID child it spawned making the exploit reliable and repeatable.<\/p>\n<p>Qualys developed and validated working exploits targeting widely deployed set-uid binaries and root daemons:<\/p>\n<ul class=\"wp-block-list\">\n<li>chage\u00a0(set-uid-root \/ set-gid-shadow):\u00a0Discloses\u00a0\/etc\/shadow\u00a0on Debian 13, Ubuntu 24.04, Ubuntu 26.04, Fedora 43, and Fedora 44<\/li>\n<li>ssh-keysign\u00a0(set-uid-root):\u00a0Exfiltrates SSH host private keys under\u00a0\/etc\/ssh\/*_key\u00a0on Debian 13, Ubuntu 24.04, and Ubuntu&#8230;<\/li>\n<\/ul>\n<p><a href=\"https:\/\/cyberpress.org\/nine-year-old-linux-kernel-flaw\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Nine-Year-Old Linux Kernel Flaw Allow Attackers to Exfiltrate SSH Private Keys https:\/\/cyberpress.org\/nine-year-old-linux-kernel-flaw\/ Publish Date: 2026-05-21&#8230;<\/p>\n","protected":false},"author":1,"featured_media":251088,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/cyberpress.org\/wp-content\/uploads\/2026\/05\/Nine-Year-Old-Linux-Kernel-Flaw-Allow-Attackers-to-Exfiltrate-SSH-Private-Keys.png","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[90,91,31,97,89,71,79,27],"class_list":["post-251085","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-cve","tag-debian","tag-exploit","tag-fedora","tag-flaw","tag-linux","tag-ubuntu","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/251085"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=251085"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/251085\/revisions"}],"predecessor-version":[{"id":251089,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/251085\/revisions\/251089"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/251088"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=251085"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=251085"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=251085"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}