{"id":251285,"date":"2026-05-21T08:00:00","date_gmt":"2026-05-21T12:00:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/21\/nine-year-old-linux-kernel-flaw-leaks-ssh-keys-and-password-hashes\/"},"modified":"2026-05-21T08:15:16","modified_gmt":"2026-05-21T12:15:16","slug":"nine-year-old-linux-kernel-flaw-leaks-ssh-keys-and-password-hashes","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/21\/nine-year-old-linux-kernel-flaw-leaks-ssh-keys-and-password-hashes\/","title":{"rendered":"Nine-Year-Old Linux Kernel Flaw Leaks SSH Keys and Password Hashes"},"content":{"rendered":"<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/linux-kernel-ptrace-flaw-ssh-keys\/\">Nine-Year-Old Linux Kernel Flaw Leaks SSH Keys and Password Hashes<\/a><\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/linux-kernel-ptrace-flaw-ssh-keys\/\">https:\/\/www.infosecurity-magazine.com\/news\/linux-kernel-ptrace-flaw-ssh-keys\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-21 08:00:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.infosecurity-magazine.com\">www.infosecurity-magazine.com<\/a><\/p>\n<p>A nine-year-old logic flaw in the Linux kernel&#8217;s process trace (ptrace) path has been discovered that could let unprivileged local users read sensitive files, including secure shell host (SSH) private keys and the system password hash, on default installations of Debian, Fedora and Ubuntu.<\/p>\n<p>According to new analysis from the Qualys Threat Research Unit (TRU), the vulnerability, tracked as CVE-2026-46333, has been present in mainline Linux since November 2016. Upstream patches and distribution updates are available, and working exploits are circulating publicly.<\/p>\n<p>The flaw is the fourth Linux kernel local security issue disclosed in three weeks, following Copy Fail, Dirty Frag and Fragnesia.<\/p>\n<h2>A Race in the Credential Drop<\/h2>\n<p>The bug sits in the kernel&#8217;s __ptrace_may_access() function. Qualys identified a narrow window in which a privileged process that is dropping its credentials remains reachable through ptrace operations, even though its dumpable flag should have closed that path.<\/p>\n<p>By pairing this window with the pidfd_getfd() syscall, an attacker can capture file descriptors from a setuid binary mid-exit and inherit its access to the underlying files. pidfd_getfd() was added to the kernel in January 2020, which broadened the practical reach of the older flaw.<\/p>\n<p>The proof-of-concept (PoC) developed by Qualys targets ssh-keysign, a setuid binary that briefly holds SSH host private keys open during authentication signing. A second variant targets chage, stealing the open handle to \/etc\/shadow and exposing every user&#8217;s password hash on the host.<\/p>\n<p>Read more on Linux kernel LPE flaws: New Fragnesia Flaw Hands Linux Local Users Root Access<\/p>\n<p>The Qualys\u00a0TRU also developed working exploits against pkexec and accounts-daemon, withholding all four publicly during the coordinated disclosure window.<\/p>\n<p>Saeed Abbasi, senior manager at the Qualys TRU, said the technique &#8220;turns any local shell into a path to root or to sensitive credential material.&#8221;<\/p>\n<h2><strong>Impact, Risk Profile and&#8230;<\/strong><\/h2>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/linux-kernel-ptrace-flaw-ssh-keys\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Nine-Year-Old Linux Kernel Flaw Leaks SSH Keys and Password Hashes https:\/\/www.infosecurity-magazine.com\/news\/linux-kernel-ptrace-flaw-ssh-keys\/ Publish Date: 2026-05-21 08:00:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":251286,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/assets.infosecurity-magazine.com\/webpage\/og\/67ba1127-fba8-4ebd-bb10-5babc2913ff6.jpg","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[90,91,97,89,71,57,79,27],"class_list":["post-251285","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-cve","tag-debian","tag-fedora","tag-flaw","tag-linux","tag-security","tag-ubuntu","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/251285"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=251285"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/251285\/revisions"}],"predecessor-version":[{"id":251287,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/251285\/revisions\/251287"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/251286"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=251285"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=251285"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=251285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}