CVE-2026-46333 — 'ssh-keysign-pwn': SSH key theft and root credentials via ptrace race condition

On 20 May 2026, Qualys disclosed a Linux kernel vulnerability tracked as CVE-2026-46333 and nicknamed “ssh-keysign-pwn”. Present since November 2016, it allows any unprivileged local user to read the host’s SSH private keys and the /etc/shadow password database, and to execute arbitrary commands as root. Public exploits are circulating.

Technical details

The flaw lies in the __ptrace_may_access() function of the Linux kernel. Exploitation relies on a race condition during a process’s exit phase:

When a process terminates, there is a time window between the moment its memory descriptor (mm_struct) is detached and the moment its file descriptor table is closed. During this window, ptrace’s dumpable safeguard is skipped — the memory descriptor is already NULL, disabling the protection.

An unprivileged process can then call pidfd_getfd(2) — an interface introduced in Linux 5.6 — to copy open file descriptors from the exiting process, including those opened by SUID root binaries.

The privileged targets are:

  • ssh-keysign: opens the host’s SSH private keys (/etc/ssh/*_key) during its normal exit path
  • chage: opens the password database (/etc/shadow) during execution

A local attacker can thus read these files in plaintext and, by reinjecting the compromised keys, execute arbitrary commands as root.

  • Type: CWE-362 — race condition / incorrect access logic in ptrace
  • Vector: local, low complexity, no user interaction
  • CVSS v3.1 score: 5.5 (Medium)
  • Full vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • Introduced: November 2016 (v4.10-rc1) — present for 9 years
  • Discoverer: Qualys

Affected systems

All Linux kernels compiled between November 2016 and May 2026 are potentially vulnerable. Patches are available in the following versions:

Linux kernel ≥ 7.0.8
Linux kernel ≥ 6.18.31
Linux kernel ≥ 6.12.89
Linux kernel ≥ 6.6.139
Linux kernel ≥ 6.1.173
Linux kernel ≥ 5.15.207
Linux kernel ≥ 5.10.256

Distribution: affected versions

  • Ubuntu: 20.04, 22.04, 24.04
  • Debian: 11, 12, 13
  • Red Hat / RHEL: 8, 9, 10
  • Rocky Linux / AlmaLinux: 8, 9, 10
  • Oracle Linux: 8, 9
  • Amazon Linux: 2, 2023
  • CloudLinux: Recent versions
  • Fedora, Arch, openSUSE: Recent versions

Remediation steps

1. Update the kernel (priority action)

# Debian / Ubuntu
apt update && apt full-upgrade

# RHEL / Rocky / AlmaLinux / Oracle Linux
dnf clean metadata && dnf upgrade

# Reboot after updating
reboot

2. Temporary mitigation

If the patch cannot be applied immediately, raise the ptrace restriction level:

sysctl -w kernel.yama.ptrace_scope=2

Note: value 2 restricts ptrace to processes holding CAP_SYS_PTRACE. This may affect some debugging tools (gdb, strace). Test in a pre-production environment before deploying to production.

To make the change persistent:

echo "kernel.yama.ptrace_scope = 2" >> /etc/sysctl.d/99-ptrace.conf
sysctl -p /etc/sysctl.d/99-ptrace.conf

3. SSH key rotation

If the patch cannot be applied without delay, consider a preventive rotation of SSH host keys on critical servers exposed to uncontrolled local users.
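
A triage check for the steps above, added here as an example and not taken from Qualys or any vendor: it compares a kernel release string with the fixed upstream versions listed on this page and tests the ptrace_scope mitigation. The function names and status labels are illustrative; the comparison assumes the release string carries the upstream version, which distribution kernels with backported fixes or ABI-style names (Debian's, for example) do not, so confirm those against the vendor advisory.

```shell
#!/bin/sh
# Added example: compare a kernel release string with the fixed versions above.
FIXED="7.0.8 6.18.31 6.12.89 6.6.139 6.1.173 5.15.207 5.10.256"

# kernel_status RELEASE -> patched | below-fix | unlisted | not-affected | unknown
kernel_status() {
    ver=${1%%[-+]*}    # drop any suffix: 6.8.0-91-generic -> 6.8.0
    printf '%s\n' "$ver" | grep -Eq '^[0-9]+\.[0-9]+(\.[0-9]+)?$' ||
        { echo unknown; return 0; }
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0    # "6.6" carries no patch level
    # The advisory dates the flaw to v4.10-rc1; older series predate it.
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 10 ]; }; then
        echo not-affected; return 0
    fi
    for fixed in $FIXED; do
        fmajor=${fixed%%.*}; frest=${fixed#*.}
        fminor=${frest%%.*}; fpatch=${frest#*.}
        if [ "$major" -eq "$fmajor" ] && [ "$minor" -eq "$fminor" ]; then
            if [ "$patch" -ge "$fpatch" ]; then echo patched; else echo below-fix; fi
            return 0
        fi
    done
    # Reading the list literally, anything newer than 7.0.x is ">= 7.0.8".
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -gt 0 ]; }; then
        echo patched; return 0
    fi
    echo unlisted    # series with no fixed release in the list: ask the vendor
}

# ptrace_mitigated VALUE -> exit 0 if kernel.yama.ptrace_scope is 2, or 3
# (assumption: 3, Yama's "no attach" level, is stricter than the advised 2).
ptrace_mitigated() {
    case "$1" in 2|3) return 0 ;; *) return 1 ;; esac
}

report_host() {
    rel=$(uname -r)
    scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo absent)
    if ptrace_mitigated "$scope"; then mit=yes; else mit=no; fi
    echo "kernel $rel: $(kernel_status "$rel"); ptrace_scope=$scope; mitigated=$mit"
}
report_host
```

A result of below-fix or unlisted on a distribution kernel means the version string alone cannot settle it; check the installed package against the distribution's security notice.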

Context: fourth critical vulnerability in three weeks

CVE-2026-46333 is the fourth critical Linux kernel vulnerability disclosed in under a month, following CVE-2026-31431, Dirty Frag and Fragnesia. Unlike the previous three — which exploited page cache write primitives — ssh-keysign-pwn is a race condition in the ptrace subsystem, an entirely different vulnerability class.

Heavy Mind managed IT clients

Servers under a Heavy Mind managed IT contract received immediate attention. Patches have been deployed across all affected environments — no action required on your end.

Not a managed IT client?

Heavy Mind can support you on this vulnerability — and beyond:

  • Linux server audit: inventory of exposed kernels, ptrace configuration review and SUID binary analysis
  • Patch deployment: controlled rollout with regression testing
  • Secret rotation: assistance with SSH key rotation and /etc/shadow integrity verification
  • Monitoring setup: proactive detection of future critical vulnerabilities across your server fleet

Sources: Qualys — CVE-2026-46333 · NVD CVE-2026-46333 · Ubuntu Security · Red Hat Security · AlmaLinux — ssh-keysign-pwn patches · The Hacker News