ssh-keysign-pwn
Race condition in the Linux kernel process exit sequence allows unprivileged users to steal file descriptors from exiting privileged processes, which can be used to read root-owned files.
Details
- Write-up
- https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn
- CVEs
- CVE-2026-46333 CVSS 5.5
- Author
- Qualys
- Introduced
- bfedb589252c
- Patch
- 31e62c2ebbfd
- Releases
- 5.10.256, 5.15.207, 6.1.173, 6.6.139, 6.12.89, 6.18.31, 7.0.8
Timeline
- Jann Horn flags the general FD-theft shape via
pidfd_getfd[2] - Fix committed by Linus Torvalds[1]
- CVE assigned, public disclosure[5]
- Stable backport releases published[3]
- Qualys published a detailed technical writeup covering four working exploit chains[7]
Mitigation
Disable ptrace entirely
This will break debuggers.
sysctl -w kernel.yama.ptrace_scope=3Sources
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=31e62c2ebbfd
- https://lore.kernel.org/all/20201016230915.1972840-1-jannh@google.com/
- https://lwn.net/ml/all/2026051554-CVE-2026-46333-662a%40gregkh/
- https://man.archlinux.org/man/ptrace.2.en#:~:text=With%20respect,LSM
- https://nvd.nist.gov/vuln/detail/CVE-2026-46333
- https://www.openwall.com/lists/oss-security/2026/05/15/5
- https://blog.qualys.com/vulnerabilities-threat-research/2026/05/20/cve-2026-46333-local-root-privilege-escalation-and-credential-disclosure-in-the-linux-kernel-ptrace-path