ssh-keysign-pwn

CVE-2026-46333CVSS 5.5stable

Race condition in the Linux kernel process exit sequence allows unprivileged users to steal file descriptors from exiting privileged processes, which can be used to read root-owned files.

Details

Write-up
https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn
CVEs
CVE-2026-46333 CVSS 5.5
Author
Qualys
Introduced
bfedb589252c
Patch
31e62c2ebbfd
Releases
5.10.256, 5.15.207, 6.1.173, 6.6.139, 6.12.89, 6.18.31, 7.0.8

Timeline

  1. Jann Horn flags the general FD-theft shape via pidfd_getfd[2]
  2. Fix committed by Linus Torvalds[1]
  3. CVE assigned, public disclosure[5]
  4. Stable backport releases published[3]
  5. Qualys published a detailed technical writeup covering four working exploit chains[7]

Mitigation

Disable ptrace entirely

This will break debuggers.

sysctl -w kernel.yama.ptrace_scope=3

Restrict ptrace and disable unprivileged user namespaces

ptrace_scope=2 alone is bypassable by creating a new user namespace, so also disable unprivileged namespace creation.[6][4]

sysctl -w kernel.yama.ptrace_scope=2
sysctl -w user.max_user_namespaces=0

Sources

  1. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=31e62c2ebbfd
  2. https://lore.kernel.org/all/20201016230915.1972840-1-jannh@google.com/
  3. https://lwn.net/ml/all/2026051554-CVE-2026-46333-662a%40gregkh/
  4. https://man.archlinux.org/man/ptrace.2.en#:~:text=With%20respect,LSM
  5. https://nvd.nist.gov/vuln/detail/CVE-2026-46333
  6. https://www.openwall.com/lists/oss-security/2026/05/15/5
  7. https://blog.qualys.com/vulnerabilities-threat-research/2026/05/20/cve-2026-46333-local-root-privilege-escalation-and-credential-disclosure-in-the-linux-kernel-ptrace-path

History