ssh-keysign-pwn

Race condition in the Linux kernel process exit sequence allows unprivileged users to steal file descriptors from exiting privileged processes, enabling theft of SSH host keys and /etc/shadow.

Details

Site

https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn

Discovered by

Qualys Security

Introduced

5.6

Fixed

31e62c2ebbfd

Timeline

1. 2020-10-16 Jann Horn flags the general FD-theft shape via pidfd_getfd^[1]
2. 2026-05-14 Fix committed by Linus Torvalds^[2]
3. 2026-05-14 CVE-2026-46333 assigned, public disclosure^[3]

Mitigation

Sources

1. https://lore.kernel.org/all/20201016230915.1972840-1-jannh@google.com/
2. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=31e62c2ebbfd
3. https://nvd.nist.gov/vuln/detail/CVE-2026-46333

History

• f1nn a May 16, 2026
• f1nn a May 16, 2026
• f1nn a May 16, 2026