
Security firm Qualys has disclosed CVE-2026-46333, nicknamed "ssh-keysign-pwn," a local Linux kernel information-disclosure vulnerability that can allow ordinary users to read highly sensitive files such as SSH host private keys and /etc/shadow. This is the fourth high-profile local Linux security hole disclosed in recent weeks, raising immediate operational concerns for multi-tenant and shared systems.
Qualys traces the bug to the kernel's ptrace access logic: the flaw resides in __ptrace_may_access(), code that runs as processes exit. According to the report, a logic error, present in one form or another for about six years, can cause the kernel to skip normal "dumpable" checks once a process drops its memory mapping. That creates a brief window in which another process can steal still-open file descriptors, and an attacker can combine this with the pidfd_getfd(2) system call to reach descriptors of privileged processes while they are shutting down.
A prominent exploitation path abuses OpenSSH's ssh-keysign helper binary. ssh-keysign runs setuid root to perform host-based authentication and opens system SSH host keys before dropping privileges; an attacker can target those already-open descriptors during the shutdown window. Qualys published a proof-of-concept exploit that reliably triggers the bug in practice. While the vulnerability does not itself yield an immediate root shell, exfiltrating host keys and password hashes enables machine impersonation, offline password cracking, credential reuse, lateral movement and long-term persistence.
Upstream fixes have been merged. Linus Torvalds described the issue as an odd special case of how the "dumpable" flag was being used in ptrace checks, and maintainers implemented corrections. Linux stable maintainer Greg Kroah-Hartman has rolled out updated releases that include the fix across multiple supported branches (examples cited include 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207 and 5.10.256), and the advisory notes the flaw affects kernels released before May 14, 2026.
Distribution packaging and rollout lag behind upstream: the patch exists in upstream kernels but is not yet available in most distributor kernel packages. Until distributions publish updated kernels, affected systems remain exposed; some maintainers and community members advise avoiding nonessential use of unpatched machines and tightening access controls as temporary precautions while vendor packages are prepared and tested.
For builders and operators the immediate task is prioritized deployment: test and roll the fixed upstream kernel releases into staging and production as soon as they are packaged for your distribution. Because Qualys published a working PoC and the vulnerability directly targets SSH host keys and shadow hashes, assume exposed artifacts are high-risk and coordinate kernel upgrades, packaging and post-patch validation across infrastructure to reduce the window for exploitation.
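For post-patch validation, the following added example (not from Qualys or the kernel maintainers) compares a kernel release string against the fixed stable releases cited above. The function name and status words are assumptions of this sketch; it only understands upstream x.y.z numbering, so a distribution kernel that backports the fix under an older version string will report below-fix and needs checking against the vendor advisory instead.

```shell
#!/bin/sh
# Added example: classify a kernel release string against the fixed stable
# releases cited in the article. Prints one of: fixed | below-fix | unknown.

# Fixed release per stable branch, as listed in the article ("branch:patchlevel").
FIXED_RELEASES="7.0:8 6.18:31 6.12:89 6.6:139 6.1:173 5.15:207 5.10:256"

kernel_fix_status() {
    # Keep only the leading x.y or x.y.z; drop suffixes such as "-generic".
    ver=$(printf '%s' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown            # not a recognisable kernel version
        return 0
    fi

    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;         # "6.12" is treated as 6.12.0
    esac

    for entry in $FIXED_RELEASES; do
        if [ "${entry%%:*}" = "$major.$minor" ]; then
            if [ "$patch" -ge "${entry#*:}" ]; then
                echo fixed
            else
                echo below-fix
            fi
            return 0
        fi
    done

    # Branch not among the releases the article cites: no verdict possible.
    echo unknown
}

# Report on the running kernel.
running=$(uname -r)
printf '%s: %s\n' "$running" "$(kernel_fix_status "$running")"
```

A result of unknown means the branch is not among the releases the article lists, not that the kernel is safe.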