CVE-2026-46333: Race Condition Vulnerability in the Linux Kernel – ssh-keysign-pwn

A critical security flaw has been uncovered in the Linux kernel, a vulnerability researchers at Qualys have aptly named “ssh-keysign-pwn.” This flaw creates a dangerous window of opportunity for unprivileged local attackers to hijack sensitive file descriptors, potentially granting them unauthorized access to SSH private keys and the highly sensitive /etc/shadow file.

Formally tracked as CVE-2026-46333 and GHSA-pm8f-4p6p-6×53, this vulnerability has reportedly resided undetected within the kernel’s codebase for approximately six years. The discovery was officially published to the National Vulnerability Database on May 15, 2026.

Technical Analysis: The Logic Gap in __ptrace_may_access()

To understand the severity of this exploit, we have to look at the kernel’s process management logic. The vulnerability centers on a race condition within the __ptrace_may_access() function. This function serves as a gatekeeper, determining whether one process has the permission to inspect or trace another via the ptrace subsystem.

The root cause lies in a nuanced flaw in how the kernel handles “dumpability”—a state that determines if a process is permitted to generate a core dump. The exploit is triggered during the delicate process of a privileged process (such as ssh-keysign or chage) shutting down.

When a process begins its termination sequence via do_exit(), the kernel follows a specific teardown order. It first executes exit_mm(), which sets the process’s memory pointer (mm) to NULL. However, a critical temporal gap exists: while the memory map is gone, the process’s file descriptors (FDs) remain open until exit_files() is eventually invoked.

During this microscopic window of time, an attacker can leverage the pidfd_getfd() system call to “steal” those open file descriptors before the kernel can close them. Because ptrace_may_access() evaluates dumpability status even for threads that no longer possess an active memory map, the kernel fails to enforce the necessary CAP_SYS_PTRACE capability check. This oversight allows a standard, unprivileged user to bypass security boundaries without needing elevated permissions.

Security Implications and Real-World Risk

The implications of this race condition are catastrophic for system integrity. By successfully hijacking file descriptors from a privileged utility like ssh-keysign, an attacker can gain direct read access to the host’s SSH private keys. This capability facilitates sophisticated impersonation attacks and Man-in-the-Middle (MitM) interceptions that can remain undetected until the compromised keys are rotated.

Furthermore, the vulnerability extends to /etc/shadow. By capturing the file descriptor for this file, an attacker can extract hashed user passwords, facilitating high-speed offline brute-force attacks to compromise every user account on the host.

The barrier to entry for this attack has been significantly lowered following the public release of a Proof-of-Concept (PoC) exploit, currently hosted at github.com/0xdeadbeefnetwork/ssh-keysign-pwn.

Affected Distributions and Remediation

The vulnerability affects all Linux kernel versions released prior to commit 31e62c2ebbfd (merged May 14, 2026). This wide-reaching flaw impacts major distributions including Ubuntu, Debian, Arch Linux, CentOS, and Raspberry Pi OS.

Immediate Action Required

System administrators should treat this as a high-priority patching event. The Linux kernel maintainers have deployed fixes across all stable branches. You should apply kernel updates immediately via your distribution’s package manager.

Mitigation Strategies:

  • Patching: Update to the latest kernel version containing the fix.
  • Access Control: Until patches are applied, strictly limit local user access to sensitive production systems.
  • Hardening: Audit and restrict ptrace permissions through security modules like SELinux or AppArmor to reduce the exploitation surface.

The official patch addresses the logic gap by ensuring that threads without an active memory map utilize a cached “last dumpability” value. This change ensures that any attempt to override this behavior explicitly requires the CAP_SYS_PTRACE capability, effectively closing the race window.

Related Articles

Back to top button