Tags: vulnerability, CVE, endpoint-security, open-source-security, credential-theft

ssh-keysign-pwn: Linux Kernel Logic Flaw Enables Local Root Escalation


ssh-keysign-pwn: a 9-year-old Linux kernel logic flaw hands you root

Qualys published CVE-2026-46333 on May 20, and the cleanest read on it is: an unprivileged shell on a vulnerable Linux host is enough to read /etc/shadow, steal SSH host private keys, or execute arbitrary commands as root through a hijacked D-Bus connection to systemd. Pick your favorite ending.

The race window

The flaw lives in the kernel's __ptrace_may_access() function, and the offending logic has been there since v4.10-rc1, November 2016. It surfaces in a narrow window during a privileged process's exit: the task's memory descriptor (mm) has already been set to NULL, but its file descriptor table has not yet been torn down. In that window __ptrace_may_access() skips its dumpable safeguard, because that check is conditional on the task still having an mm. With the safeguard gone, the remaining credential comparison passes whenever the target's real, effective and saved uids and gids all match the caller's, which is, for example, the state of a setuid helper that has finished its privileged work and dropped back to the invoking user while remaining non-dumpable.

The pidfd_getfd(2) syscall, introduced in Linux 5.6 in 2020, lets a process duplicate an open file descriptor out of another process, given a pidfd for it; each call is authorized by the same __ptrace_may_access() check (in PTRACE_MODE_ATTACH_REALCREDS mode) that governs a ptrace attach. An unprivileged process that calls pidfd_getfd(2) inside the exit window can therefore copy descriptors out of the exiting privileged process, including descriptors open on /etc/shadow, /etc/ssh/*_key, or a live D-Bus connection to systemd.

The structural issue is that two trust boundaries were never audited together. __ptrace_may_access() predates pidfd_getfd(2); when pidfd_getfd(2) shipped, it simply reused the existing check, dumpable safeguard included. That safeguard fails during the exit race because it keys on a task structure that has already been partially torn down.

Four chained exploits, four different roots

Qualys built four working exploits, each targeting a different privileged binary:

chage. Linux password expiry tool. Runs as root. Holds a file descriptor pointing at /etc/shadow during execution. Race the descriptor out, you read the shadow file.

ssh-keysign. OpenSSH helper that signs host based authentication challenges. Runs as root. Holds file descriptors pointing at SSH host private keys under /etc/ssh/. Race the descriptor out, you get the host private keys.

pkexec. PolicyKit privilege escalation tool. Runs as root. Holds open file descriptors during privilege transition.

accounts-daemon. The AccountsService daemon (a freedesktop D-Bus system service, not part of systemd despite the name). Runs as root. Holds a D-Bus connection to systemd, authenticated as root. Race that connection's file descriptor out and the bus still treats the connection as root's, so you can issue arbitrary commands to systemd over the hijacked session.

The exploits work on default installations of Debian, Fedora, Ubuntu, Red Hat, SUSE, AlmaLinux, and CloudLinux. The ssh-keysign-pwn codename comes from the SSH key theft chain, but the D-Bus to systemd chain is the most operationally significant because it gives the attacker root command execution without needing to crack any extracted hash.

The mitigation that actually closes it today

While distro patches land, the interim mitigation is a single sysctl:

kernel.yama.ptrace_scope = 2

Set this to 2 (admin-only attach). Yama's hook runs at the very end of __ptrace_may_access(), after the dumpable check that the race skips, and at scope 2 it refuses any PTRACE_MODE_ATTACH request from a caller without CAP_SYS_PTRACE; because pidfd_getfd(2) is authorized through that same check, the unprivileged attacker is refused too. That blocks all four public exploit chains. The default on most distributions is 0 or 1, and 1 is not enough: it still permits attaching to your own descendants, and the setuid helpers in these chains are launched by the attacker's own shell. Raising it to 2 closes the public exploitation path until the kernel patch lands.

Two caveats. Scope 2 also stops unprivileged users from using gdb, strace and any other ptrace-based tool at all, including on processes they start themselves, so expect pushback on developer boxes. And the sysctl only exists if the kernel was built with Yama; if /proc/sys/kernel/yama/ptrace_scope is missing, this mitigation is not available on that host and only the patch helps. Do not reach for 3: it cannot be lowered again without a reboot.

This is a same-day defender play. The sysctl takes effect immediately with sysctl -w kernel.yama.ptrace_scope=2. Persist it across reboots by putting the same line in a file under /etc/sysctl.d/ (for example /etc/sysctl.d/99-yama-ptrace.conf, a name chosen here for illustration) and loading it with sysctl --system.
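The following program is an added example written for this article; it is not Qualys's exploit and not code from the page. It serves both the race-window section above and this mitigation: it exercises the pidfd_getfd(2) primitive the four chains rely on, but against a cooperating child of the same uid (a constructed temp file with a made-up hash stands in for /etc/shadow), so it shows the fd-copying step without the race or a privileged target. It also reads kernel.yama.ptrace_scope to report whether the sysctl above is in place, and encodes Yama's rules for an attach-mode check in yama_allows_attach(); all helper names are chosen here. Expected outcomes: under scope 0 or 1 the copy succeeds (parent to child is a descendant relationship); under scope 2 as an unprivileged user, or under a container seccomp profile that allows pidfd_getfd only with CAP_SYS_PTRACE (Docker's default does this), it fails with EPERM.

```c
/* Added example for this article (not Qualys's exploit, not code from the page):
 * pidfd_getfd(2) against a cooperating same-uid child, plus a ptrace_scope check. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef SYS_pidfd_open
#define SYS_pidfd_open 434   /* same number on every arch, Linux 5.3+ */
#endif
#ifndef SYS_pidfd_getfd
#define SYS_pidfd_getfd 438  /* same number on every arch, Linux 5.6+ */
#endif

enum steal_result { STEAL_OK = 0, STEAL_DENIED, STEAL_UNSUPPORTED, STEAL_ERROR };

/* Yama's verdict on a PTRACE_MODE_ATTACH request (the mode pidfd_getfd is checked with):
 * 0 no extra rule; 1 target must be the caller's descendant (or PR_SET_PTRACER opt-in);
 * 2 caller needs CAP_SYS_PTRACE; 3 nobody. Helper name chosen for this example. */
int yama_allows_attach(int scope, int caller_has_cap_sys_ptrace, int target_is_descendant)
{
    switch (scope) {
    case 0:  return 1;
    case 1:  return caller_has_cap_sys_ptrace || target_is_descendant;
    case 2:  return caller_has_cap_sys_ptrace;
    default: return 0;
    }
}

/* kernel.yama.ptrace_scope, or -1 if the kernel has no Yama (then this mitigation is unavailable). */
int read_ptrace_scope(void)
{
    int scope = -1;
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (f == NULL) return -1;
    if (fscanf(f, "%d", &scope) != 1) scope = -1;
    fclose(f);
    return scope;
}

/* Child opens `path`, sends its fd number over a pipe and waits; parent copies that fd out
 * with pidfd_getfd and checks the copy reads `expect`. Same uid on both sides, so
 * __ptrace_may_access() passes legitimately; the CVE is it passing for a non-dumpable
 * root target whose mm is already NULL. EPERM means the check, Yama or seccomp refused. */
enum steal_result steal_fd_from_child(const char *path, const char *expect)
{
    int ready[2], hold[2], child_fd = -1, pidfd, stolen;
    char buf[256] = {0};
    ssize_t n;
    enum steal_result res = STEAL_ERROR;
    if (pipe(ready) < 0 || pipe(hold) < 0) return STEAL_ERROR;
    pid_t pid = fork();
    if (pid < 0) return STEAL_ERROR;       /* pipes leak on this path; acceptable for a demo */
    if (pid == 0) {
        close(ready[0]); close(hold[1]);
        int fd = open(path, O_RDONLY);
        if (write(ready[1], &fd, sizeof fd) != sizeof fd) _exit(1);
        n = read(hold[0], buf, 1);         /* returns 0 once the parent closes hold[1] */
        _exit(n == 0 ? 0 : 1);
    }
    close(ready[1]); close(hold[0]);
    if (read(ready[0], &child_fd, sizeof child_fd) != sizeof child_fd || child_fd < 0)
        goto out;
    pidfd = (int)syscall(SYS_pidfd_open, pid, 0);
    if (pidfd < 0) { res = errno == ENOSYS ? STEAL_UNSUPPORTED : STEAL_ERROR; goto out; }
    stolen = (int)syscall(SYS_pidfd_getfd, pidfd, child_fd, 0);
    close(pidfd);
    if (stolen < 0) {
        res = (errno == EPERM || errno == EACCES) ? STEAL_DENIED
            : errno == ENOSYS ? STEAL_UNSUPPORTED : STEAL_ERROR;
        goto out;
    }
    n = read(stolen, buf, sizeof buf - 1); /* the copy shares the child's open file description */
    close(stolen);
    res = (n >= 0 && strcmp(buf, expect) == 0) ? STEAL_OK : STEAL_ERROR;
out:
    close(hold[1]); close(ready[0]);       /* closing hold[1] lets the child exit */
    waitpid(pid, NULL, 0);
    return res;
}

/* Constructed input: a temp file with a made-up hash stands in for the root process's open /etc/shadow. */
enum steal_result run_demo(void)
{
    static const char secret[] = "root:$6$constructed.demo.hash:20000:0:99999:7:::\n";
    char path[] = "/tmp/pidfd-demo-XXXXXX";
    int fd = mkstemp(path), scope = read_ptrace_scope();
    if (fd < 0) return STEAL_ERROR;
    ssize_t w = write(fd, secret, sizeof secret - 1);
    close(fd);
    enum steal_result r = w == (ssize_t)(sizeof secret - 1) ? steal_fd_from_child(path, secret) : STEAL_ERROR;
    unlink(path);
    printf("ptrace_scope=%d (%s); pidfd_getfd from same-uid child: %s\n", scope,
           scope < 0 ? "no Yama" : scope >= 2 ? "mitigated" : "open to unprivileged callers",
           r == STEAL_OK ? "copied and read the file" : r == STEAL_DENIED ? "EPERM"
           : r == STEAL_UNSUPPORTED ? "syscall unavailable" : "error");
    return r;
}

int main(void) { return run_demo() == STEAL_ERROR; }
```

Run it as an unprivileged user before and after sysctl -w kernel.yama.ptrace_scope=2: the first run should report the file contents copied out of the child, the second should report EPERM, which is the same refusal the four chains now hit. A "no Yama" line means the sysctl cannot save that host and only the kernel patch will.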

Who needs to act today

Multi tenant Linux hosts. Container hosts running unprivileged user workloads. Shared CI/CD runners. Any system where an attacker might already hold a low privilege shell and only needs an elevation primitive to complete a kill chain.

Cloud instances with developer SSH access are also in scope, particularly when the developer pool extends beyond the system administrator pool. The exploit needs only a local shell; it does not need any remote attack surface beyond the SSH login.

Distro patches are landing now. Red Hat, SUSE, Debian, Fedora, AlmaLinux, and CloudLinux have all shipped or are shipping kernel updates. Verify your update channel is current, apply the patch, then reboot.

The structural read on the bug class

Two kernel hardening lessons sit underneath this CVE.

First, nine years of accumulated logic in the ptrace path was not fully audited against changes to neighboring syscalls. The dumpable safeguard worked correctly in 2016 against the syscalls that existed then. When pidfd_getfd(2) shipped in 2020, the new entry point inherited the old check without anyone re-auditing the trust boundary intersection.

Second, the exit race itself is a familiar class of kernel bug: do_exit() tears a task down in stages, and any check that assumes a task is either fully alive or fully gone is exposed in between. Hardening against that class remains a recurring gap. The Qualys research is unusually thorough about which race windows are exploitable and which are not, which makes the writeup worth reading even if you have already patched.

For Tashkent regulated sector defenders running Linux at scale, this is the cleanest local-to-root primitive of 2026 so far. Treat any multi tenant Linux host as patch priority today, set the sysctl as the interim defense, and audit any host that might have run an unprivileged shell session in the trailing 30 days.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you need a Linux kernel hardening review for a multi tenant deployment.