A critical vulnerability in the Linux kernel is raising urgent alarms across the security community. Tracked as CVE-2026-46333 and nicknamed “ssh-keysign-pwn,” the flaw allows a local unprivileged attacker to steal SSH private keys and read the contents of /etc/shadow — the file storing password hashes — on affected systems. With a public proof-of-concept exploit already available on GitHub, the risk of active exploitation is high.
The Vulnerability: A Race Condition in Kernel Access Control
The flaw originates in the Linux kernel’s ptrace access control logic, specifically inside the __ptrace_may_access() function. This mechanism is designed to restrict how one process can inspect or interact with another. A logic flaw tied to the kernel’s “dumpability” flag, however, creates a dangerous race condition during process shutdown.
When a privileged process — such as ssh-keysign or chage — is terminating, there is a brief window where its memory context has been cleared (the mm pointer becomes NULL) but its open file descriptors still exist. During this transition, an unprivileged attacker on the same system can exploit the vulnerability using the pidfd_getfd() system call to steal those file descriptors before they are closed.
This bypasses the kernel’s intended permission checks, granting unauthorized access to files that the privileged process had open — including root-owned SSH private keys and the shadow password file.
Real-World Consequences
Successful exploitation can lead to severe outcomes:
- SSH key theft: Attackers gain access to SSH host private keys stored at /etc/ssh/ssh_host_ecdsa_key, /etc/ssh/ssh_host_ed25519_key, and /etc/ssh/ssh_host_rsa_key. This enables impersonation of the compromised server and facilitates man-in-the-middle attacks until the keys are rotated.
- Password hash exposure: By targeting the chage utility, attackers can read /etc/shadow, exposing hashed passwords for offline cracking via tools like Hashcat or John the Ripper.
- Lateral movement: Because SSH keys are frequently reused across environments, a single compromised machine can become a stepping stone into broader cloud and enterprise infrastructure.
Affected Systems
The vulnerability affects most mainstream Linux distributions running kernels prior to the patch released on May 14, 2026. Confirmed affected distributions include:
- Ubuntu (all currently supported LTS versions)
- Debian (stable and testing)
- Arch Linux
- CentOS and RHEL derivatives
- Raspberry Pi OS
Security researchers estimate the flaw has been present in the kernel for over six years, meaning many long-standing deployments may be exposed without awareness.
Public PoC and Exploit Reliability
A working proof-of-concept exploit, named ssh-keysign-pwn, has been published on GitHub by researcher 0xdeadbeefnetwork. The PoC demonstrates exploitation on pre-patch kernels by repeatedly spawning attack processes that race against a privileged helper’s exit path, using pidfd_getfd to grab file descriptors to root-owned files before they are closed.
According to public analysis, the exploit typically succeeds within 100 to 2,000 attempts, making it practical on real systems without requiring any special hardware or advanced kernel knowledge. The race window is narrow but reliably triggerable under normal system load conditions.
Two exploitation paths are highlighted in the PoC:
- Targeting ssh-keysign to read SSH host private keys.
- Targeting chage -l <user> to read /etc/shadow via a similar file-descriptor theft technique.
Why This Flaw Persisted So Long
The root cause reflects a subtle design issue in how the kernel reuses the “dumpability” flag. Originally designed to control whether a process generates core dumps, this flag is also consulted in ptrace permission checks — even in scenarios where it no longer applies logically. During process teardown, the kernel releases memory before closing file descriptors, creating an unguarded window where the dumpability-based access checks are effectively bypassed.
Because the race condition requires local access to trigger, it was historically considered lower priority than remote vulnerabilities. The availability of a reliable public PoC has dramatically changed that calculus.
Mitigations and Recommended Actions
Organizations should treat this as a high-priority vulnerability and take immediate action:
- Patch now: Apply the latest kernel update that includes the fix for CVE-2026-46333. The patch was released on May 14, 2026.
- Rotate SSH keys: Any system that was unpatched and accessible to local users should be treated as potentially compromised. Rotate all SSH host keys and any user keys stored on affected servers.
- Audit shadow file access: Review logs for unusual access to /etc/shadow or unexpected use of chage by non-administrative users.
- Monitor ptrace and pidfd usage: Use audit rules or eBPF-based monitoring to flag suspicious use of the ptrace, pidfd_open, and pidfd_getfd system calls.
- Restrict local access: Where feasible, limit the number of local user accounts on sensitive servers and enforce least-privilege principles.
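The following is an added example of what the "audit shadow file access" and "monitor ptrace and pidfd usage" steps can look like in practice; it is not code from the article or from the PoC author. It is a small Python triage script that reads auditd records and reports three patterns: ptrace/pidfd_open/pidfd_getfd calls made by a non-root process, /etc/shadow being opened by a program outside an allowlist, and chage being run by a login UID that is not an administrator. It assumes x86_64 syscall numbers (ptrace=101, pidfd_open=434, pidfd_getfd=438), the audit rule keys pidfd-theft and shadow-read, an allowlist of expected /etc/shadow readers and an administrator auid of 1000; all of these are assumptions to tune per host, and the sample log lines are constructed for illustration.

```python
"""Audit-log triage for the pidfd/ptrace and /etc/shadow monitoring steps.

Added example, not the article's or the PoC author's code. Sample records
below are constructed; syscall numbers, keys and allowlists are assumptions.
"""
import re
from collections import defaultdict

# Assumption: x86_64 syscall numbers. Other architectures use different
# numbers; extend the table or use `ausearch -i`, which prints names.
SYSCALLS_OF_INTEREST = {"101": "ptrace", "434": "pidfd_open", "438": "pidfd_getfd"}

# Assumed allowlist of programs that legitimately open /etc/shadow.
EXPECTED_SHADOW_READERS = {
    "/usr/bin/passwd", "/usr/bin/chage", "/usr/sbin/sshd",
    "/usr/bin/sudo", "/usr/bin/login", "/usr/sbin/unix_chkpwd",
}

# Assumed login UIDs (auid) of administrators who are expected to run chage.
ADMIN_AUIDS = {"1000"}

# Audit rules this script assumes were loaded (assumed, not from the article):
#   -a always,exit -F arch=b64 -S ptrace,pidfd_open,pidfd_getfd -k pidfd-theft
#   -w /etc/shadow -p r -k shadow-read

SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of fields (quotes stripped) plus its serial."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    fields["_serial"] = m.group(1) if m else None
    return fields


def group_events(lines):
    """Group the SYSCALL and PATH records that share one audit serial into one event."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in lines:
        rec = parse_record(line)
        if rec.get("_serial") is None:
            continue
        ev = events[rec["_serial"]]
        if rec.get("type") == "SYSCALL":
            ev["syscall"] = rec
        elif rec.get("type") == "PATH":
            ev["paths"].append(rec.get("name", ""))
    return events


def is_login_user(auid):
    """True for a real login UID (not root, not the 'unset' value daemons carry)."""
    return auid.isdigit() and 1000 <= int(auid) < 4294967295


def triage(lines):
    """Return human-readable findings, one per suspicious event, in serial order."""
    findings = []
    for serial, ev in sorted(group_events(lines).items(), key=lambda kv: int(kv[0])):
        sc = ev["syscall"]
        if sc is None:
            continue
        name = SYSCALLS_OF_INTEREST.get(sc.get("syscall", ""))
        exe = sc.get("exe", "")
        auid = sc.get("auid", "")
        # 1. ptrace/pidfd_* issued by a non-root process: the racer described
        #    in the article runs unprivileged and calls pidfd_getfd.
        if name and sc.get("uid") != "0":
            findings.append(f"{serial}: {name} by uid={sc.get('uid')} comm={sc.get('comm')} exe={exe}")
        # 2. /etc/shadow opened (or attempted) by a program outside the allowlist.
        if "/etc/shadow" in ev["paths"] and exe not in EXPECTED_SHADOW_READERS:
            findings.append(f"{serial}: /etc/shadow access by unexpected exe={exe} auid={auid}")
        # 3. chage executed under a login UID that is not an administrator.
        if exe.endswith("/chage") and is_login_user(auid) and auid not in ADMIN_AUIDS:
            findings.append(f"{serial}: chage executed by non-admin auid={auid} comm={sc.get('comm')}")
    return findings


# Constructed sample records (timestamps and ids are made up for this example).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1778803200.101:3001): arch=c000003e syscall=434 success=yes exit=4 ppid=2100 pid=2101 auid=1001 uid=1001 gid=1001 comm="racer" exe="/tmp/racer" key="pidfd-theft"
type=SYSCALL msg=audit(1778803200.102:3002): arch=c000003e syscall=438 success=yes exit=5 a0=4 a1=3 ppid=2100 pid=2101 auid=1001 uid=1001 gid=1001 comm="racer" exe="/tmp/racer" key="pidfd-theft"
type=SYSCALL msg=audit(1778803200.103:3003): arch=c000003e syscall=257 success=yes exit=3 ppid=2100 pid=2102 auid=1001 uid=0 gid=1001 comm="chage" exe="/usr/bin/chage" key="shadow-read"
type=PATH msg=audit(1778803200.103:3003): item=0 name="/etc/shadow" inode=1234 mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1778803200.200:3004): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 comm="sshd" exe="/usr/sbin/sshd" key="shadow-read"
type=PATH msg=audit(1778803200.200:3004): item=0 name="/etc/shadow" inode=1234 mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1778803200.300:3005): arch=c000003e syscall=257 success=no exit=-13 ppid=2100 pid=2103 auid=1001 uid=1001 gid=1001 comm="cat" exe="/usr/bin/cat" key="shadow-read"
type=PATH msg=audit(1778803200.300:3005): item=0 name="/etc/shadow" inode=1234 mode=0100640 ouid=0 ogid=42
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample input the script reports the two pidfd calls from the unprivileged racer, the chage run under a non-admin login UID, and the denied cat of /etc/shadow, while the sshd read passes silently because sshd is on the allowlist. In production, feed it the output of ausearch for the two keys rather than a raw file, and expect ptrace hits from legitimate debuggers such as strace and gdb; filtering those by exe is the usual first tuning step.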
Given that a reliable public exploit is already circulating, the window for safe remediation is short. Security teams managing Linux infrastructure — particularly cloud servers, CI/CD systems, and network devices running Linux kernels — should treat this as an emergency patch deployment.