ssh-keysign-pwn: A Nine-Year-Old Linux Kernel ptrace Flaw Leaks SSH Keys on Its Way to Root

Qualys disclosed CVE-2026-46333 — 'ssh-keysign-pwn' — a nine-year-old Linux kernel ptrace flaw that gives an unprivileged user root. Its defining feature is credential theft: the exploit captures SSH keys and shadow-file password hashes, so a patched kernel does not end the exposure.


CVE-2026-46333 — 'ssh-keysign-pwn' — is a nine-year-old logic flaw in the Linux kernel's ptrace path that lets an unprivileged local user reach root. Its defining feature is not the root access but the theft: the exploit captures file descriptors leaking SSH keys and shadow-file password hashes, so a patched kernel does not end the exposure — the stolen credentials do the rest.

FOSTER CITY, CALIFORNIA — On May 20, 2026, Qualys disclosed CVE-2026-46333 — nicknamed 'ssh-keysign-pwn' — a nine-year-old logic flaw in the Linux kernel's __ptrace_may_access() function that lets an unprivileged local user disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions. The bug has been present in mainline Linux since November 2016, kernel version 4.10-rc1. It works by exploiting a narrow race-condition window in which a privileged process that is dropping its credentials remains reachable through ptrace-family operations; by pairing that window with the pidfd_getfd() syscall, added in kernel 5.6-rc1 in January 2020, an attacker can capture open file descriptors belonging to the privileged process — leaking SSH keys and shadow-file password hashes, and enabling root command execution. Qualys developed four working exploits, targeting chage, ssh-keysign, pkexec, and accounts-daemon, and notes that working exploits are circulating publicly. The flaw carries a CVSS score of 5.5 — a modest number that understates the real-world impact of full root from an unprivileged local account.

Disclosure Overview
Disclosure: Qualys disclosed CVE-2026-46333 — 'ssh-keysign-pwn' — on May 20, 2026
Severity: CVSS 5.5 — a modest score that understates the impact (full root from an unprivileged account)
Vulnerability: Logic flaw in the Linux kernel's __ptrace_may_access() function
Age: Present in mainline Linux since November 2016 (kernel v4.10-rc1) — a nine-year-old flaw
Mechanism: A race window plus the pidfd_getfd() syscall lets an attacker capture a privileged process's open file descriptors
Impact: Disclosure of SSH keys and shadow-file password hashes; arbitrary command execution as root
Exploits: Qualys built four working exploits (chage, ssh-keysign, pkexec, accounts-daemon); public exploits circulating

What Happened

How ssh-keysign-pwn Works

CVE-2026-46333 is a logic flaw in __ptrace_may_access(), the Linux kernel function that decides whether one process is allowed to use ptrace-family operations against another. The flaw opens a narrow race-condition window: when a privileged process is in the act of dropping its elevated credentials — stepping down from root to a lower-privilege state, a routine and ordinarily safe operation — it briefly remains reachable through ptrace as if it were already the lower-privilege identity, while it is in fact still privileged. An unprivileged local attacker who hits that window can pair it with the pidfd_getfd() syscall, a mechanism added to the kernel in January 2020 that lets one process obtain a copy of another process's open file descriptors. The combination lets the attacker capture the privileged process's open files. The bug has been in mainline Linux since November 2016 and affects default installations of several major distributions.

Why the Credential Theft Is the Real Story

What an attacker captures through this flaw is the point. The open file descriptors of a privileged process can include the most sensitive material on the host: SSH keys and the password hashes from the system's shadow file. That changes the nature of the vulnerability. A conventional local privilege-escalation flaw gives an attacker root on one machine — serious, but bounded by that machine. ssh-keysign-pwn gives root and hands over the credentials that enable movement beyond it. With harvested SSH keys, an attacker can authenticate to other hosts; with shadow-file hashes, they can crack passwords offline at leisure. The exploit is a privilege escalation that doubles as a credential-harvesting operation — and that is what makes it more dangerous than its modest CVSS 5.5 score suggests.

Four Working Exploits, Public, and a Note on Attribution

Qualys did not disclose CVE-2026-46333 as a theoretical weakness. The company built four working exploits, each targeting a different privileged binary or daemon present on default Linux systems: chage, ssh-keysign, pkexec, and accounts-daemon. Qualys also notes that working exploits are circulating publicly — meaning the gap between disclosure and weaponization is already closed. One point of accuracy is worth stating plainly: some secondary reporting has framed CVE-2026-46333 as an 'AI-discovered' flaw. That claim is unverified. Qualys, a human security research team, is the disclosure of record, and its blog is the authoritative account; the AI-discovery framing should not be propagated without confirmation.

CVE-2026-46333 (ssh-keysign-pwn) — Vulnerability Profile
CVE / Nickname: CVE-2026-46333 — 'ssh-keysign-pwn'
Severity: CVSS 5.5
Root Cause: Logic flaw in the kernel's __ptrace_may_access() credential-drop race window
Key Primitive: pidfd_getfd() syscall (added kernel v5.6-rc1, January 2020) captures privileged file descriptors
Introduced: Mainline Linux v4.10-rc1, November 2016
Qualys Exploits: chage, ssh-keysign, pkexec, accounts-daemon — four working exploits
Stolen On Exploitation: SSH keys and shadow-file password hashes, plus root command execution

Scope and Impact

CVE-2026-46333 is the latest in a striking 2026 run of long-dormant Linux kernel privilege-escalation flaws. The CyberSignal has tracked the 'Copy Fail' flaw, CVE-2026-31431, added to the CISA KEV catalog after affecting every Linux kernel since 2017, and Pack2TheRoot, a twelve-year-old cross-distribution LPE in the PackageKit daemon. ssh-keysign-pwn fits the pattern — a flaw that sat in mainline Linux for nine years before anyone surfaced it — but it is the most credential-damaging of the set. Copy Fail and Pack2TheRoot give an attacker root; ssh-keysign-pwn gives root and the keys to leave. The distinction matters for how defenders scope the incident: a patched kernel ends the first two, and it does not end this one.

Several things remain unconfirmed. The complete list of affected distributions and their exact vulnerable kernel ranges should be verified against each vendor's advisory — Ubuntu, Red Hat, Debian, SUSE, and CloudLinux among them. Qualys reported public exploits circulating but no confirmed in-the-wild attacks at disclosure, and whether CISA will add CVE-2026-46333 to its KEV catalog is not yet known. What is clear is the broader trend: long-lived flaws in core operating-system code are surfacing across platforms at a quickening pace. It sits alongside the PhantomRPC Windows RPC privilege-escalation technique and the cycle The CyberSignal documented when Microsoft's MDASH and Palo Alto's frontier-model scans turned up dozens of flaws in code that had shipped for years. Operating-system trust boundaries that held quietly for a decade are being re-examined, and they are not all holding.

Response and Attribution

For Linux system administrators and platform teams, the immediate action is to apply vendor kernel updates without delay — Ubuntu, Red Hat, Debian, SUSE, CloudLinux and others have published or are publishing patched kernels, and public exploits are already circulating. Where immediate kernel patching is not possible, prioritize multi-user systems and any host where untrusted or lower-trust users have local shell access, because that is the exploitation precondition. The step defenders most often skip is the one that matters most here: after patching, rotate credentials. The exploit steals SSH keys and shadow-file password hashes, so any host exploited before the patch has had those secrets compromised. Rotate SSH host and user keys, force password resets on affected hosts, and audit authorized_keys files and SSH access logs for unauthorized additions or logins.
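The authorized_keys audit recommended above can be made mechanical. The following is an added example, not code from the article or from Qualys: it parses a baseline authorized_keys file captured before the exposure window and the current file, computes each key's SHA256 fingerprint the way ssh-keygen -lf prints it, and reports keys that were added, removed, or had their option prefix changed. The key blobs are constructed in the wire format so the parser has something realistic to work on; they are not real keys, and the file contents and comments are invented.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import List


def fake_ed25519_blob(seed: str) -> str:
    """Constructed ssh-ed25519 public-key blob (RFC 4253 wire format).
    The 32 key bytes are derived from the seed; this is not a real key pair."""
    key_bytes = hashlib.sha256(seed.encode()).digest()  # 32 bytes, key-sized
    wire = (len(b"ssh-ed25519").to_bytes(4, "big") + b"ssh-ed25519"
            + len(key_bytes).to_bytes(4, "big") + key_bytes)
    return base64.b64encode(wire).decode()


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Key-type tokens sshd accepts; used to locate the start of the key in a line.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}


@dataclass
class AuthKey:
    options: str   # e.g. 'from="10.0.0.0/8",command="..."' or ''
    keytype: str
    blob: str
    comment: str
    line_no: int

    @property
    def fp(self) -> str:
        return fingerprint(self.blob)


@dataclass
class Finding:
    kind: str      # "added", "removed" or "options-changed"
    fp: str
    comment: str
    line_no: int


def parse_authorized_keys(text: str) -> List[AuthKey]:
    """Parse authorized_keys lines: [options] keytype blob [comment]."""
    keys = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line; sshd would ignore it as well
        keys.append(AuthKey(options=" ".join(tokens[:idx]), keytype=tokens[idx],
                            blob=tokens[idx + 1], comment=" ".join(tokens[idx + 2:]),
                            line_no=n))
    return keys


def audit_authorized_keys(baseline_text: str, current_text: str) -> List[Finding]:
    """Diff current against baseline by fingerprint, not by raw line text."""
    baseline = {k.fp: k for k in parse_authorized_keys(baseline_text)}
    current = {k.fp: k for k in parse_authorized_keys(current_text)}
    findings = []
    for fp, k in current.items():
        if fp not in baseline:
            findings.append(Finding("added", fp, k.comment, k.line_no))
        elif baseline[fp].options != k.options:
            findings.append(Finding("options-changed", fp, k.comment, k.line_no))
    for fp, k in baseline.items():
        if fp not in current:
            findings.append(Finding("removed", fp, k.comment, k.line_no))
    return findings


# Constructed sample files: baseline from before the exposure window, and the
# current file with one key added and one key's options changed.
BASELINE = f"""# constructed baseline
ssh-ed25519 {fake_ed25519_blob('alice-laptop')} alice@laptop
ssh-ed25519 {fake_ed25519_blob('deploy')} deploy@ci
"""
CURRENT = f"""# constructed current file
ssh-ed25519 {fake_ed25519_blob('alice-laptop')} alice@laptop
from="10.0.0.0/8" ssh-ed25519 {fake_ed25519_blob('deploy')} deploy@ci
ssh-ed25519 {fake_ed25519_blob('unknown')} backup
"""

if __name__ == "__main__":
    for f in audit_authorized_keys(BASELINE, CURRENT):
        print(f"{f.kind:15} line {f.line_no}: {f.fp} {f.comment}")
```

Comparing by fingerprint rather than by line text means a key that was merely re-ordered or re-commented is not reported, while a key whose option prefix changed (a new from= restriction, or a command= forced command that was not there before) is. Run it against a baseline taken from configuration management or a pre-incident backup; any "added" finding on a host that was unpatched in the exposure window is a key to revoke before anything else.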

For SOC and threat-hunting teams, the exploit has a detectable signature: ptrace-family system calls from unprivileged processes against the privileged binaries Qualys targeted — chage, ssh-keysign, pkexec, accounts-daemon — and pidfd_getfd() usage in unusual contexts, since legitimate use of that syscall is rare. Any unprivileged-to-root escalation on a multi-user Linux host should be treated as a CVE-2026-46333 hypothesis until ruled out. For incident-response teams, the credential-theft dimension rewrites the scope: if a Linux host is suspected compromised after disclosure, assume the SSH keys and password hashes on it are exfiltrated and size the lateral-movement blast radius accordingly. A patched kernel does not end that incident — credential rotation is mandatory remediation, not optional cleanup. For CISOs, the framing for leadership is precise: this is not just root on a box, it is root plus the keys to move sideways, and multi-tenant Linux infrastructure deserves elevated patch-SLA attention because of it.
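The hunting heuristic described above (ptrace-family calls from unprivileged processes against the named privileged binaries, and pidfd_getfd() from any unprivileged caller) can be run over auditd SYSCALL records. The following is an added example written for this article, not tooling from Qualys or any vendor. It assumes x86_64 syscall numbers (ptrace is 101, pidfd_getfd is 438 in the kernel's x86_64 table), assumes the audit records were produced by an auditctl rule such as -a always,exit -F arch=b64 -S ptrace -S pidfd_getfd -k ptrace-watch, and uses a constructed pid-to-executable snapshot in place of a live /proc lookup. The log lines themselves are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# x86_64 syscall numbers from the kernel's syscall table (assumed architecture).
PTRACE_NR = 101
PIDFD_GETFD_NR = 438
WATCHED = {PTRACE_NR: "ptrace", PIDFD_GETFD_NR: "pidfd_getfd"}

# Privileged binaries and daemons named as Qualys exploit targets.
TARGET_BINARIES = {"chage", "ssh-keysign", "pkexec", "accounts-daemon"}

# Constructed pid -> exe snapshot; in production this comes from /proc/<pid>/exe
# resolved at event time or from the matching EXECVE record for that pid.
PROC_SNAPSHOT: Dict[int, str] = {
    4242: "/usr/bin/chage",
    4300: "/usr/lib/openssh/ssh-keysign",
    777: "/home/dev/build/a.out",
}

# Constructed auditd records. a1 of a ptrace call is the target pid in hex
# (0x1092 = 4242, 0x309 = 777); a0=10 is PTRACE_ATTACH (16).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1716200000.101:5001): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=1092 a2=0 a3=0 pid=3001 uid=1000 auid=1000 exe="/tmp/a.out" key="ptrace-watch"
type=SYSCALL msg=audit(1716200000.102:5002): arch=c000003e syscall=438 success=yes exit=5 a0=4 a1=3 a2=0 a3=0 pid=3001 uid=1000 auid=1000 exe="/tmp/a.out" key="ptrace-watch"
type=PROCTITLE msg=audit(1716200000.102:5002): proctitle="/tmp/a.out"
type=SYSCALL msg=audit(1716200000.200:5003): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=309 a2=0 a3=0 pid=2200 uid=1000 auid=1000 exe="/usr/bin/gdb" key="ptrace-watch"
type=SYSCALL msg=audit(1716200000.300:5004): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=1092 a2=0 a3=0 pid=900 uid=0 auid=0 exe="/usr/bin/strace" key="ptrace-watch"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Alert:
    event_id: str
    severity: str            # "high" or "info"
    syscall: str
    uid: int
    exe: str                 # calling process
    target_exe: Optional[str]
    reason: str


def parse_record(line: str) -> Optional[dict]:
    """Split one auditd line into key=value fields; None for non-SYSCALL types."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("type") != "SYSCALL":
        return None
    m = re.search(r"audit\(([^)]*)\)", line)
    fields["event_id"] = m.group(1) if m else "?"
    return fields


def assess(rec: dict, proc_snapshot: Dict[int, str]) -> Optional[Alert]:
    """Apply the article's hunting heuristic to a single SYSCALL record."""
    nr = int(rec.get("syscall", -1))
    if nr not in WATCHED:
        return None
    uid = int(rec.get("uid", 0))
    if uid == 0:
        return None  # root debuggers and tracers are routine; not this hypothesis
    name, exe = WATCHED[nr], rec.get("exe", "?")
    if nr == PIDFD_GETFD_NR:
        # The record does not name the pidfd's target, but unprivileged use of
        # this syscall is rare enough to be worth an alert on its own.
        return Alert(rec["event_id"], "high", name, uid, exe, None,
                     "pidfd_getfd from unprivileged uid")
    target_pid = int(rec.get("a1", "0"), 16)  # ptrace(request, pid, addr, data)
    target_exe = proc_snapshot.get(target_pid)
    base = target_exe.rsplit("/", 1)[-1] if target_exe else ""
    if base in TARGET_BINARIES:
        return Alert(rec["event_id"], "high", name, uid, exe, target_exe,
                     f"unprivileged ptrace against {base}")
    return Alert(rec["event_id"], "info", name, uid, exe, target_exe,
                 "unprivileged ptrace against a target not on the list")


def scan(log_text: str, proc_snapshot: Dict[int, str]) -> List[Alert]:
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        alert = assess(rec, proc_snapshot)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG, PROC_SNAPSHOT):
        print(f"[{a.severity:4}] {a.event_id} uid={a.uid} {a.syscall} by {a.exe} "
              f"-> {a.target_exe}: {a.reason}")
```

Two design points. First, the pid-to-binary mapping must be captured at event time: by the time an analyst looks, the privileged process that was dropping credentials has long exited, so a post-hoc /proc lookup returns nothing. Second, the "info" tier exists because unprivileged ptrace is normal on developer hosts (gdb, strace on one's own processes); the signal that matters is the target, and on a multi-user server with no developers an unprivileged ptrace of anything is worth a look.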


The CyberSignal Analysis

Signal 01 — A Patched Kernel Does Not End This Incident

Most vulnerability response follows a familiar arc: a flaw is disclosed, a patch ships, the patch is applied, and the exposure closes. ssh-keysign-pwn breaks that arc at the last step. Because the exploit's defining capability is capturing SSH keys and shadow-file password hashes, a host that was exploited before patching has already surrendered the credentials an attacker needs to operate elsewhere — and those credentials remain valid after the kernel is fixed. The patch closes the door the attacker came through; it does nothing about the keys they took on the way out. For any Linux host that was multi-user and unpatched in the exposure window, remediation has two mandatory parts, not one: apply the kernel update, and rotate every credential the exploit could have reached. Treating the patch as the end of the job is exactly the mistake this vulnerability is built to punish.

Signal 02 — Long-Dormant OS Flaws Are Surfacing Faster Than the Decade That Hid Them

ssh-keysign-pwn sat in mainline Linux for nine years. Copy Fail reached back to 2017; Pack2TheRoot was twelve years old. The pattern across the 2026 cycle is consistent enough to be a planning assumption rather than a coincidence: core operating-system code that was trusted precisely because it was old and unremarkable is being re-examined, and the re-examination is finding things. Better tooling, sharper scrutiny, and the sheer accumulated value of OS-level primitives all contribute. The defender takeaway is not alarm but posture: the absence of recent CVEs in a kernel subsystem is not evidence that it is sound, only that no one has looked lately. Multi-tenant Linux infrastructure — where an unprivileged-to-root flaw is most exploitable — should carry a patch SLA that assumes the next long-dormant LPE is already written and waiting for its disclosure date.

Signal 03 — Cite the Research of Record, Not the Framing That Travels Fastest

There is a smaller but real lesson in how CVE-2026-46333 was reported. Some secondary outlets described it as 'AI-discovered.' Qualys — a human research team — is the disclosure of record, and its own blog is the authoritative account; the AI-discovery framing is unverified. The point is not that AI plays no role in modern vulnerability research; The CyberSignal has documented that it increasingly does, in pieces like the MDASH and frontier-model vulnerability-discovery cycle. The point is discipline: when a striking attribution travels faster than the primary source, the primary source still wins. For defenders and analysts, the practical habit is to trace a flaw back to the research team that disclosed it before repeating claims about how it was found — accuracy about provenance is part of accuracy about the vulnerability.


Sources

Primary: Qualys — CVE-2026-46333: Local Root Privilege Escalation and Credential Disclosure in the Linux Kernel ptrace Path
Primary: NVD — CVE-2026-46333 Record
Reporting: The Hacker News — Linux Kernel ptrace Privilege-Escalation Flaw
Reporting: Infosecurity Magazine — Linux Kernel Credential-Disclosure Flaw
Primary: Ubuntu Security — CVE-2026-46333 Advisory
Primary: CloudLinux — ptrace Exit Race CVE-2026-46333: Mitigation and Kernel Update
Related: The CyberSignal — Linux 'Copy Fail' CVE-2026-31431 Added to CISA KEV — Every Kernel Since 2017 Affected
Related: The CyberSignal — Pack2TheRoot (CVE-2026-41651): Cross-Distro Linux LPE in PackageKit