Linux-Kernel-Schwachstelle bei Neunjährigen ermöglicht Angreifern Diebstahl von SSH-Schlüsseln

The flaw resides in the Linux kernel’s __ptrace_may_access( ) function, which governs whether one process can inspect or interact with another.

Due to a logic error introduced Linux kernel version 4.10-rc1 (November 2016), the function incorrectly permits access to privileged processes during a brief window when they are dropping credentials. with the pidfd_getfd() system call, attackers can duplicate file descriptors from privileged processes and reuse them under their own unprivileged context.

Linux Kernel Flaw Exposes SSH Keys This effectively bypasses standard permission checks and allows access to sensitive resources. Qualys demonstrated reliable exploitation across multiple default Linux distributions, including Debian 13, Ubuntu 24.04 and 26.04, and Fedora 43/44.

Sicherheitslage und Risiko

Four real-world attack scenarios were validated: ssh-keysign: Allows exfiltration of SSH host private keys stored under /etc/ssh/. change: Enables disclosure of password hashes from /etc/shadow. pkexec: Facilitates arbitrary command execution as root. accounts-daemon: Allows privilege escalation via D-Bus interactions.

Although classified as a local vulnerability, the impact is severe. Any attacker with a low-privileged shell, such as via SSH access, compromised service accounts, or CI/CD pipelines, can escalate to full root access. This effectively collapses the boundary between limited access and total system compromise.

The vulnerability stems from improper handling of the “dumpable” state in __ptrace_may_access(). When a target process exits, and its memory descriptor (mm) becomes NULL, the kernel skips critical security checks. Access control then falls back to the YAMA Linux Security Module.

Sicherheitslage und Risiko

Under the default kernel. yama.ptrace_scope = 1, YAMA permits access if the attacker is the parent process, which is often the exploitation case. This enables the attack chain. However, setting ptrace_scope = 2 enforces stricter checks requiring CAP_SYS_PTRACE, effectively blocking the exploit path.

Upstream patches were released May 14, 2026, shortly after responsible disclosure. Major Linux distributions, including Debian, Fedora, Red Hat, SUSE, AlmaLinux, and CloudLinux, have issued security updates. Administrators are strongly advised to: Apply the latest kernel updates immediately.

Rotate SSH host keys and sensitive credentials on potentially exposed systems. Audit systems for unauthorized privilege escalation activity. As an interim mitigation, systems can enforce: kernel.yama.ptrace_scope = 2 However, this setting may disrupt debugging tools such as gdb and strace, as well as certain container- or crash-reporting workflows.

With public exploits now circulating and the vulnerability affecting nearly a decade Linux systems, CVE-2026-46333 poses a critical risk that requires immediate attention across enterprise and cloud environments. Abi is Security Editor and fellow reporter with