From Normal User to Root: Inside the ssh-keysign-pwn Linux Kernel LPE (CVE‑2026‑46333)

The article details the ssh-keysign-pwn vulnerability (CVE‑2026‑46333), explaining its exit‑mm/exit‑files race condition, how ordinary users can steal SSH host keys and /etc/shadow via pidfd_getfd, the affected Linux distributions, exploit steps, mitigation measures, and the broader context of May 2026 kernel security disclosures.

Black & White Path

Five‑Minute Overview of ssh-keysign-pwn (Beginner Friendly)

Core Logic (One‑sentence version)

When a Linux process exits, there is a brief window after its memory is cleared but before its file descriptors are closed; a normal‑privilege process sharing the same UID can steal the privileged process’s open file.

Analogy

Imagine a bank vault (privileged process) that has locked its safe (cleared memory) but not yet closed the vault door (file descriptor). An employee on the same floor (same UID) can reach in with a tool (pidfd_getfd) and pull out the open drawer containing the SSH private key.

What can be obtained?

ssh-keysign program → /etc/ssh/ssh_host_*_key (extremely high severity)

chage program → /etc/shadow (extremely high severity)

Compromising the host private key enables undetectable man‑in‑the‑middle attacks; compromising /etc/shadow gives all password hashes for offline cracking.

Who is affected?

All Linux kernel versions released before 14 May 2026, including Ubuntu, Debian, Arch, CentOS, Raspberry Pi OS, and Red Hat Enterprise Linux 8/9/10.

Chapter 1: Detailed Vulnerability Mechanics

Process‑exit sequence

The kernel’s do_exit() first calls exit_mm() to release memory mappings, then exit_files() to close file descriptors. Between these calls there is a microsecond‑scale window where the process’s mm pointer is NULL but its file descriptors remain open.

During this window __ptrace_may_access() skips the dumpable check because mm is NULL, allowing an attacker to bypass the usual ptrace security.

Exploitation flow

Attacker (ordinary user, same UID) watches for a privileged process about to exit.

When the process is between exit_mm() and exit_files(), the attacker calls pidfd_getfd() to duplicate the open file descriptor.

The duplicated descriptor points to a file that normally requires root, now under the attacker’s control.

Why ssh-keysign is vulnerable

ssh-keysign opens the host private key, then calls permanently_set_uid() to drop privileges before exiting. The window between opening the key and dropping privileges is exploitable. The same pattern exists in the chage command, which opens /etc/shadow before dropping privileges.

Why the bug persisted six years

In October 2020 Jann Horn reported the “exit_mm() before exit_files() leads to stealable fds” pattern, but it was treated as a code‑quality issue, not a security bug. In May 2026 Qualys weaponized the pattern, prompting Linus Torvalds to merge a fix that adds a fallback dumpable check even when mm is NULL.

Chapter 2: May’s Four‑CVE Surge

In May 2026 the Linux kernel saw four local‑privilege‑escalation disclosures:

Copy Fail – CVE‑2026‑31431 (Xint Code, 29 Apr)

Dirty Frag – CVE‑2026‑43284 / CVE‑2026‑43500 (Hyunwoo Kim, 7 May)

Fragnesia – CVE‑2026‑46300 (William Bowling, 13 May)

ssh‑keysign‑pwn – CVE‑2026‑46333 (Qualys, 14 May)

The clustering is explained by overlapping patch cycles: fixes for earlier bugs unintentionally reopened edge cases, and multiple research teams were actively probing the kernel at the same time.

Chapter 3: Exploit Demonstration

ssh‑keysign‑pwn – stealing SSH host keys

The exploit monitors for the exiting ssh-keysign process, then invokes pidfd_getfd() in the microsecond window to obtain the descriptor for /etc/ssh/ssh_host_rsa_key. With the key the attacker can impersonate the server and launch transparent man‑in‑the‑middle attacks.

chage_pwn – stealing password hashes

The same technique applied to chage yields a descriptor for /etc/shadow. The attacker can then use tools such as hashcat or John the Ripper to crack the hashes offline and move laterally across the network.

Who is _SiCk?

_SiCk authored both public exploits and provided the proof‑of‑concept code that accelerated the vulnerability’s impact.

Chapter 4: Fixes and Mitigations

Upstream patch

Linus Torvalds merged a commit on 14 May 2026 that strengthens the dumpable check in __ptrace_may_access(), using the cached dumpable flag or requiring CAP_SYS_PTRACE even when mm is NULL.

Kernels carrying the fix include AlmaLinux 8 (kernel‑4.18.0‑553.124.4.el8_10), AlmaLinux 9 (kernel‑5.14.0‑611.54.6.el9_7), AlmaLinux 10 (kernel‑6.12.0‑124.56.5.el10_1), Linux 7.0.x (7.0.8), Linux 6.18.x (6.18.31), and Linux 6.12.x (6.12.89).

Temporary mitigation

On systems that cannot be rebooted, tighten the Yama ptrace_scope setting:

# Disable all ptrace attaches (most strict, may break debuggers)
sudo sysctl -w kernel.yama.ptrace_scope=3

# Or allow only root to ptrace (still permits local debugging)
sudo sysctl -w kernel.yama.ptrace_scope=2

# Persist the setting
echo 'kernel.yama.ptrace_scope = 3' | sudo tee /etc/sysctl.d/99-ssh-keysign-pwn.conf

Note that ptrace_scope=3 can interfere with gdb and similar tools.

Checking for exposure

# Show current kernel version
uname -r

# Show current ptrace_scope value
cat /proc/sys/kernel/yama/ptrace_scope

# Look for running exploit processes
ps aux | grep -E 'sshkeysign|chage_pwn'
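The checks above can be folded into a single exposure verdict. The following script is an added example, not code from the article or from any project it names; it assumes the fixed upstream versions listed in Chapter 4 and treats any other branch as unknown rather than guessing.

```shell
#!/bin/sh
# Added example, not code from the article or from any of the projects it names:
# classify one host's exposure to CVE-2026-46333 from its `uname -r` string and
# its Yama ptrace_scope value. Fixed versions are those the article lists
# (7.0.8, 6.18.31, 6.12.89). Distribution kernels that backport the fix under
# their own numbering (e.g. the el8/el9/el10 builds) come out as unknown-branch;
# check those against the vendor's advisory instead.

# vercmp A B: prints -1, 0 or 1 comparing two dotted numeric versions.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && { printf '%s\n' -1; return; }
        [ "${x:-0}" -gt "${y:-0}" ] && { printf '%s\n' 1; return; }
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# keysign_exposure RELEASE SCOPE: prints fixed, mitigated, vulnerable or unknown-branch.
keysign_exposure() {
    # keep only the leading numeric version: 6.12.88-generic -> 6.12.88
    rel=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')
    scope=${2:-0}
    maj=${rel%%.*}; rest=${rel#*.}; min=${rest%%.*}
    case "$maj.$min" in
        7.0)  fixed=7.0.8 ;;
        6.18) fixed=6.18.31 ;;
        6.12) fixed=6.12.89 ;;
        *)    echo unknown-branch; return ;;
    esac
    if [ "$(vercmp "$rel" "$fixed")" -ge 0 ]; then
        echo fixed        # kernel already carries the strengthened dumpable check
    elif [ "$scope" -ge 2 ]; then
        echo mitigated    # Yama still enforces ptrace_scope on the access check pidfd_getfd() makes
    else
        echo vulnerable   # unpatched kernel with ptrace_scope 0/1: apply the sysctl from Chapter 4
    fi
}

# Run against the live host with: sh exposure.sh --host  (defaults to scope 0 if Yama is absent)
if [ "${1:-}" = "--host" ]; then
    keysign_exposure "$(uname -r)" "$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo 0)"
fi
```

A result of unknown-branch is not a clean bill of health; it only means the script cannot map that branch to one of the listed fixed versions.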

Conclusion

The ssh‑keysign‑pwn chain demonstrates how a six‑year‑old race condition can be weaponized to steal both SSH host keys and password hashes from any Linux server where a normal user can observe a privileged process exiting. It also illustrates the accelerating pace of kernel disclosures in May 2026 and the broad attack surface presented by such bugs.

Written by

Black & White Path