# Linux kernel flaw leaks SSH keys
- Qualys disclosed CVE-2026-46333 on May 21, saying a Linux kernel ptrace flaw present since November 2016 can expose SSH keys and hashes.
- Cisco assigned CVE-2026-20223 a CVSS score of 10.0 after saying crafted API requests can give unauthenticated attackers Site Admin privileges.
- Qualys and Cisco both published advisories this week, with fixed releases and patch guidance in their security bulletins.
Qualys said on May 21 that a flaw in the Linux kernel’s `__ptrace_may_access` path can let an unprivileged local user read sensitive files, including SSH private keys and password hashes, and in some cases execute commands as root. The bug, tracked as CVE-2026-46333, has been present in mainline Linux since November 2016, according to the company’s advisory. Cisco said a day earlier that CVE-2026-20223 in Secure Workload can let an unauthenticated remote attacker access site resources with Site Admin privileges through crafted requests to internal REST API endpoints. Cisco said the issue affects Secure Workload Cluster Software in both SaaS and on-premises deployments and that there are no workarounds. (blog.qualys.com)

Taken together, the disclosures land on two different trust boundaries. One sits on the host itself, where local access can expose secrets. The other sits in the control plane, where a management platform can become an administrative entry point if left unpatched. That framing is an inference from the two advisories and their described attack paths. (sec.cloudapps.cisco.com)

### How does the Linux bug actually expose SSH material?

Qualys said the Linux issue is a logic flaw — an authorization bypass — in the kernel function that decides whether one process may inspect another. In its write-up, the company said the flaw can be abused on default installations of several major distributions to disclose sensitive files and escalate to root. (blog.qualys.com)

Infosecurity Magazine, citing the Qualys research, reported that the exposed material can include SSH private keys and the system password hash. The issue was described as nine years old because the vulnerable logic dates to a November 2016 change in mainline Linux. The practical point for operators is narrow but concrete: if a local attacker reaches a box, secrets stored or reachable on that host may no longer be protected by the boundary administrators assumed was there. (blog.qualys.com)

Qualys’ advisory says the flaw is local, not remote, so exploitation still requires code execution on the affected machine. (infosecurity-magazine.com)

### What exactly is broken in Cisco Secure Workload?

Cisco said the Secure Workload flaw stems from insufficient validation and authentication when internal REST API endpoints are accessed. A successful exploit, the company said, can allow an attacker to read sensitive information and make configuration changes across tenant boundaries with the privileges of a Site Admin user. (blog.qualys.com)

CSO Online reported that Cisco rated the bug at CVSS 10.0, the maximum severity score. SecurityWeek and BleepingComputer separately reported that the flaw allows unauthenticated attackers to gain Site Admin privileges, matching Cisco’s advisory. Cisco also said the issue affects internal APIs rather than the web-based management interface. (sec.cloudapps.cisco.com)

That matters because it narrows where defenders should look during validation and patch planning, even though Cisco said no configuration-based workaround is available. (csoonline.com)

### Why do these two bugs belong in the same conversation?

The shared theme is privileged trust. Qualys described a host-level flaw that can undermine assumptions about process isolation on Linux. Cisco described a management-plane flaw that can hand out administrative authority through API access failures. (sec.cloudapps.cisco.com)

For teams running latency-sensitive or heavily segmented environments, that means the risk is not limited to obvious internet-facing software. The load-bearing components can be the operating system itself and the security tooling wrapped around it. That is an inference based on the products affected and the privileges described in the advisories. (blog.qualys.com)

### What should operators look for first?

Cisco said fixed software is available and that upgrading is the remedy because no workaround addresses CVE-2026-20223. The company’s advisory directs customers to the fixed-release section for vulnerable and remediated versions. Qualys published detection and mitigation guidance for CVE-2026-46333 and said customers can use its tooling to identify affected assets. (blog.qualys.com)

Qualys’ advisory also lays out case studies showing how the kernel bug can be exercised against real-world components. (sec.cloudapps.cisco.com)

The next step is in the vendors’ own bulletins. Cisco’s advisory lists fixed Secure Workload releases, and Qualys’ May 21 advisory links its mitigation and detection guidance for Linux systems. (sec.cloudapps.cisco.com) (blog.qualys.com)