New Linux kernel flaw risks SSH host keys, patches available
- Qualys disclosed CVE-2026-46333 on May 15 after Linux maintainers fixed a kernel ptrace flaw that can expose root-owned files, including SSH host keys. (openwall.com)
- The bug sits in `__ptrace_may_access`, and Red Hat said a low-privileged local user could access SSH host private keys or `/etc/shadow`. (access.redhat.com)
- Debian published DSA-6274-1 on May 15, and kernel.org lists patched stable releases including Linux 7.0.8. (lists.debian.org)

Qualys disclosed a Linux kernel flaw on May 15 that can let an unprivileged local user read root-owned files, including SSH host private keys, after maintainers had already landed an upstream fix. The issue is tracked as CVE-2026-46333 and affects the kernel’s `__ptrace_may_access` logic during process exit, according to Qualys, Red Hat and the National Vulnerability Database. (openwall.com)

Public exploit code was posted the same day, and Linux stable maintainers included the fix in released kernels such as Linux 7.0.8 on May 15. (access.redhat.com)

### How can a local user get at SSH host keys without becoming root?

(lists.debian.org) Red Hat said CVE-2026-46333 allows a low-privileged local user to access sensitive root-owned files, with examples including SSH host private keys and password hashes in `/etc/shadow`. The flaw exists because `__ptrace_may_access` can skip a permission check after a process’s memory is released during shutdown, Red Hat said. CloudLinux said the race appears between the point where a task’s memory descriptor is detached and the point where its file descriptor table is closed. In that window, an unprivileged process can use `pidfd_getfd(2)` to copy open file descriptors from an exiting privileged process, CloudLinux said. (openwall.com)

### Which programs are exposed in the public examples?

CloudLinux said the public proof of concept targets SUID binaries that open root-owned files during normal execution and exit, naming `ssh-keysign` and `chage` as the primary examples. In the examples described by CloudLinux and Red Hat, `ssh-keysign` exposes a path to SSH host private keys and `chage` exposes a path to `/etc/shadow`. (access.redhat.com)

Bugzilla entries linked by Red Hat described the issue as allowing an unprivileged user to read root-owned files on kernels built before commit `31e62c2ebbfd`. The entry said the bug was reported by Qualys and fixed by Linus Torvalds on May 13.
(blog.cloudlinux.com)

### When was the fix published, and where did it land?

Qualys told the oss-security mailing list on May 15 that the vulnerability it had reported to kernel security had already been fixed upstream. The mail linked the upstream fix to commit `31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a`. (blog.cloudlinux.com)

Kernel.org’s changelog for Linux 7.0.8 shows that stable release, dated May 15, includes Linus Torvalds’ patch titled “ptrace: slightly saner ‘get_dumpable’ logic,” marked as upstream commit `31e62c2ebbfd`. Kernel.org lists Linux 7.0.8 as the latest stable release and 6.18.31 as a longterm release published the same day. (bugzilla.redhat.com)

### Are distributions already shipping advisories?

Debian published DSA-6274-1 on May 15 covering CVE-2026-46333 among several Linux kernel vulnerabilities. Debian’s security tracker also lists DSA-6274-1, DSA-6275-1 and ELTS advisories tied to the CVE. (openwall.com)

Red Hat published RHSB-2026-004 and rated the issue “Important,” saying a low-privileged local user could exploit the flaw to access sensitive root-owned files. Ubuntu’s public CVE pages did not surface in search results for CVE-2026-46333 as clearly as Debian and Red Hat, but distro-specific patch status pages are beginning to appear in community channels. (cdn.kernel.org)

### Is there any temporary mitigation if patching has to wait?

Qualys said on May 15 that setting `/proc/sys/kernel/yama/ptrace_scope` to `2` or `3` protected against all exploits it knew about. Qualys added that other exploitation methods might exist in theory, and it presented the setting as a mitigation rather than a substitute for a kernel fix. (lists.debian.org)

CloudLinux said patched kernels and live patches were in build or test as of May 15 across several streams. The company also said systems using live patching would receive the fix automatically once the live patch was published. (access.redhat.com)

### What should administrators do next?
Kernel.org, Debian and Red Hat all point to the same immediate step: move to a fixed kernel build for the distribution in use. Because the disclosed impact includes SSH host private keys, administrators reviewing exposed multi-user systems may also need to rotate affected host keys after patching, based on their own incident-response policies and whether local compromise is suspected. (openwall.com)

That rotation step is an operational inference from the stated exposure, not a vendor mandate in the cited advisories.

Debian’s advisories DSA-6274-1 and DSA-6275-1, Red Hat’s RHSB-2026-004, and kernel.org release (kernel.org) (blog.cloudlinux.com)
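
An added audit sketch for the `ptrace_scope` mitigation Qualys described above (not code from Qualys or any vendor cited here): it reports whether the running value is `2` or `3` and whether a `kernel.yama.ptrace_scope` setting is also persisted in sysctl drop-in directories, so the mitigation survives a reboot. The function names and the simplified "last directory given wins" precedence are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the Yama ptrace_scope mitigation (runtime vs. persisted).
# Paths are parameters so the check can also be run against a test tree.

# classify_scope VALUE -> "mitigated" for 2 or 3 (the values Qualys named),
# "exposed" for 0 or 1, "unknown" for anything else (including empty).
classify_scope() {
    case "$1" in
        2|3) echo mitigated ;;
        0|1) echo exposed ;;
        *)   echo unknown ;;
    esac
}

# persisted_scope DIR... -> last kernel.yama.ptrace_scope value found in *.conf.
# Assumption: later directories override earlier ones; real precedence is
# decided by `sysctl --system` / systemd-sysctl and may differ.
persisted_scope() {
    val=""
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            v=$(sed -n 's/^[[:space:]]*kernel[./]yama[./]ptrace_scope[[:space:]]*=[[:space:]]*\([0-9]\{1,\}\).*/\1/p' "$f" | tail -n 1)
            [ -n "$v" ] && val=$v
        done
    done
    echo "$val"
}

# audit_ptrace_scope RUNTIME_FILE DIR... -> one-line verdict, exit 0 only if
# the mitigation is active now and will be re-applied at boot.
audit_ptrace_scope() {
    runtime_file=$1; shift
    if [ ! -r "$runtime_file" ]; then
        echo "no-yama"          # Yama not available: this mitigation cannot be used
        return 2
    fi
    run=$(tr -d '[:space:]' < "$runtime_file")
    saved=$(persisted_scope "$@")
    r=$(classify_scope "$run"); s=$(classify_scope "$saved")
    if [ "$r" = mitigated ] && [ "$s" = mitigated ]; then
        echo "ok runtime=$run persisted=$saved"; return 0
    elif [ "$r" = mitigated ]; then
        echo "not-persistent runtime=$run persisted=${saved:-unset}"; return 1
    fi
    echo "exposed runtime=$run persisted=${saved:-unset}"; return 1
}

# Live check on this host (directories listed lowest to highest priority).
audit_ptrace_scope /proc/sys/kernel/yama/ptrace_scope /usr/lib/sysctl.d /etc/sysctl.d || true
```

Once `ptrace_scope` is set to `3` it cannot be lowered again until reboot, so check debugger and tracing workflows at `2` first.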