The Vulnerability Mechanism
A serious security flaw in the Linux kernel has been uncovered, allowing local attackers to access sensitive data including SSH private keys and password hashes. The vulnerability, named ssh-keysign-pwn, resides in the kernel’s ptrace access control logic. The bug creates a race condition in how the kernel handles the memory state of privileged processes as they shut down.
When a high privilege process like ssh-keysign terminates, there is a brief window where its memory context is cleared but its file descriptors remain open. An attacker can exploit this gap using the pidfd_getfd() system call to steal those file descriptors, effectively bypassing the security checks meant to prevent unauthorized access. The issue has existed for more than six years before being patched.
Impact and Scope
The consequences of exploitation are severe. Attackers can steal SSH private keys to impersonate users or systems, perform man in the middle attacks until keys are rotated, and gain read access to the /etc/shadow file containing password hashes for offline cracking. Because SSH keys are frequently reused across different systems, a single compromised machine can lead to broader network infiltration.
Most major Linux distributions are affected, including Ubuntu, Debian, Arch Linux, CentOS, and Raspberry Pi OS. Patches were released on May 14, 2026. Given the vulnerability’s long history, many long term deployments remain exposed until updated.
Source: Cyber Security News
