[{"data":1,"prerenderedAt":760},["ShallowReactive",2],{"switcher-blog-pareja":3,"art-cve-2026-46333-ssh-keysign-pwn-linux-kernel-en":6},{"en":4,"es":5},"\u002Fen\u002Fblog\u002Fcve-2026-46333-ssh-keysign-pwn-linux-kernel\u002F","\u002Fes\u002Fblog\u002Fcve-2026-46333-ssh-keysign-pwn-kernel-linux\u002F",{"id":7,"title":8,"author":9,"body":10,"date":745,"description":746,"extension":747,"image":748,"meta":749,"navigation":380,"pareja":750,"path":751,"seo":752,"stem":753,"tags":754,"__hash__":759},"blogEn\u002Fen\u002Fblog\u002Fcve-2026-46333-ssh-keysign-pwn-linux-kernel.md","CVE-2026-46333 'ssh-keysign-pwn': the Linux kernel flaw that hid for six years","Paco Cubel",{"type":11,"value":12,"toc":729},"minimark",[13,18,32,39,43,73,76,80,110,117,121,124,156,163,167,170,280,294,298,301,306,317,408,419,423,426,432,453,456,482,488,517,527,533,537,540,574,577,581,588,632,635,639,642,662,669,673,676,700,703,707,725],[14,15,17],"h2",{"id":16},"the-friday-phone-call","The Friday phone call",[19,20,21,22,26,27,31],"p",{},"Last Friday several clients pinged us with the same question: \"I've read about a critical kernel CVE — are we exposed?\". The short answer was ",[23,24,25],"strong",{},"yes, pretty much every Linux server in the world is",". The good news: the patch is out and rolls in a few minutes. The bad: until it's applied, a local user with no special privileges can quietly read root's SSH keys and ",[28,29,30],"code",{},"\u002Fetc\u002Fshadow"," without exploiting anything complicated.",[19,33,34,35,38],{},"This is the story of ",[23,36,37],{},"CVE-2026-46333",", nicknamed \"ssh-keysign-pwn\" by the researchers who published it. And of why a bug that landed in the kernel back in 2017 sat there for six years in plain sight without anyone raising a hand.",[14,40,42],{"id":41},"in-one-sentence","In one sentence",[19,44,45,46,49,50,53,54,57,58,61,62,65,66,69,70,72],{},"There's a race condition in the kernel's exit path (",[28,47,48],{},"do_exit","). For a narrow window while a privileged process is shutting down, the ",[28,51,52],{},"ptrace"," checks relax further than they should. A local user can sneak in during that instant with ",[28,55,56],{},"pidfd_getfd(2)"," and ",[23,59,60],{},"copy file descriptors out of a privileged process"," — for example ",[28,63,64],{},"ssh-keysign"," (which opens private SSH host keys) or ",[28,67,68],{},"chage"," (which opens ",[28,71,30],{},").",[19,74,75],{},"No root needed. No special capabilities. Just a binary that was already there.",[14,77,79],{"id":78},"whos-affected","Who's affected",[81,82,83,90,100],"ul",{},[84,85,86,89],"li",{},[23,87,88],{},"Distributions hit",": Ubuntu, Debian, Arch Linux, CentOS, AlmaLinux, RHEL, CloudLinux, Raspberry Pi OS. Effectively the whole server Linux ecosystem.",[84,91,92,95,96,99],{},[23,93,94],{},"Kernel versions",": the race was introduced in Linux v4.10-rc1 (January 2017, commit ",[28,97,98],{},"bfedb589","). Every kernel released since carries the crack.",[84,101,102,105,106,109],{},[23,103,104],{},"Who can pull it off",": any local user. It's not remotely exploitable on its own, but ",[23,107,108],{},"every scenario with unprivileged SSH users, shared hosting, mis-scoped containers or service accounts"," sits inside the blast radius.",[19,111,112,113,116],{},"The detail that makes it particularly ugly: there's a ",[23,114,115],{},"public proof of concept on GitHub"," from disclosure day. This isn't theoretical.",[14,118,120],{"id":119},"why-six-years-without-anyone-spotting-it","Why six years without anyone spotting it",[19,122,123],{},"Fair question: if the bug landed in 2017, why did it take this long to surface? Three reasons stacked on top of each other:",[125,126,127,141,147],"ol",{},[84,128,129,130,133,134,136,137,140],{},"The race window is ",[23,131,132],{},"very tight",": you need to coincide with the ",[28,135,48],{}," of a privileged process. The public PoC needs ",[23,138,139],{},"between 100 and 2000 tries"," to succeed.",[84,142,143,144,146],{},"The modern exploitation path leans on ",[28,145,56],{},", which only joined the kernel in 2020. Before that, the race was there but no public ergonomic primitive existed to abuse it.",[84,148,149,150,152,153,155],{},"SUID binaries that open genuinely sensitive secrets (",[28,151,64],{},", ",[28,154,68],{},") are a small, specific list. You have to know the exact targets to know what to ask for.",[19,157,158,159,162],{},"So: ",[23,160,161],{},"the flaw has been there since 2017, but only practically exploitable since 2020 — and nobody put the pieces together until this month",". A good lesson on why kernel auditing is hard even for the right people.",[14,164,166],{"id":165},"patched-kernel-versions-per-distro","Patched kernel versions per distro",[19,168,169],{},"The table below was cross-checked against each distro's official advisory. Numbers may bump as point releases land, but these are the minimum versions where the flaw is closed:",[171,172,173,186],"table",{},[174,175,176],"thead",{},[177,178,179,183],"tr",{},[180,181,182],"th",{},"Distribution",[180,184,185],{},"Patched kernel",[187,188,189,201,211,221,231,241,251,261,270],"tbody",{},[177,190,191,195],{},[192,193,194],"td",{},"Ubuntu 24.04 LTS",[192,196,197,200],{},[28,198,199],{},"6.8.0-58.61"," or later",[177,202,203,206],{},[192,204,205],{},"Ubuntu 22.04 LTS",[192,207,208,200],{},[28,209,210],{},"5.15.0-138.149",[177,212,213,216],{},[192,214,215],{},"Debian 13 (trixie)",[192,217,218,200],{},[28,219,220],{},"6.12.27-2",[177,222,223,226],{},[192,224,225],{},"Debian 12 (bookworm)",[192,227,228,200],{},[28,229,230],{},"6.1.140-1",[177,232,233,236],{},[192,234,235],{},"RHEL 9 \u002F AlmaLinux 9",[192,237,238],{},[28,239,240],{},"kernel-5.14.0-611.54.6.el9_7",[177,242,243,246],{},[192,244,245],{},"RHEL 8 \u002F AlmaLinux 8",[192,247,248],{},[28,249,250],{},"kernel-4.18.0-553.124.4.el8",[177,252,253,256],{},[192,254,255],{},"CloudLinux 10",[192,257,258],{},[28,259,260],{},"kernel-6.12.0-124.56.5.el10_1",[177,262,263,266],{},[192,264,265],{},"CloudLinux 9",[192,267,268],{},[28,269,240],{},[177,271,272,275],{},[192,273,274],{},"CloudLinux 8",[192,276,277],{},[28,278,279],{},"kernel-4.18.0-553.124.4.lve.el8",[281,282,283],"blockquote",{},[19,284,285,286,289,290,293],{},"If your server isn't on this list, check your running kernel with ",[28,287,288],{},"uname -r"," and read your distro's security advisory. ",[23,291,292],{},"Don't trust the \"official\" version number without checking the package date",": some distros keep the version string and only backport the fix.",[14,295,297],{"id":296},"what-you-should-be-doing-today","What you should be doing today",[19,299,300],{},"No fluff. This is what we've been running on client boxes these past few days.",[302,303,305],"h3",{"id":304},"_1-update-the-kernel-and-reboot","1. Update the kernel and reboot",[19,307,308,309,312,313,316],{},"It's the only proper fix. Yes, it needs a reboot (or ",[28,310,311],{},"kpatch","\u002F",[28,314,315],{},"kexec"," if you have live-patching in place).",[318,319,324],"pre",{"className":320,"code":321,"language":322,"meta":323,"style":323},"language-bash shiki shiki-themes github-light github-dark","# Debian \u002F Ubuntu\nsudo apt update && sudo apt install --only-upgrade linux-image-generic\nsudo reboot\n\n# RHEL \u002F AlmaLinux \u002F Rocky \u002F CloudLinux\nsudo dnf update kernel\nsudo reboot\n","bash","",[28,325,326,335,367,375,382,388,401],{"__ignoreMap":323},[327,328,331],"span",{"class":329,"line":330},"line",1,[327,332,334],{"class":333},"sJ8bj","# Debian \u002F Ubuntu\n",[327,336,338,342,346,349,353,355,357,360,364],{"class":329,"line":337},2,[327,339,341],{"class":340},"sScJk","sudo",[327,343,345],{"class":344},"sZZnC"," apt",[327,347,348],{"class":344}," update",[327,350,352],{"class":351},"sVt8B"," && ",[327,354,341],{"class":340},[327,356,345],{"class":344},[327,358,359],{"class":344}," install",[327,361,363],{"class":362},"sj4cs"," --only-upgrade",[327,365,366],{"class":344}," linux-image-generic\n",[327,368,370,372],{"class":329,"line":369},3,[327,371,341],{"class":340},[327,373,374],{"class":344}," reboot\n",[327,376,378],{"class":329,"line":377},4,[327,379,381],{"emptyLinePlaceholder":380},true,"\n",[327,383,385],{"class":329,"line":384},5,[327,386,387],{"class":333},"# RHEL \u002F AlmaLinux \u002F Rocky \u002F CloudLinux\n",[327,389,391,393,396,398],{"class":329,"line":390},6,[327,392,341],{"class":340},[327,394,395],{"class":344}," dnf",[327,397,348],{"class":344},[327,399,400],{"class":344}," kernel\n",[327,402,404,406],{"class":329,"line":403},7,[327,405,341],{"class":340},[327,407,374],{"class":344},[19,409,410,411,414,415,418],{},"Before rebooting, confirm grub points at the new kernel (",[28,412,413],{},"grubby --default-kernel"," on RHEL-family, ",[28,416,417],{},"dpkg --list | grep linux-image"," on Debian\u002FUbuntu). Booting back into the old kernel by mistake is annoyingly easy when you're working at 3am.",[302,420,422],{"id":421},"_2-temporary-mitigation-if-you-cant-reboot-yet","2. Temporary mitigation if you can't reboot yet",[19,424,425],{},"If the box can't take an immediate restart (production with end-user load, maintenance window already past), there are two stopgaps:",[19,427,428,431],{},[23,429,430],{},"Block user-controlled ptrace"," via sysctl. No reboot needed:",[318,433,435],{"className":320,"code":434,"language":322,"meta":323,"style":323},"sudo sysctl -w kernel.user_ptrace=0\n",[28,436,437],{"__ignoreMap":323},[327,438,439,441,444,447,450],{"class":329,"line":330},[327,440,341],{"class":340},[327,442,443],{"class":344}," sysctl",[327,445,446],{"class":362}," -w",[327,448,449],{"class":344}," kernel.user_ptrace=",[327,451,452],{"class":362},"0\n",[19,454,455],{},"To persist across reboots:",[318,457,459],{"className":320,"code":458,"language":322,"meta":323,"style":323},"echo \"kernel.user_ptrace=0\" | sudo tee \u002Fetc\u002Fsysctl.d\u002F99-cve-2026-46333.conf\n",[28,460,461],{"__ignoreMap":323},[327,462,463,466,469,473,476,479],{"class":329,"line":330},[327,464,465],{"class":362},"echo",[327,467,468],{"class":344}," \"kernel.user_ptrace=0\"",[327,470,472],{"class":471},"szBVR"," |",[327,474,475],{"class":340}," sudo",[327,477,478],{"class":344}," tee",[327,480,481],{"class":344}," \u002Fetc\u002Fsysctl.d\u002F99-cve-2026-46333.conf\n",[19,483,484,487],{},[23,485,486],{},"Drop the SUID bit on the sensitive binaries",", if you don't use them:",[318,489,491],{"className":320,"code":490,"language":322,"meta":323,"style":323},"sudo chmod u-s \u002Fusr\u002Flibexec\u002Fopenssh\u002Fssh-keysign\nsudo chmod u-s \u002Fusr\u002Fbin\u002Fchage\n",[28,492,493,506],{"__ignoreMap":323},[327,494,495,497,500,503],{"class":329,"line":330},[327,496,341],{"class":340},[327,498,499],{"class":344}," chmod",[327,501,502],{"class":344}," u-s",[327,504,505],{"class":344}," \u002Fusr\u002Flibexec\u002Fopenssh\u002Fssh-keysign\n",[327,507,508,510,512,514],{"class":329,"line":337},[327,509,341],{"class":340},[327,511,499],{"class":344},[327,513,502],{"class":344},[327,515,516],{"class":344}," \u002Fusr\u002Fbin\u002Fchage\n",[19,518,519,520,522,523,526],{},"Heads up: stripping SUID from ",[28,521,64],{}," breaks OpenSSH host-based authentication. Check ",[28,524,525],{},"lsattr"," and your SSH config before you do it.",[19,528,529,530],{},"These mitigations close the vector the public PoC uses. ",[23,531,532],{},"They do not let you skip the patch.",[302,534,536],{"id":535},"_3-audit-past-activity","3. Audit past activity",[19,538,539],{},"Assume any server with untrusted local users may have been touched between the disclosure date and the patch date. Look at:",[81,541,542,552,561],{},[84,543,544,547,548,551],{},[28,545,546],{},"\u002Fvar\u002Flog\u002Fauth.log"," (Debian\u002FUbuntu) or ",[28,549,550],{},"\u002Fvar\u002Flog\u002Fsecure"," (RHEL): unusual SSH logins.",[84,553,554,557,558,560],{},[28,555,556],{},"journalctl _COMM=ssh-keysign --since=\"2026-05-14\"",": executions of ",[28,559,64],{}," by users who shouldn't be running it.",[84,562,563,566,567,569,570,573],{},[28,564,565],{},"auditd"," if you have it enabled: ",[28,568,52],{}," or ",[28,571,572],{},"pidfd_getfd"," calls from unprivileged processes.",[19,575,576],{},"If anything looks off, assume compromise and rotate credentials.",[302,578,580],{"id":579},"_4-rotate-ssh-keys-if-you-have-doubts","4. Rotate SSH keys if you have doubts",[19,582,583,584,587],{},"On shared, multi-tenant or many-user servers, ",[23,585,586],{},"rotate host SSH keys after applying the patch",":",[318,589,591],{"className":320,"code":590,"language":322,"meta":323,"style":323},"sudo rm \u002Fetc\u002Fssh\u002Fssh_host_*\nsudo dpkg-reconfigure openssh-server   # Debian\u002FUbuntu\nsudo systemctl restart sshd\n",[28,592,593,606,619],{"__ignoreMap":323},[327,594,595,597,600,603],{"class":329,"line":330},[327,596,341],{"class":340},[327,598,599],{"class":344}," rm",[327,601,602],{"class":344}," \u002Fetc\u002Fssh\u002Fssh_host_",[327,604,605],{"class":362},"*\n",[327,607,608,610,613,616],{"class":329,"line":337},[327,609,341],{"class":340},[327,611,612],{"class":344}," dpkg-reconfigure",[327,614,615],{"class":344}," openssh-server",[327,617,618],{"class":333},"   # Debian\u002FUbuntu\n",[327,620,621,623,626,629],{"class":329,"line":369},[327,622,341],{"class":340},[327,624,625],{"class":344}," systemctl",[327,627,628],{"class":344}," restart",[327,630,631],{"class":344}," sshd\n",[19,633,634],{},"This invalidates any private-key copies that might have leaked. Clients will see a \"host key changed\" warning on first reconnect — warn them upfront.",[14,636,638],{"id":637},"what-we-did-this-week","What we did this week",[19,640,641],{},"At Atenea Systems we started rolling the patch out on Friday morning, the moment Debian and Ubuntu published signed kernels. Order was the usual one:",[125,643,644,650,656],{},[84,645,646,649],{},[23,647,648],{},"Servers with external users first",": shared hosting, client jails, SFTP-only boxes.",[84,651,652,655],{},[23,653,654],{},"Database servers next",": a compromise there escalates badly.",[84,657,658,661],{},[23,659,660],{},"Dedicated VPS last",": usually a single admin user, so the local attack surface is smaller.",[19,663,664,665,668],{},"As of today every server we manage is either running a patched kernel or, where the reboot window hasn't arrived yet, has ",[28,666,667],{},"kernel.user_ptrace=0"," set.",[14,670,672],{"id":671},"the-lesson-again","The lesson, again",[19,674,675],{},"Once a year a CVE like this lands and the same five gestures repeat:",[81,677,678,681,684,694,697],{},[84,679,680],{},"Check the kernel version.",[84,682,683],{},"Check when it last rebooted.",[84,685,686,687,312,690,693],{},"Run ",[28,688,689],{},"apt",[28,691,692],{},"dnf update",".",[84,695,696],{},"Reboot.",[84,698,699],{},"Verify.",[19,701,702],{},"A patching plan isn't something you do \"when there's time\". It's what separates the servers that survive a bad Friday from the ones that don't. If your current plan is \"whenever I remember\", let's talk.",[14,704,706],{"id":705},"references","References",[81,708,709,718],{},[84,710,711],{},[712,713,717],"a",{"href":714,"rel":715},"https:\u002F\u002Fcybersecuritynews.com\u002Flinux-kernel-vulnerability-ssh-keysign-pwn\u002F",[716],"nofollow","Critical Linux Kernel Flaw 'ssh-keysign-pwn' Exposes SSH Keys and Shadow Passwords — Cyber Security News",[84,719,720],{},[712,721,724],{"href":722,"rel":723},"https:\u002F\u002Fblog.cloudlinux.com\u002Fptrace-exit-race-cve-2026-46333-mitigation-and-kernel-update",[716],"CVE-2026-46333 Mitigation and Kernel Update on CloudLinux — CloudLinux Blog",[726,727,728],"style",{},"html pre.shiki code .sJ8bj, html code.shiki .sJ8bj{--shiki-default:#6A737D;--shiki-dark:#6A737D}html pre.shiki code .sScJk, html code.shiki .sScJk{--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .sZZnC, html code.shiki .sZZnC{--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .sVt8B, html code.shiki .sVt8B{--shiki-default:#24292E;--shiki-dark:#E1E4E8}html pre.shiki code .sj4cs, html code.shiki .sj4cs{--shiki-default:#005CC5;--shiki-dark:#79B8FF}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .szBVR, html code.shiki .szBVR{--shiki-default:#D73A49;--shiki-dark:#F97583}",{"title":323,"searchDepth":337,"depth":337,"links":730},[731,732,733,734,735,736,742,743,744],{"id":16,"depth":337,"text":17},{"id":41,"depth":337,"text":42},{"id":78,"depth":337,"text":79},{"id":119,"depth":337,"text":120},{"id":165,"depth":337,"text":166},{"id":296,"depth":337,"text":297,"children":737},[738,739,740,741],{"id":304,"depth":369,"text":305},{"id":421,"depth":369,"text":422},{"id":535,"depth":369,"text":536},{"id":579,"depth":369,"text":580},{"id":637,"depth":337,"text":638},{"id":671,"depth":337,"text":672},{"id":705,"depth":337,"text":706},"2026-05-19","A Linux kernel vulnerability disclosed on 15 May lets a local user steal SSH private keys and \u002Fetc\u002Fshadow without ever needing root. Here's what it is, who's affected and what you should be doing on your servers today.","md","\u002Fog\u002Fog-default.png",{},"cve-2026-46333-ssh-keysign-pwn-kernel-linux","\u002Fen\u002Fblog\u002Fcve-2026-46333-ssh-keysign-pwn-linux-kernel",{"title":8,"description":746},"en\u002Fblog\u002Fcve-2026-46333-ssh-keysign-pwn-linux-kernel",[755,756,757,758],"Security","Linux","Servers","CVE","p6dYQpU9cpu4QkDVOtzc5VdvAaqmf2-qENTesrCryys",1781154907987]