CVE-2026-46333 is a nine-year-old logic flaw in the Linux kernel that can let unprivileged local users read SSH private keys and the system password hash on default installations of Debian, Fedora and Ubuntu.
Qualys Threat Research Unit: discovery and timeline
New analysis from the Qualys Threat Research Unit (TRU) shows the bug has been present in mainline Linux since November 2016. Qualys assigned the issue CVE-2026-46333 and assembled working proof-of-concept code and exploits. The vendor wrote that upstream patches and distribution updates are available, and that working exploits are circulating publicly; Qualys also withheld four working exploits it developed during a coordinated disclosure window.
The technical root: __ptrace_may_access() and pidfd_getfd()
The flaw sits in the kernel function __ptrace_may_access(). Qualys identified a narrow timing window in which a privileged process that is dropping its credentials remains reachable through ptrace operations even though its dumpable flag should have closed that path. By pairing that narrow window with the pidfd_getfd() syscall, an attacker can capture file descriptors from a setuid binary mid-exit and inherit access to the underlying files. Qualys notes pidfd_getfd() was added to the kernel in January 2020, a change that broadened the practical reach of the older logic flaw.
Working exploits: ssh-keysign, chage, pkexec and accounts-daemon
Qualys’ proof-of-concept targets multiple real-world binaries. One variant targets ssh-keysign, a setuid helper that briefly holds SSH host private keys open during authentication signing; that exploit yields disclosure of host private keys. A second variant targets chage, stealing an open handle to /etc/shadow and exposing every user's password hash on the host. Qualys also developed working exploits against pkexec and accounts-daemon; those two variants allow execution of arbitrary commands as root, according to Qualys.
Saeed Abbasi, senior manager at the Qualys TRU, summarized the practical impact: "turns any local shell into a path to root or to sensitive credential material."
Affected distributions, relative severity, and recent context
Qualys reported the flaw affects default installations of Debian, Fedora and Ubuntu. The disclosure is the fourth Linux kernel local security issue publicized in three weeks, following Copy Fail, Dirty Frag and Fragnesia. The bug received a CVSS score of 5.5; Qualys argued, however, that the distinction between an unprivileged foothold and full host compromise "collapses in practice" because the disclosed files — private SSH host keys and /etc/shadow contents — are themselves sufficient to take over a system.
Mitigation: vendor updates and ptrace_scope as an interim measure
Administrators should apply the vendor kernel update for their distribution without delay, Qualys advised. As an interim mitigation, Ubuntu and Qualys both recommend raising kernel.yama.ptrace_scope to 2 via sysctl. That setting gates ptrace attachment behind CAP_SYS_PTRACE and blocks the public exploit path, at the cost of breaking unprivileged debugging workflows.
What this means for shared hosting operators, CI runners, and system administrators
- Shared hosting operators and multi-tenant CI providers: Qualys highlights the sharpest risk where unprivileged shells are routinely available to untrusted parties. Those environments should prioritize kernel updates and consider the ptrace_scope mitigation immediately.
- System administrators: patches and distribution updates are available; apply them without delay and be prepared for possible workflow disruption if ptrace_scope is raised to 2 (it will block unprivileged debugging).
- Operators of services relying on setuid helpers (for example, ssh-keysign, chage, pkexec, accounts-daemon): review which binaries are present and whether private keys or /etc/shadow are exposed by short-lived file descriptors, then deploy the vendor fixes and consider limiting local shell access where feasible.
The immediate path forward is concrete: install the upstream or distribution kernel updates and, where patching will take time, raise kernel.yama.ptrace_scope to 2 as recommended by Ubuntu and Qualys. The disclosure also underscores a practical lesson embedded in the facts: changes to the kernel surface area — here, a syscall added in 2020 — can broaden the reach of older logic errors introduced years earlier. For affected systems, the next step is not debate but remediation.
Original reporting: https://www.infosecurity-magazine.com/news/linux-kernel-ptrace-flaw-ssh-keys/




