Another High-Profile Linux Bug Lands

Linux administrators have another kernel issue to track, and this one reaches directly into some of the most sensitive material on a system. Qualys has disclosed CVE-2026-46333, an information-disclosure vulnerability in the Linux kernel that can allow ordinary users to read data they should never be able to access, including SSH host private keys and the shadow password file.

According to the supplied source text, the flaw has been nicknamed ssh-keysign-pwn because one of the main exploitation paths involves OpenSSH’s ssh-keysign helper binary. That helper is typically setuid root for host-based authentication, opens the system’s SSH host keys, and then drops privileges to complete its work. The issue is that an attacker may be able to intercept access during a narrow kernel-level window.

What the Vulnerability Is

Qualys says the bug sits in the Linux kernel’s __ptrace_may_access() logic, specifically in checks that run as processes exit. Under certain conditions, the normal dumpable checks can be skipped after a process has dropped its memory mapping. The result, the source says, is a brief opportunity for another process to steal file descriptors.

That may sound narrow, but the practical consequences are not. The source explicitly says attackers could exfiltrate SSH host keys and password hashes. Even without immediate full root compromise, that kind of access is a serious foothold.

Why SSH Host Keys Matter

SSH host private keys are not just local credentials. They help establish machine identity in trusted environments. If those keys are stolen, an attacker may be able to impersonate a legitimate machine in host-based trust relationships. That shifts the risk from one compromised box to broader lateral movement opportunities inside an environment.

The shadow password file presents a different but equally important problem. Once attackers obtain password hashes, they can attempt offline cracking and potentially reuse any recovered credentials on other systems. The source describes both outcomes as powerful building blocks for persistence and expansion.

The Timing Is Notable

This is described as the fourth high-profile local Linux security hole in only a few weeks. That sequence matters because it increases pressure on maintainers and operators alike. A single bug can be handled as routine maintenance. A cluster of kernel flaws changes the operational picture, especially for organizations that assume Linux’s security posture is static or self-managing.

Qualys also claims the flaw has existed in one form or another for about six years. If accurate, that would make the disclosure especially uncomfortable: a local weakness tied to core access logic, present long enough to affect multiple release generations and deployment environments.

Patch Available, Distribution Lag Remains

The good news is that a patch already exists. The bad news, according to the source, is that most Linux distributions had not yet made the fix broadly available at the time of publication. That gap is often where risk accumulates. Once a vulnerability is public, defenders race packaging timelines while attackers study proof-of-concept paths.

The article cites Linus Torvalds explaining that the problem stems from an odd special case in which ptrace_may_access() uses dumpable for checks that are otherwise independent of the memory map. That is a highly specific implementation issue, but it reinforces that the bug is not a vague hardening concern. It is a defined kernel logic flaw with an upstream fix.

What Operators Should Take Away

  • CVE-2026-46333 is an information-disclosure vulnerability in Linux.
  • Qualys says it can expose SSH host private keys and the shadow password file.
  • A patch exists, but it was not yet available in most distributions when the source article was published.
  • The flaw involves the kernel’s __ptrace_may_access() logic during process exit.

For administrators, this is the kind of issue that deserves immediate inventory work. Based on the supplied source, systems running unpatched kernels may not be remotely compromisable through this bug alone, but local access is enough to turn it into a serious escalation aid.
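One way to start that inventory, as an added example that is not from the original article or from Qualys: a POSIX shell script that lists setuid ssh-keysign helpers and SSH host private keys under a given root and prints the running kernel release. The directory list in `KEYSIGN_DIRS` and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added inventory example, not from the original article.
# Lists setuid ssh-keysign helpers and SSH host private keys under a root
# directory so hosts can be matched against distribution advisories.

# Assumed install directories (relative to the root) for ssh-keysign.
KEYSIGN_DIRS="usr/lib/openssh usr/libexec/openssh usr/lib/ssh usr/lib64/ssh"

# Print each ssh-keysign under root $1 that still carries the setuid bit.
find_setuid_keysign() {
    fsk_root="${1%/}"
    for fsk_dir in $KEYSIGN_DIRS; do
        [ -d "$fsk_root/$fsk_dir" ] || continue
        find "$fsk_root/$fsk_dir" -type f -name ssh-keysign -perm -4000 2>/dev/null
    done
    return 0
}

# Print SSH host private keys under root $1. Public *.pub files are skipped
# because the name pattern must match the whole file name.
list_host_keys() {
    lhk_root="${1%/}"
    [ -d "$lhk_root/etc/ssh" ] || return 0
    find "$lhk_root/etc/ssh" -type f -name 'ssh_host_*_key' 2>/dev/null
    return 0
}

# Human-readable report. The kernel release is printed for manual comparison
# because the article gives no fixed-version numbers.
report() {
    echo "kernel release: $(uname -r)"
    echo "setuid ssh-keysign binaries:"
    find_setuid_keysign "$1" | sed 's/^/  /'
    echo "host private keys (owner mode path):"
    for rp_key in $(list_host_keys "$1"); do
        ls -l "$rp_key" | awk '{print "  " $3, $1, $NF}'
    done
}

report "${1:-/}"
```

Pass a mounted image or chroot path as the first argument to inventory an offline system instead of the running one.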

The larger lesson is less about one nickname and more about cadence. Linux is in the middle of a visible security wake-up period, and operator discipline around patching, package availability, and local-user exposure matters more when kernel bugs begin arriving in clusters.

This article is based on reporting by ZDNET.

Originally published on zdnet.com