9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros
Source: The Hacker News
Cybersecurity researchers have disclosed a nine‑year‑old vulnerability in the Linux kernel that allows an unprivileged local user to read sensitive files and execute arbitrary commands as root on default installations of major distributions such as Debian, Fedora, and Ubuntu. The flaw is tracked as CVE‑2026‑46333 (CVSS 5.5) and is codenamed ssh‑keysign‑pwn.

Vulnerability Overview
- Root cause – The issue resides in the kernel's `__ptrace_may_access()` function. It was introduced in November 2016 and enables a local attacker to bypass privilege checks.
- Impact – An attacker can:
  - Disclose `/etc/shadow` and private SSH keys under `/etc/ssh/*_key`.
  - Execute arbitrary commands as root via four distinct exploit vectors targeting chage, ssh‑keysign, pkexec, and accounts‑daemon.
- Discovery – Qualys uncovered the flaw and released a proof‑of‑concept (PoC) exploit on GitHub.

Exploitation Details
Successful exploitation can be achieved through any of the following paths:
| Exploit Vector | Typical Target |
|---|---|
| chage | Manipulates password aging utilities |
| ssh-keysign | Leverages the ssh-keysign helper binary |
| pkexec | Abuse of Polkit's pkexec command |
| accounts-daemon | Exploits D‑Bus account management service |
Each vector ultimately calls the vulnerable ptrace path, granting the attacker root privileges and access to credential material.
Mitigation and Recommendations
- Update the kernel – Apply the latest kernel packages provided by your distribution as soon as they are available.
- Temporary workaround – If an immediate update is not possible, raise the `kernel.yama.ptrace_scope` sysctl to `2`: `sudo sysctl -w kernel.yama.ptrace_scope=2`
- Credential rotation – Treat SSH host keys and any locally cached credentials as potentially compromised. Rotate host keys and review any privileged material that may have been resident in memory of set‑uid processes.
“On hosts that have allowed untrusted local users during the exposure window, treat SSH host keys and locally cached credentials as potentially disclosed,” – Qualys.
Related Exploit: PinTheft
A separate PoC, PinTheft, demonstrates a local privilege escalation on Arch Linux systems. It exploits a double‑free bug in the Reliable Datagram Sockets (RDS) zerocopy send path, which can be turned into a page‑cache overwrite via io_uring fixed buffers.
- Prerequisites – The target must have the RDS module loaded, `io_uring` enabled, a readable SUID‑root binary, and x86_64 architecture support.
- Technical summary – The bug resides in `rds_message_zcopy_from_user()`. When a page fault occurs during a zerocopy send, the error path drops already‑pinned pages, and later cleanup drops them again, allowing an attacker to steal a reference to a user page and eventually achieve root.
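The following script is an added example, not code from the article, from Qualys or from the PinTheft repository. It is a read-only exposure audit covering both the `ptrace_scope` workaround described under "Mitigation and Recommendations" and the PinTheft prerequisites listed above: it checks that `kernel.yama.ptrace_scope` is at least 2, whether the `rds` module is loaded, and whether `io_uring` has been disabled through the `kernel.io_uring_disabled` sysctl (present since Linux 6.6). The function names and the optional file-path arguments (which let the checks be exercised against constructed files instead of the live `/proc` nodes) are this example's own assumptions; the script changes nothing on the host.

```sh
#!/bin/sh
# Added example (not from the article, Qualys or PinTheft): read-only audit of
# the ptrace_scope workaround and the PinTheft prerequisites. Each check takes
# an optional file argument so it can be run against constructed inputs.

# Minimum Yama ptrace scope the workaround asks for.
PTRACE_SCOPE_MIN=2

# ptrace_scope_ok [FILE] -> 0 if the value in FILE is >= PTRACE_SCOPE_MIN,
# 1 if it is lower, 2 if the node is missing or unreadable (no Yama LSM).
ptrace_scope_ok() {
    f="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    [ -r "$f" ] || return 2
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        ''|*[!0-9]*) return 2 ;;   # unexpected content, treat as unknown
    esac
    [ "$v" -ge "$PTRACE_SCOPE_MIN" ]
}

# module_loaded NAME [MODULES_FILE] -> 0 if NAME is listed in /proc/modules.
# Each /proc/modules line starts with the module name followed by a space.
module_loaded() {
    name="$1"
    f="${2:-/proc/modules}"
    [ -r "$f" ] || return 1
    grep -q "^${name} " "$f"
}

# io_uring_disabled [FILE] -> 0 only if kernel.io_uring_disabled is 2 (fully
# disabled). 1 merely restricts io_uring to privileged users, and the sysctl
# does not exist before Linux 6.6, so a missing file counts as "available".
io_uring_disabled() {
    f="${1:-/proc/sys/kernel/io_uring_disabled}"
    [ -r "$f" ] || return 1
    [ "$(tr -d '[:space:]' < "$f")" = "2" ]
}

# audit -> one line per check; returns 0 when nothing needs attention.
audit() {
    rc=0
    if ptrace_scope_ok; then
        echo "ok:   kernel.yama.ptrace_scope >= $PTRACE_SCOPE_MIN"
    else
        echo "warn: kernel.yama.ptrace_scope below $PTRACE_SCOPE_MIN (or Yama absent);" \
             "workaround: sudo sysctl -w kernel.yama.ptrace_scope=2"
        rc=1
    fi
    if module_loaded rds; then
        echo "warn: rds module is loaded (PinTheft prerequisite present)"
        rc=1
    else
        echo "ok:   rds module not loaded"
    fi
    if io_uring_disabled; then
        echo "ok:   io_uring disabled via kernel.io_uring_disabled=2"
    else
        echo "info: io_uring available (PinTheft prerequisite present)"
    fi
    return $rc
}

# Run the audit when invoked as "sh exposure_audit.sh run"; sourcing the file
# only defines the functions.
if [ "${1:-}" = "run" ]; then
    audit
fi
```

Two caveats when acting on the output: `ptrace_scope=2` restricts `ptrace` to processes with `CAP_SYS_PTRACE`, so non-root debuggers and crash handlers that attach to running processes stop working until the kernel is updated and the setting is lowered again; and to keep the workaround across reboots, place `kernel.yama.ptrace_scope = 2` in a file under `/etc/sysctl.d/` rather than relying on the one-off `sysctl -w`. An unloaded `rds` module can still be auto-loaded by an unprivileged socket call unless it is blacklisted, so "not loaded" is a weaker finding than "blocked".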

For further technical details, see the original repository: .