Critical Linux Kernel Flaw (CVE‑2026‑46333) Enables Theft of SSH Host Keys and Password Hashes
What Happened – Researchers at Qualys disclosed CVE‑2026‑46333, a local information‑disclosure bug in the Linux kernel’s ptrace logic that can be abused via the OpenSSH ssh-keysign helper to read SSH host private keys and the /etc/shadow password file. A patch has been released, but most major distributions have not yet shipped it.
Why It Matters for TPRM –
- Unpatched Linux servers can leak credentials that compromise downstream customers and partners.
- Stolen SSH host keys enable attackers to impersonate trusted machines, facilitating lateral movement across supply‑chain environments.
- The bug has been present in the kernel for years, so legacy systems have had a long window of exposure.
Who Is Affected – Cloud‑hosting providers, SaaS platforms, managed service providers, and any third party that runs Linux‑based workloads (e.g., web servers, containers, CI/CD runners).
Recommended Actions – Verify patch availability for all Linux distributions in use, apply updates immediately, rotate SSH host keys and passwords, and monitor for anomalous ssh-keysign activity.
Technical Notes – The flaw resides in __ptrace_may_access() which skips “dumpable” checks after a process drops its memory mapping, creating a brief window for another process to steal file descriptors. Exploitation requires local access but can be leveraged for credential theft and persistent impersonation. Source: ZDNet Security
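A read-only audit that supports the monitoring and key-rotation advice under Recommended Actions, added here as an example that is not from the advisory, Qualys or the OpenSSH project: it reports whether a setuid ssh-keysign helper is installed, whether ssh_config enables it, and how many days ago each host private key was last written. The binary and configuration paths are assumptions; adjust them to your distribution.

```shell
#!/bin/sh
# Added audit example (not part of the advisory). Reports only; changes nothing.

# keysign_status PATH: prints "setuid", "present" or "absent" for an ssh-keysign binary.
# The helper is what lets an unprivileged client process sign with the host key.
keysign_status() {
    if [ ! -e "$1" ]; then echo absent
    elif [ -u "$1" ]; then echo setuid
    else echo present
    fi
}

# keysign_enabled CONFIG: prints "yes" if the ssh_config file turns on
# EnableSSHKeysign (commented-out lines are ignored), otherwise "no".
keysign_enabled() {
    if [ -r "$1" ] && grep -Eiq '^[[:space:]]*EnableSSHKeysign[[:space:]]+yes' "$1"; then
        echo yes
    else
        echo no
    fi
}

# host_key_age_days KEYFILE: whole days since the key file was last modified,
# a simple check that a rotation actually happened (GNU stat, BSD stat fallback).
host_key_age_days() {
    now=$(date +%s)
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
    echo $(( (now - mtime) / 86400 ))
}

# audit_host: runs the checks against the usual locations (assumed paths).
audit_host() {
    for bin in /usr/lib/openssh/ssh-keysign /usr/libexec/openssh/ssh-keysign /usr/lib/ssh/ssh-keysign; do
        echo "$bin: $(keysign_status "$bin")"
    done
    echo "EnableSSHKeysign in /etc/ssh/ssh_config: $(keysign_enabled /etc/ssh/ssh_config)"
    for key in /etc/ssh/ssh_host_*_key; do
        if [ -e "$key" ]; then
            echo "$key: $(host_key_age_days "$key") days since last write"
        fi
    done
}

if [ "${1:-}" = "--run" ]; then
    audit_host
fi
```

Run with `--run` on each host; a `setuid` helper together with `EnableSSHKeysign yes` means host-based authentication is active and the host key is exposed to the helper, and a key age older than your rotation date means the rotation has not reached that machine.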