CVE-2026-46333 (ssh-keysign-pwn) Linux kernel vulnerability mitigations

An information disclosure security vulnerability in the Linux kernel was publicly disclosed on May 15th, 2026. The vulnerability was reported by Qualys and fixed in the mainline Linux kernel tree. A proof-of-concept exploit was published soon after public disclosure. The ID CVE-2026-46333 was assigned, but the vulnerability is also referred to as “ssh-keysign-pwn”, based on the proof-of-concept exploit.

The vulnerability is a race condition that can result in the disclosure of sensitive files to unprivileged local users. The exploit demonstrates this by disclosing the contents of the /etc/shadow file (containing hashed local user passwords) and OpenSSH server host private keys (which could facilitate SSH on-path attacks or impact SSH host-based authentication).

CVE-2026-46333 has been assigned a CVSS 3.1 score of 5.5 by CISA, corresponding to a severity of Medium. Canonical agrees with this assessment. The Ubuntu Priority assigned is High, due to the disclosure of sensitive local information to unprivileged users.

Linux kernel package updates are available that fix these vulnerabilities. This blog had been published on the day the vulnerability was publicly disclosed, describing mitigations that disable the  ability to exploit the vulnerability, at a cost of being unable to run debugging tools (such as gdb and gcore) as unprivileged users. The mitigations are no longer necessary if the Linux kernel updates are applied.

Impact

The vulnerability allows disclosure of files opened by a suid or sgid executable to an unprivileged attacker that invokes the suid or sgid executable. The race condition occurs as the privileged process exits, which requires the executable to keep the sensitive files open when exiting. During a short window, an unprivileged attacker can inspect an invoked privileged process using the ptrace() system call.

The demonstrated exploits include:

• The ability to read the contents of the /etc/shadow file via the sgid /usr/bin/chage. The file contains hashed local user passwords and would require an additional brute-force attack in order to retrieve the plain-text passwords. The algorithms used by Ubuntu are considered strong against such attacks, but require passwords that conform to current best practices.
• The ability to read the OpenSSH server host private keys via the suid /usr/lib/openssh/ssh-keysign. These are used by the OpenSSH server to prove its identity to clients and ensure that an on-path attack does not compromise SSH connections. Additionally, the OpenSSH host keys are used for host-based authentication and their disclosure could lead to user impersonation on deployments that use this uncommon authentication method.

On container deployments, the information that can be disclosed is strictly within the confines of the container and, generally, unlikely to be useful to an attacker.

Affected releases

In Ubuntu, the vulnerability fix is distributed through the Linux kernel image packages. Before the Linux kernel security updates were available, this blog post described a mitigation that can be applied in the instructions below. The mitigation will impact debuggers, such as gdb. The mitigation is no longer necessary if the Linux kernel updates are applied.

How to check if you are impacted

On your system, run the following command to get the version of the currently running kernel and compare the listed version to the corresponding table above.

uname -r

The list of installed kernel packages can be obtained using the following command:

dpkg -l 'linux-image*' | grep ^ii

Security updates

We recommend you upgrade all packages:

sudo apt update && sudo apt upgrade

If this is not possible and the Linux kernel is installed via a meta package, its update can be targeted directly:

sudo apt update
dpkg-query -W -f '${source:Package}\t${binary:Package}\n' | awk '$1 ~ "^linux-meta" { print $2 }' | xargs sudo apt install --only-upgrade

Once the security updates for the Linux kernel are installed, a reboot is required:

sudo reboot

The unattended-upgrades feature is enabled by default for Ubuntu 16.04 LTS onwards. This service:  

• Applies new security updates every 24 hours automatically.
• If you have this enabled, the patches above will be automatically applied within 24 hours of being available, but a reboot is still required.

Manual mitigation

Update: Linux kernel security updates that fix the vulnerability are now available. The mitigations described in this section are no longer needed and should only be applied if the Linux kernel cannot be updated. If you have previously configured the mitigations, please follow the instructions in the ‘Disabling the mitigation’ section below.

The mitigation disables the ability of unprivileged users to attach to other processes using the ptrace() system call. This is generally used by debuggers. The kernel.yama.ptrace_scope sysctl can be used to restrict the situations in which the affected system call can be used. On Ubuntu, the sysctl parameter defaults to the value 1, which imposes an ancestor-descendant relationship between the attacker’s process and the victim. The scope can be further restricted with one of the following values:

• 2: this disallows the use of the ptrace() system call for users without the CAP_SYS_PTRACE privilege, which is the case for most users. As such, an attacker would not normally have this capability,. Debugging tools that utilize ptrace, such as gdb and gcore, will be impacted for unprivileged users.
• 3: this disables attaching to processes using ptrace() altogether. Debugging tools that utilize ptrace, such as gdb and gcore, will be impacted for all users, including privileged ones.

Please note that if the sysctl is set to the value 3, it cannot be changed without a system reboot.

The following instructions change the currently running value of the kernel.yama.ptrace_scope sysctl and configure a drop-in file (/etc/sysctl.d/99-CVE-2026-46333.conf) to retain the value across reboots. We consider setting the to the value 2 to be a sufficient mitigation. If you wish to use the value 3, you can adjust the command accordingly.

echo kernel.yama.ptrace_scope=2 | sudo tee /etc/sysctl.d/99-CVE-2026-46333.conf
sudo sysctl -p /etc/sysctl.d/99-CVE-2026-46333.conf

Disabling the mitigation

Once kernel updates are installed, the mitigation can be removed:

sudo rm /etc/sysctl.d/99-CVE-2026-46333.conf
sudo sysctl kernel.yama.ptrace_scope=1

We recommend you do not set this parameter to the value 0, as doing so would disable the protections provided by the feature, as explained here.