ZeroDaySentinel
Threat Intelligence

ssh-keysign-pwn (CVE-2026-46333): Nine-Year-Old Linux Kernel Privilege Flaw Lets Any Local User Read /etc/shadow, Steal SSH Host Keys, and Execute Commands as Root — PinTheft RDS Double-Free Also Drops Root on Arch Linux

High
Incident: 2026-05-19
Published: 2026-05-25

Qualys disclosed CVE-2026-46333, a nine-year-old Linux kernel privilege management flaw rooted in the __ptrace_may_access() function, that allows any unprivileged local user to read /etc/shadow, steal SSH host keys from /etc/ssh/*_key, and execute arbitrary commands as root through four independent exploit chains targeting chage, ssh-keysign, pkexec, and accounts-daemon on default installations of Debian, Fedora, and Ubuntu. A proof-of-concept was released last week. The disclosure arrives alongside PinTheft, a separate Linux local privilege escalation from Zellic and V12 that exploits an RDS zerocopy double-free via io_uring fixed buffers to achieve root on Arch Linux systems where the RDS module is loaded.


What happened

Qualys has disclosed CVE-2026-46333, a Linux kernel privilege management vulnerability that went undetected for nine years before researchers identified it. The flaw carries a CVSS score of 5.5 and is codenamed ssh-keysign-pwn. Despite the relatively modest CVSS rating, the practical impact is significantly more severe: any unprivileged local user can exploit this vulnerability to read the contents of /etc/shadow, extract private host keys stored under /etc/ssh/*_key, and execute arbitrary commands as root on default installations of Debian, Fedora, and Ubuntu.

The vulnerability traces back to a kernel commit made in November 2016 and lives in the kernel's __ptrace_may_access() function, the check that decides whether one task may ptrace another. The same check backs the ptrace_may_access() calls that guard interfaces such as /proc/<pid>/mem and /proc/<pid>/environ, so it governs far more than debugger attachment. The flaw is a case of improper privilege management: the function reaches the wrong answer about what an unprivileged caller is allowed to access. Saeed Abbasi, Senior Manager of Threat Research at Qualys, described the primitive plainly: it is reliable, and it converts any local shell into either a direct path to root or a route to sensitive credential material.


A proof-of-concept exploit was released last week, shortly after a public kernel commit disclosed the underlying issue. Qualys identified four distinct exploit chains, each targeting a different privileged binary on the system: chage (the password aging utility), ssh-keysign (the SSH host key signing helper), pkexec (the PolicyKit privilege elevation front-end), and accounts-daemon (the AccountsService system daemon). The diversity of these targets is notable because it means the vulnerability is not dependent on any single binary being present. A default installation of any of the three major affected distributions is almost certain to have at least one of these four binaries available and exploitable.

The disclosure follows a particularly dense sequence of Linux kernel local privilege escalation findings. CVE-2026-46333 is the most recent addition to the series that includes Copy Fail, Dirty Frag, and Fragnesia, all disclosed within the past month. Unlike those three, which shared the same page-cache write primitive across different subsystems, ssh-keysign-pwn is rooted in a fundamentally different area of the kernel and requires its own patch and its own mitigation effort.

The concurrent disclosure of PinTheft adds a second Linux LPE vector to this reporting window. PinTheft was developed by Zellic and the V12 security team and targets Arch Linux systems specifically. It exploits an RDS zerocopy double-free vulnerability in the Linux kernel's Reliable Datagram Sockets subsystem. The write-up from the researchers describes the core issue: rds_message_zcopy_from_user() pins user pages one at a time during a zerocopy send. If a later page faults, the error path releases the pages it already pinned, but the subsequent RDS message cleanup releases them a second time because the scatterlist entries and entry count remain live after the zerocopy notifier is cleared. Each failed zerocopy send can therefore steal one reference from the first page, and this double-free condition can be driven through io_uring fixed buffers into a page-cache overwrite primitive.


The PinTheft exploit has specific prerequisites: the Reliable Datagram Sockets module must be loaded on the target system, io_uring must be enabled, a readable SUID-root binary must be present, and x86_64 support is required for the included payload. These requirements narrow the effective target set considerably, but Arch Linux systems meeting those conditions are fully exposed to a reliable root path.

Who is affected

CVE-2026-46333 affects default installations of the following distributions:

  1. Debian (all currently supported releases)
  2. Fedora (current and recent releases)
  3. Ubuntu (all currently supported LTS and interim releases)

The vulnerability requires an existing local unprivileged account. Remote attackers who have obtained any level of shell access through web application exploits, compromised CI/CD runners, phishing chains, or container escapes are immediately positioned to escalate to root on unpatched systems.

Qualys issued specific guidance for environments that had untrusted local users present during the exposure window: treat all SSH host keys and locally cached credentials as potentially disclosed. The concern is that exploitation was practical well before the public PoC arrived. The kernel commit that exposed the issue became public before an embargo could be coordinated around it, and the PoC followed shortly after, so the window of unknown exposure is significant.

PinTheft's scope is narrower. It specifically targets Arch Linux systems where the RDS kernel module is loaded, io_uring is enabled, and a readable SUID-root binary exists. Arch users running default configurations who have not explicitly disabled these components are at risk.

Risk level

High

The CVSS base score of 5.5 reflects the local-access requirement and is technically accurate as a base score. It does not reflect the operational severity. The four exploit chains covering chage, ssh-keysign, pkexec, and accounts-daemon together mean that root is reachable on essentially any default installation of the three affected distributions. The credential disclosure primitives (reading /etc/shadow and the SSH host private keys) are independently significant even without the code execution path: /etc/shadow hashes can be cracked offline and reused wherever the same passwords appear, and a stolen host private key lets an attacker impersonate that host to SSH clients without triggering a known_hosts mismatch, or authenticate to other machines as that host wherever host-based authentication trusts it.

The nine-year exposure window is the most uncomfortable aspect of this disclosure. Every system built on a kernel shipped after November 2016 was potentially vulnerable before it ever reached a production environment. The question of whether this flaw was privately known and exploited before Qualys made their discovery cannot be answered with certainty.

What to do

Apply the latest kernel update released by your Linux distribution immediately. Kernel patches addressing CVE-2026-46333 have been released by the major distribution vendors. After applying the update, a reboot is required to ensure the patched kernel is the one running.

If patching cannot happen immediately, raise the Yama ptrace scope as an interim workaround so that ptrace attach is limited to processes holding CAP_SYS_PTRACE:

sudo sysctl -w kernel.yama.ptrace_scope=2
echo "kernel.yama.ptrace_scope=2" | sudo tee /etc/sysctl.d/99-ptrace.conf
sysctl kernel.yama.ptrace_scope

Two caveats apply. Scope 2 breaks non-root debugger and strace attachment to running processes, so expect developer tooling on shared hosts to complain. And Yama only governs the attach-mode ptrace checks, not the read-mode checks behind interfaces such as /proc/<pid>/environ, so confirm against your distribution's advisory that the workaround covers the exploit chains relevant to you rather than treating it as a substitute for the kernel update.

Beyond the immediate fix:

  1. Apply kernel updates from your distribution's package repositories and reboot to activate the patched kernel
  2. If you had untrusted local users on affected systems during the exposure window, rotate SSH host keys across those systems and audit any administrative credential material that was resident in memory of set-uid processes
  3. For Arch Linux systems, evaluate whether the RDS module is required in your environment. If it is not, block it from loading (echo "install rds /bin/false" | sudo tee /etc/modprobe.d/disable-rds.conf) and unload it if it is currently resident (sudo modprobe -r rds). Blocking autoload matters because, where RDS is built as a loadable module, an unprivileged process can trigger loading simply by creating an AF_RDS socket; "not loaded right now" is not by itself a protection
  4. Review detection logic for privilege escalation activity involving chage, ssh-keysign, pkexec, and accounts-daemon from accounts that should not be invoking these binaries
  5. Any environment where CI/CD runners, shared developer infrastructure, or multi-tenant compute resources are present should treat this as a high-priority patch given the immediate root path from any local shell
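The checks in the list above, collected into one triage script. This is an added example written for this page, not tooling from Qualys, Zellic, V12 or any distribution, and it makes several assumptions that are labelled in the comments: Yama is exposed at /proc/sys/kernel/yama/ptrace_scope, the kernel is 6.6 or later so /proc/sys/kernel/io_uring_disabled exists, modprobe overrides live in /etc/modprobe.d, audit records follow auditd's SYSCALL line format (auid=, uid=, exe=), and the setuid helper paths in SUID_TARGETS cover the Debian/Ubuntu and Fedora layouts. The audit pass is a review list, not a verdict: chage -l and pkexec have legitimate unprivileged callers, while ssh-keysign normally does not.

```shell
#!/bin/sh
# Added example for this advisory; not tooling from Qualys, Zellic, V12 or any distribution.
# Assumptions (hypothetical, adjust for your fleet):
#   - Yama is exposed at /proc/sys/kernel/yama/ptrace_scope
#   - kernel >= 6.6, so /proc/sys/kernel/io_uring_disabled exists
#   - modprobe overrides live in /etc/modprobe.d
#   - audit records follow auditd's SYSCALL line format (auid=, uid=, exe=)
#   - helper paths below cover the Debian/Ubuntu and Fedora layouts

# Setuid helpers the advisory names as exploit-chain targets. accounts-daemon is a
# D-Bus service rather than a setuid binary, so it is only matched in the audit pass.
SUID_TARGETS="/usr/bin/chage /usr/bin/pkexec /usr/lib/openssh/ssh-keysign /usr/libexec/openssh/ssh-keysign"

# ptrace_scope_ok VALUE: succeed when the advisory's interim workaround (scope >= 2) is set.
ptrace_scope_ok() {
    case "$1" in
        2|3) return 0 ;;
        *)   return 1 ;;
    esac
}

# io_uring_disabled VALUE: succeed when io_uring is unavailable to ordinary users
# (1 = CAP_SYS_ADMIN / io_uring_group only, 2 = disabled for everyone).
io_uring_disabled() {
    case "$1" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# rds_blocked DIR: succeed when a .conf in DIR carries an "install rds ..." override,
# which is what stops socket(AF_RDS, ...) from autoloading the module.
rds_blocked() {
    grep -qsE '^[[:space:]]*install[[:space:]]+rds[[:space:]]' "$1"/*.conf
}

# rds_loaded MODULES_FILE: succeed when rds is resident (file in /proc/modules format).
rds_loaded() {
    grep -qs '^rds ' "$1"
}

# present_suid_targets: print each candidate path that exists with the setuid bit set.
present_suid_targets() {
    for p in $SUID_TARGETS; do
        [ -u "$p" ] && echo "$p"
    done
    return 0
}

# privileged_exec_events AUDIT_LOG: print "<auid> <uid> <exe>" for every SYSCALL record
# in which one of the four target binaries was executed from a non-root login session.
# auid 0 (root) and 4294967295 (no login session, i.e. a daemon start) are skipped.
privileged_exec_events() {
    awk '
    /^type=SYSCALL/ && $0 ~ /exe="[^"]*\/(chage|ssh-keysign|pkexec|accounts-daemon)"/ {
        auid = ""; uid = ""; exe = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "auid") auid = val
            else if (key == "uid") uid = val
            else if (key == "exe") { gsub(/"/, "", val); exe = val }
        }
        if (auid != "0" && auid != "4294967295") print auid, uid, exe
    }' "$1"
}

# report: run the live checks on this host and print one line per finding.
report() {
    scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo unknown)
    if ptrace_scope_ok "$scope"; then echo "OK   kernel.yama.ptrace_scope=$scope"
    else echo "WARN kernel.yama.ptrace_scope=$scope (workaround wants 2 until the kernel is patched)"; fi

    if rds_loaded /proc/modules; then echo "WARN rds module is loaded"
    else echo "OK   rds module not loaded"; fi
    if rds_blocked /etc/modprobe.d; then echo "OK   rds autoload blocked in /etc/modprobe.d"
    else echo "WARN no 'install rds' override in /etc/modprobe.d (socket(AF_RDS) can autoload it)"; fi

    iou=$(cat /proc/sys/kernel/io_uring_disabled 2>/dev/null || echo unknown)
    if io_uring_disabled "$iou"; then echo "OK   kernel.io_uring_disabled=$iou"
    else echo "WARN kernel.io_uring_disabled=$iou (PinTheft needs io_uring)"; fi

    for p in $(present_suid_targets); do echo "INFO setuid exploit-chain target present: $p"; done
    if [ -n "${AUDIT_LOG:-}" ] && [ -r "$AUDIT_LOG" ]; then
        privileged_exec_events "$AUDIT_LOG" | sed 's/^/REVIEW exec (auid uid exe): /'
    fi
    return 0
}

# Usage: sh lpe-triage.sh --report [/var/log/audit/audit.log]
if [ "${1:-}" = "--report" ]; then
    AUDIT_LOG="${2:-}"
    report
fi
```

Run it as root with --report and, optionally, the path to the audit log; WARN lines are the items from the list above that are still open on that host, and REVIEW lines are executions of the four target binaries from non-root login sessions for an analyst to check against expected callers.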

Analysis

CVE-2026-46333 reinforces a pattern that has become difficult to ignore over the past month: the Linux kernel contains a nontrivial number of privilege management flaws in foundational infrastructure code that was written years ago, audited against the threat models of the time, and then left stable. Copy Fail, Dirty Frag, and Fragnesia all shared the page-cache write primitive class. ssh-keysign-pwn is structurally different but follows the same pattern of an old commit quietly carrying an exploitable condition that nobody caught during the years of routine kernel maintenance.

The four exploit chains that Qualys identified are worth examining as an indicator of the research methodology. Discovering a ptrace access control flaw and then systematically mapping which setuid binaries can be weaponized through it, rather than stopping at a single proof of concept, represents a thorough exploitation research approach. The result is a vulnerability that is not dependent on any single binary being present, making it considerably more portable across distribution variants and system configurations.

The PinTheft disclosure adds to an already congested Linux LPE landscape. Zellic and V12 have now been responsible for multiple disclosures in this window, and the RDS subsystem has historically received less security scrutiny than higher-profile networking code. The double-free in the zerocopy send path is a fairly classic reference counting error in an error handling path, and those errors have a long track record of being exploitable precisely because they occur only under specific error conditions that are infrequently triggered during normal operation and therefore rarely audited.

For administrators managing large Linux fleets, the succession of five Linux local privilege escalation vulnerabilities disclosed in the past month, spanning algif_aead, xfrm-ESP, RxRPC, XFRM ESP-in-TCP, and now __ptrace_may_access() and the RDS subsystem, is not a coincidence. The research community has identified the Linux kernel LPE space as productive and is allocating significant effort to it. Organizations that do not have automated kernel patching in place and are relying on manual update cycles should seriously reconsider that posture in the current environment.