Qualys Discloses Linux CVE-2026-46333, Exposing SSH Keys on Kernels Released Before May 14
3 articles · Updated · ZDNet · May 15
Qualys said CVE-2026-46333 lets ordinary Linux users read highly sensitive files—including SSH host private keys and the shadow password file—making it the fourth major kernel flaw disclosed this month.
The bug stems from a ptrace access-check logic error during process exit; paired with pidfd_getfd(2), it can let unprivileged users grab file descriptors from privileged processes before they fully shut down.
Qualys reported a reliable proof-of-concept exploit, while maintainers have already shipped fixes in stable releases including 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207 and 5.10.256.
All Linux kernels released before May 14, 2026 are affected, but most distributions had not yet pushed patched packages at publication time.
Until distro updates arrive, admins can raise Yama ptrace_scope to 2 or disable host-based SSH authentication and ssh-keysign—mitigations that block attack paths but can disrupt debugging, monitoring or SSH workflows.
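As an added example (not code from Qualys, ZDNet, or the kernel project), the following read-only posture check ties the summary's mitigations together: it compares the running kernel against the fixed stable releases listed above, reports what the current Yama `kernel.yama.ptrace_scope` value means, and checks whether `sshd_config` enables host-based authentication. The fixed-version table comes only from the summary; any stable series not listed there is reported as "unknown", and a distribution kernel carrying a backport under an older version string will also show as "vulnerable", so treat the version check as a prompt to consult your vendor's advisory, not as proof.

```python
"""Posture check for the CVE-2026-46333 mitigations described above.
Added example, not from the article or the kernel project. Assumes the
fixed stable versions named in the summary and the standard Yama sysctl
kernel.yama.ptrace_scope (0-3). Read-only: it prints the sysctl commands an
admin would run instead of changing anything."""
import platform
import re
from pathlib import Path

# Fixed stable releases named in the summary, keyed by stable series.
FIXED_STABLE = {
    (6, 18): 31, (6, 12): 89, (6, 6): 139,
    (6, 1): 173, (5, 15): 207, (5, 10): 256,
}

# Standard Yama ptrace_scope semantics.
YAMA_MEANING = {
    0: "classic ptrace: any process may attach to another with the same uid",
    1: "restricted: only a descendant (or a declared tracer) may attach; common default",
    2: "admin-only: only processes with CAP_SYS_PTRACE may attach",
    3: "no attach: ptrace attach disabled; cannot be lowered again without a reboot",
}


def parse_release(release):
    """Turn a `uname -r` string such as '6.12.88-1-generic' into (6, 12, 88)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def kernel_status(release):
    """'patched', 'vulnerable' or 'unknown' by version number alone.
    'vulnerable' means 'not shown as patched by its version string'; vendor
    backports under older version strings are not detected here."""
    v = parse_release(release)
    if v is None:
        return "unknown"
    fixed = FIXED_STABLE.get((v[0], v[1]))
    if fixed is None:
        return "unknown"  # stable series not listed in the summary
    return "patched" if v[2] >= fixed else "vulnerable"


def ptrace_scope_assessment(value):
    """(blocks_attach_path, meaning): per the summary, scope 2 or higher
    removes the cross-process ptrace path an unprivileged user would need."""
    return value >= 2, YAMA_MEANING.get(value, "unrecognised value")


def hostbased_auth_enabled(sshd_config_text):
    """True if sshd_config turns on HostbasedAuthentication. OpenSSH keywords
    are case-insensitive and the first occurrence wins; Match blocks are
    ignored here, so inspect those by hand if you use them."""
    for line in sshd_config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "hostbasedauthentication" and len(parts) == 2:
            return parts[1].strip().lower() == "yes"
    return False  # OpenSSH default is 'no'


def report(release, scope, sshd_config_text):
    """Combine the three checks into a dict of findings and suggested actions."""
    blocks, meaning = ptrace_scope_assessment(scope)
    actions = []
    status = kernel_status(release)
    if status != "patched":
        actions.append("kernel %s (%s): apply the distro's fixed kernel when available"
                       % (release, status))
    if not blocks:
        actions.append("sysctl -w kernel.yama.ptrace_scope=2  "
                       "# persist in /etc/sysctl.d/ as 'kernel.yama.ptrace_scope = 2'")
    if hostbased_auth_enabled(sshd_config_text):
        actions.append("set 'HostbasedAuthentication no' in sshd_config and reload sshd")
    return {"kernel": status, "ptrace_scope": scope, "ptrace_meaning": meaning,
            "hostbased_auth": hostbased_auth_enabled(sshd_config_text),
            "actions": actions}


if __name__ == "__main__":
    scope_path = Path("/proc/sys/kernel/yama/ptrace_scope")
    scope = int(scope_path.read_text()) if scope_path.exists() else -1  # -1: Yama absent
    cfg = Path("/etc/ssh/sshd_config")
    cfg_text = cfg.read_text() if cfg.exists() else ""
    for key, val in report(platform.release(), scope, cfg_text).items():
        print(f"{key}: {val}")
```

Run it as root (or any user who can read `sshd_config`) on each host; an empty `actions` list means all three mitigation conditions from the summary are already satisfied by version string and configuration. Remember the trade-off the summary notes: scope 2 breaks debuggers and profilers that attach to other processes, so roll it out through configuration management with an exception process rather than as a one-off.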
The Linux kernel was patched today, so why is an exploit already threatening millions of servers worldwide?
Beyond stealing server keys, could this new Linux flaw allow malware to create undetectable backdoors in the cloud?