Critical Linux Kernel Vulnerability 'ssh-keysign-pwn' Exposes SSH Keys and Passwords

Severity: High (Score: 74.0)

Sources: Cybersecuritynews, www.cve.org, nvd.nist.gov, Almalinux

Summary

A significant Linux kernel vulnerability, tracked as CVE-2026-46333 and nicknamed 'ssh-keysign-pwn', was disclosed on May 15, 2026. This flaw allows attackers to read sensitive data, including SSH private keys and password hashes, from affected systems. The vulnerability affects AlmaLinux 9 and 10, with confirmed public exploits available as of May 16, 2026. The underlying bug allows unprivileged processes to access open file descriptors from privileged processes that have dropped their memory mappings. AlmaLinux 8 is also affected, though not currently exploitable with existing proof-of-concept exploits. Patches for all affected versions are available in the testing repository, with production releases pending community verification. A mitigation strategy involves tightening Yama's ptrace_scope settings to block public exploits. Security teams are urged to apply the patches promptly. Key Points: • CVE-2026-46333 allows attackers to access SSH keys and password hashes. • Public exploits for the vulnerability became available on May 16, 2026. • Patches for AlmaLinux 8, 9, and 10 are in testing and will soon be released to production.

Key Entities

• Data Breach (attack_type)
• Zero-day Exploit (attack_type)
• CVE-2026-46333 (cve)
• CWE-200 - Exposure of Sensitive Information (cwe)
• CWE-269 - Improper Privilege Management (cwe)
• bugs.almalinux.org (domain)
• kernel.org (domain)
• [email protected] (email)
• T1003 - OS Credential Dumping (mitre_attack)
• T1068 - Exploitation for Privilege Escalation (mitre_attack)
• AlmaLinux (platform)
• Linux (platform)
• Gdb (tool)
• Strace (tool)
• Ssh-keysign-pwn (vulnerability)