Back

Linux Kernel Vulnerability Allows Unauthorized File Access by Unprivileged Users

Severity: High (Score: 74.0)

Sources: Foro3D, Heise.De

Published: 2026-05-17 · Updated: 2026-05-18

Keywords: linux, point, patches, ssh-keysign-pwn, flaw, users, several

Severity indicators: flaw

Summary

A critical vulnerability in the Linux kernel, identified as ssh-keysign-pwn, allows unprivileged users to read sensitive files owned by root, including SSH private keys and password files. The flaw exploits a race condition in the ptrace_may_access() function, which fails to restrict access adequately during process termination. Discovered by security researcher _SiCK and confirmed by Qualys, the vulnerability was addressed in Linux kernel version 7.0.8, released on May 15, 2026. The patch modifies the get_dumpable() logic to prevent unauthorized access without breaking existing functionalities. System administrators are advised to apply the patch promptly, as the vulnerability has not yet been assigned a CVE identifier. A workaround is available for immediate mitigation. The issue highlights ongoing security challenges within the Linux kernel. Key Points: • The ssh-keysign-pwn vulnerability allows unprivileged users to access root-owned files. • Linux kernel version 7.0.8 includes a patch that addresses this critical flaw. • System administrators are urged to apply the patch immediately to secure their systems.

Detailed Analysis

**Impact** Unprivileged local Linux users can escalate privileges to read sensitive root-owned files such as SSH private keys and the password file (/etc/shadow). This affects all Linux systems running vulnerable kernel versions prior to 7.0.8 and corresponding LTS branches, potentially impacting servers and endpoints globally across all sectors using Linux. Unauthorized access to these files risks credential theft, unauthorized access, and lateral movement within affected environments. **Technical Details** The vulnerability exploits a race condition in the Linux kernel’s ptrace_may_access() and get_dumpable() functions related to process termination and memory management. The flaw allows unprivileged users to read files opened by terminating root processes via ptrace, bypassing normal permission checks. The exploit, demonstrated by the ssh-keysign-pwn proof of concept, targets setuid root executables. No CVE identifier has been assigned yet. The attack occurs during the privilege escalation stage of the kill chain. No specific IOCs or malware tools were reported. **Recommended Response** Apply the Linux kernel update version 7.0.8 or corresponding patches for LTS branches immediately to remediate the vulnerability. Until patches are deployed, implement the mitigation by setting `echo 3 > /proc/sys/kernel/yama/ptrace_scope` to restrict ptrace access. Monitor for unusual ptrace activity and access attempts to sensitive files by non-root users. Maintain vigilance for any exploitation attempts targeting setuid root executables.

Source articles (2)

  • Linux Seven Point Zero Point Eight and LTS Patches Fix ssh-keysign-pwn Flaw — Foro3D · 2026-05-17
    The Linux kernel receives an urgent update with version 7.0.8, accompanied by patches for several LTS branches. The reason is to fix the ssh-keysign-pwn vulnerability, a flaw that allowed unprivileged…
  • Privilege escalation in Linux: Local users can read foreign files — Heise.De · 2026-05-15
    This is the fourth security vulnerability in just a few days that allows Linux users to escalate their privileges. A security researcher nicknamed _SiCK published several examples on Github that explo…

Timeline

  • 2026-05-15 — Linux kernel 7.0.8 released: The release includes a patch for the ssh-keysign-pwn vulnerability, fixing unauthorized file access issues.
  • 2026-05-15 — Vulnerability discovered by _SiCK: Security researcher _SiCK published exploits demonstrating the ssh-keysign-pwn flaw, prompting immediate attention.
  • 2026-05-17 — Article published on vulnerability details: Foro3D reports on the Linux kernel update and the nature of the ssh-keysign-pwn vulnerability.

Related entities

  • Zero-day Exploit (Attack Type)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • german.it (Domain)
  • T1003 - OS Credential Dumping (Mitre Attack)
  • Linux (Platform)
  • Ssh-keysign-pwn (Vulnerability)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed