Linux Kernel Flaw ssh-keysign-pwn Steals SSH Keys, Shadow

Added: 2026-05-22

[00:00:00]Fourth Linux kernel bug in 3 weeks dropped on May 14th. Qualys disclosed it nicknamed SSH key sign pone after one of the two public exploits. And this one breaks the pattern. It doesn't get the attacker a root shell. Instead, it steals SSH host private keys and the file that stores every user's password hash.

[00:00:22]Most Linux services that need brief admin access are SUID helpers. Small programs marked so they run as root no matter who launches them. They do their job, drop privileges, and exit. SSH key sign is one. It opens the SSH host private keys, the keys that identify your server to anyone connecting to it.

[00:00:44]Another is change, which opens /etc/shadow, the file holding everyone's password hashes.

[00:00:52]Both are root owned. You should not be able to read either as a normal user.

[00:00:57]During process shutdown, the Linux kernel tears things down in stages.

[00:01:02]First, it releases the process's memory.

[00:01:05]A moment later, it closes the open files. There's a brief window in between where the process is half dead. Its memory is gone, but the files it opened earlier, including the root owned ones, are still live. The kernel has a permission check that decides whether one process can pry into another.

[00:01:26]That check has a logic bug going back to 2020.

[00:01:30]It skips its safety verification when the target's memory is already gone. So, during the half-dead window, an unprivileged user who launched the SUID helper can copy those open files out of the dying process.

[00:01:45]The user reads them with normal permissions.

[00:01:49]The race is narrow. Qualys's exploit spawns the SUID helper between 100 and 2,000 times to land a steal. But it does land. It's worth noting that Jan Horn at Google Project Zero proposed a fix for this class of bug back in October 2020.

[00:02:08]It never got merged. Six years later, Qualys turned the same conceptual flaw into a working credential heist. Linus pushed a fix the same day. If your distro hasn't shipped the patch kernel yet, you can shut the exploit down with a single sysctl.

[00:02:26]kernel.yama.ptrace_scope set to three. That tells the kernel to refuse process tracing requests entirely and the buggy code path never runs.