Nine-year Linux kernel flaw lets local users gain root

A nine-year-old Linux kernel bug (CVE-2026-46333) lets unprivileged local users read /etc/shadow and SSH host keys and run commands as root on default Debian, Fedora and Ubuntu installs.

A nine-year-old Linux kernel vulnerability tracked as CVE-2026-46333 and assigned a CVSS score of 5.5 allows unprivileged local users to access sensitive files and gain root on default installations of Debian, Fedora and Ubuntu. Security firm Qualys disclosed the flaw, which it calls ssh-keysign-pwn, after a public kernel commit and the release of a proof-of-concept exploit.

Qualys traced the defect to improper privilege handling in the kernel function __ptrace_may_access(), a change introduced in November 2016. The company published technical details and an exploit analysis following the public code change and PoC release last week.

A successful exploit can reveal /etc/shadow and SSH host private keys under /etc/ssh/*_key. Qualys identified at least four exploit paths that lead to root execution by targeting chage, ssh-keysign, pkexec and accounts-daemon on default installations that have not been specifically hardened.

Qualys’ senior manager Saeed Abbasi described the primitive as “reliable and turns any local shell into a path to root or to sensitive credential material.”

The primary fix is to install the latest kernel updates provided by distribution vendors. For systems that cannot be updated immediately, setting kernel.yama.ptrace_scope to 2 via sysctl limits ptrace access and can reduce exposure. Hosts that allowed untrusted local users during the exposure period should treat SSH host keys and locally cached credentials as potentially disclosed and rotate keys and credentials as needed.
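A defender-side check for the interim ptrace_scope mitigation described above, added here as an example that is not from the article or from Qualys; the sysctl.d drop-in name and the audit/apply subcommands are assumptions.

```shell
#!/bin/sh
# Added example, not from the article or from Qualys: audit the Yama
# ptrace_scope value the article names as an interim mitigation and, when
# run as root with "apply", persist 2 through a sysctl.d drop-in. The
# drop-in file name is an assumption, not a distribution convention.
set -u
PTRACE_SCOPE_FILE=/proc/sys/kernel/yama/ptrace_scope
DROPIN=/etc/sysctl.d/60-yama-ptrace-scope.conf   # assumed name

# Yama semantics: 0 classic, 1 restricted (descendants only),
# 2 admin-only (CAP_SYS_PTRACE needed), 3 no attach at all.
ptrace_scope_label() {
    case "$1" in
        0) echo "classic" ;;
        1) echo "restricted" ;;
        2) echo "admin-only" ;;
        3) echo "no-attach" ;;
        *) echo "unknown" ;;
    esac
}

# Print the current value. The path is a parameter so the check can be
# run against a constructed file; "absent" means Yama is not available.
ptrace_scope_current() {
    f="${1:-$PTRACE_SCOPE_FILE}"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo "absent"; fi
}

# Exit 0 when the value meets the interim mitigation (2 or stricter).
ptrace_scope_hardened() {
    case "$(ptrace_scope_current "${1:-$PTRACE_SCOPE_FILE}")" in
        2|3) return 0 ;;
        *)   return 1 ;;
    esac
}

# Persist ptrace_scope=2 and apply it now. Value 2 also stops unprivileged
# debuggers (gdb, strace) attaching to other processes, so stage it first.
apply_ptrace_scope() {
    printf 'kernel.yama.ptrace_scope = 2\n' > "$DROPIN"
    sysctl -w kernel.yama.ptrace_scope=2
}

case "${1:-audit}" in
    audit) v="$(ptrace_scope_current)"
           echo "ptrace_scope=$v ($(ptrace_scope_label "$v"))"
           ptrace_scope_hardened && echo "interim mitigation in place" ||
               echo "NOT hardened: update the kernel or run '$0 apply' as root" ;;
    apply) apply_ptrace_scope ;;
esac
```

Run it without arguments to audit a host; the audit reports "absent" when the Yama LSM is not present, which is itself worth noting because the sysctl mitigation then does not apply.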

CVE-2026-46333 follows several recent Linux kernel disclosures, including defects known as Copy Fail, Dirty Frag and Fragnesia. A separate proof-of-concept called PinTheft demonstrates a local privilege escalation on Arch Linux when the Reliable Datagram Sockets (RDS) module is loaded, io_uring is enabled, a readable SUID-root binary is present, and x86_64 support is available. Researchers described PinTheft as stemming from an RDS zerocopy double-free that can be turned into a page-cache overwrite via io_uring fixed buffers.

System administrators should prioritize kernel updates from their distribution vendors, rotate SSH host keys for systems that allowed untrusted local users during the exposure window, and inspect any credentials that might have been resident in set-uid process memory during the exposure period.