Linux Kernel CVE-2026-46333: Nine-Year-Old ptrace Race Condition Leaks SSH Private Keys and Grants Root

Qualys Threat Research Unit has disclosed CVE-2026-46333, a race condition in the Linux kernel ptrace subsystem affecting all major distributions since kernel 4.8 (2016). Four working privilege escalation exploits exist using SUID binaries; successful exploitation also discloses /etc/shadow and SSH host private keys. Patch immediately.

Qualys Threat Research Unit published CVE-2026-46333 on 20 May: a race condition in the Linux kernel's ptrace path that has been present in all major Linux distributions since kernel 4.8, introduced in 2016. The vulnerability allows any local user to escalate privileges to root. What distinguishes this disclosure from a standard kernel LPE is the secondary impact: successful exploitation also triggers credential disclosure, leaking /etc/shadow hashes and SSH host private keys to the attacker.

What Was Found

The vulnerability exists in the ptrace_attach() path, which implements the ptrace(2) system call used by debuggers and system tools. A time-of-check to time-of-use (TOCTOU) race condition in the credential-checking code allows a non-privileged attacker to attach to a SUID binary process at the moment the kernel transitions privilege levels, bypassing the permission check that should prevent non-root processes from attaching to elevated processes.

Qualys researchers developed four working exploit chains using SUID binaries found on all major Linux distributions:

  • chage (change user password expiry)
  • ssh-keysign (SSH key signing helper)
  • pkexec (PolicyKit privilege escalation helper, ironic given this binary's own history)
  • accounts-daemon (GNOME AccountsService daemon)

Each exploit chain follows the same structure: race the ptrace attach, use ptrace memory read primitives to dump kernel data structures, and either escalate the calling process to root or exfiltrate credential material.

The credential exfiltration path is particularly significant. The ssh-keysign exploit chain reads the SSH daemon's in-memory copies of host private keys. An attacker on a system running OpenSSH can silently exfiltrate the host private keys without leaving evidence in SSH logs, since no connection is made; only local memory is read.

Why It Matters

The nine-year presence of this flaw means any Linux system running kernel 4.8 or later that has not applied the patch from 20 May 2026 is vulnerable. The affected kernel range spans virtually the entire installed base of enterprise Linux: RHEL 8 and 9, Ubuntu 20.04, 22.04 and 24.04, Debian 11 and 12, SUSE Linux Enterprise, Amazon Linux 2 and 2023, and all container runtimes based on these distributions.

For cloud workloads, the SSH key exfiltration path has immediate lateral movement implications. If an attacker has achieved any initial local code execution on a Linux instance, whether via a web application exploit, container escape, or malicious package, CVE-2026-46333 provides a path to harvest SSH host keys and use them to move laterally within infrastructure where SSH host key verification is in place.

Immediate:

  • Apply kernel security updates from your distribution’s security channel:
    • Ubuntu: apt update && apt upgrade linux-generic (USN-7091-1)
    • RHEL/CentOS: dnf update kernel (RHSA-2026:XXXX)
    • Debian: apt upgrade linux-image-amd64 (DSA-XXXX)
  • Reboot all affected systems after the kernel update; the fix lives in the kernel image, so it only takes effect once the patched kernel is the one running
  • Rotate SSH host private keys on all Linux systems after patching, since compromise may have occurred without detection on systems exposed to untrusted local users or multi-tenant environments

Detection:

  • Audit ptrace usage via auditctl -a always,exit -F arch=b64 -S ptrace -k ptrace_events
  • Review audit logs for ptrace calls from non-debugger processes targeting SUID binary PIDs
  • Review /var/log/auth.log for unexpected SSH authentication using host keys from internal infrastructure
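As an added example (not from Qualys or the original article), a small Python triage script over constructed auditd records of the kind the rule above emits: it flags PTRACE_ATTACH and PTRACE_SEIZE calls issued by binaries outside a debugger allowlist against pids whose executable is in the SUID set. The sample records, the pid-to-executable snapshot, the SUID set and the allowlist are all assumptions to be replaced with real data from the host.

```python
import re

# Constructed sample auditd SYSCALL records (not real logs), shaped like what the
# page's rule (-S ptrace -k ptrace_events) emits on an x86_64 host.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1716200000.101:301): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=9c4 a2=0 a3=0 pid=2501 auid=1001 uid=1001 euid=1001 comm="racer" exe="/tmp/racer" key="ptrace_events"
type=SYSCALL msg=audit(1716200000.205:302): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=9d1 a2=0 a3=0 pid=2600 auid=1000 uid=1000 euid=1000 comm="gdb" exe="/usr/bin/gdb" key="ptrace_events"
type=SYSCALL msg=audit(1716200000.310:303): arch=c000003e syscall=101 success=no exit=-1 a0=10 a1=9c4 a2=0 a3=0 pid=2502 auid=1001 uid=1001 euid=1001 comm="racer" exe="/tmp/racer" key="ptrace_events"
type=SYSCALL msg=audit(1716200000.415:304): arch=c000003e syscall=101 success=yes exit=0 a0=4206 a1=9d1 a2=0 a3=0 pid=2700 auid=1001 uid=1001 euid=1001 comm="python3" exe="/usr/bin/python3" key="ptrace_events"
"""

# ptrace request codes (from <sys/ptrace.h>) that establish a tracer relationship.
PTRACE_ATTACH, PTRACE_SEIZE = 0x10, 0x4206
# Binaries allowed to attach as debuggers; an assumption to tune per environment.
DEBUGGER_ALLOWLIST = {"/usr/bin/gdb", "/usr/bin/strace", "/usr/bin/ltrace"}
# Constructed pid -> executable snapshot (e.g. from EXECVE records or ps) and the
# SUID set the page's find command would produce; both are assumptions.
PID_EXE = {0x9c4: "/usr/bin/chage", 0x9d1: "/home/dev/a.out"}
SUID_BINARIES = {"/usr/bin/chage", "/usr/bin/pkexec", "/usr/lib/openssh/ssh-keysign"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one key=value audit record into a dict, unquoting quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def suspicious_attaches(log_text, pid_exe, suid_set, allowlist=DEBUGGER_ALLOWLIST):
    """Return (tracer_exe, target_pid, target_exe, succeeded) for each PTRACE_ATTACH
    or PTRACE_SEIZE issued by a non-allowlisted binary against a SUID-backed pid.
    Failed attempts are kept on purpose: a race produces many of them."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        # syscall 101 is ptrace on x86_64 (arch=c000003e); other arches differ.
        if rec.get("type") != "SYSCALL" or rec.get("syscall") != "101":
            continue
        request, target = int(rec["a0"], 16), int(rec["a1"], 16)  # audit prints hex
        if request not in (PTRACE_ATTACH, PTRACE_SEIZE):
            continue
        tracer, target_exe = rec.get("exe", "?"), pid_exe.get(target, "?")
        if tracer not in allowlist and target_exe in suid_set:
            hits.append((tracer, target, target_exe, rec.get("success") == "yes"))
    return hits

if __name__ == "__main__":
    for hit in suspicious_attaches(SAMPLE_AUDIT, PID_EXE, SUID_BINARIES):
        print("ALERT ptrace attach by %s -> pid %d (%s) success=%s" % hit)
```

On a real host, feed it the output of ausearch -k ptrace_events and a pid-to-executable map built from the same audit stream, since the pid snapshot must reflect the time of the call.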

Longer term:

  • Where possible, disable ptrace for non-debugging use by setting kernel.yama.ptrace_scope = 2 in /etc/sysctl.conf; at this level only processes holding CAP_SYS_PTRACE may attach, so debuggers must be granted that capability explicitly
  • Audit SUID binaries with find / -perm -4000 -type f 2>/dev/null and reduce the set to those actually needed
