ctipilot.ch

CVE-2026-46333 ssh-keysign-pwn — 9-year ptrace race in Linux kernel __ptrace_may_access() (since v4.10-rc1, Nov 2016); four public Qualys exploits read /etc/shadow, exfiltrate SSH host keys, give root on default major distros

cve · CVE-2026-46333

Coverage timeline
1
first 2026-05-23 → last 2026-05-23
Briefs
1
1 distinct
Sources cited
6
5 hosts
Sections touched
1
deep_dive
Co-occurring entities
0
no co-occurrence

Story timeline

  1. 2026-05-23CTI Daily Brief — 2026-05-23
    deep_diveQualys TRU disclosure 2026-05-20. TOCTOU race in __ptrace_may_access() in kernel/ptrace.c since v4.10-rc1 (Nov 2016). Combined with pidfd_getfd() (v5.6-rc1) for fd-duplication primitive. Four working public exploits: chage→/etc/shadow read, ssh-keysign→SSH host key exfil, pkexec→root cmd, accounts-daemon→root cmd via D-Bus. CVSS 5.5 NVD; HIGH per Qualys. Confirmed on Debian 13, Ubuntu 24.04/26.04, Fedora 43/44. No ITW reported. Patches upstream 2026-05-14; distro packages from Debian/Fedora/RHEL/Ubuntu/SUSE/AlmaLinux/CloudLinux. Mitigation: kernel.yama.ptrace_scope=2. T1068, T1552.004.

Where this entity is cited

  • deep_dive1

Source distribution

  • blog.qualys.com2 (33%)
  • bugs.chromium.org1 (17%)
  • drupal.org1 (17%)
  • thehackernews.com1 (17%)
  • ubuntu.com1 (17%)

External references

NVD · cve.org · CISA KEV

All cited sources (6)

Items in briefs about CVE-2026-46333 ssh-keysign-pwn — 9-year ptrace race in Linux kernel __ptrace_may_access() (since v4.10-rc1, Nov 2016); four public Qualys exploits read /etc/shadow, exfiltrate SSH host keys, give root on default major distros

No parsed item heading or body matches this entity yet. Items match by exact CVE id (for CVE entities), by lead-segment substring of the title in the item heading or body, or by a distinctive anchor token from the title appearing in the item heading. Coverage that lives inside a broader section (no per-item heading) is captured by the Story timeline above.