9-Year-Old Linux Kernel Flaw Discovered — Root Access Possible on Debian, Ubuntu, and Fedora

Cybersecurity researchers at Qualys have uncovered a critical privilege escalation vulnerability in the Linux kernel that went undetected for nine years. Tracked as CVE-2026-46333 and codenamed "ssh-keysign-pwn", the flaw was quietly introduced into the kernel back in November 2016 and affects default installations of several of the most widely used Linux distributions, including Debian, Ubuntu, and Fedora.

What the Flaw Does

The vulnerability stems from improper privilege management in the kernel's __ptrace_may_access() function, a core component that governs whether one process may inspect or control another. An unprivileged local user who exploits this flaw can read highly sensitive files and escalate privileges all the way to root, without any special system configuration being required.

In practice, a successful attack can expose the contents of /etc/shadow, the file containing hashed user passwords, as well as the private SSH host keys stored under /etc/ssh/. Beyond credential theft, the flaw can be weaponized to execute arbitrary commands as root through four separate exploit paths targeting the utilities chage, ssh-keysign, pkexec, and accounts-daemon.

As Saeed Abbasi, senior manager of Qualys' Threat Research Unit, put it, the flaw turns any local shell into a reliable path to root or to sensitive credential material.

Exploit Code Already Public

A proof-of-concept exploit was published shortly after a public kernel commit appeared, meaning the window between public awareness and potential active exploitation is already narrow. This is the latest in a string of Linux kernel privilege escalation vulnerabilities disclosed over the past month, following Copy Fail, Dirty Frag, and Fragnesia.

What to Do

The recommended course of action is to apply the latest kernel update provided by your Linux distribution as soon as possible. For systems where an immediate update is not feasible, a temporary workaround is available: raising the kernel parameter kernel.yama.ptrace_scope to a value of 2, which restricts ptrace access and limits the attack surface.

Qualys also advises that on any host that has allowed untrusted local users during the period of exposure, SSH host keys and locally cached credentials should be treated as potentially compromised. Rotating host keys and auditing any administrative material that may have resided in the memory of set-uid processes is strongly recommended.
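The two steps above (check and apply the ptrace_scope workaround, then persist it) as an added example; this script is not from the article or from Qualys. It assumes the Yama sysctl lives at /proc/sys/kernel/yama/ptrace_scope and that persistent settings go in /etc/sysctl.d; file and directory arguments are parameters so the functions can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not from the article or from Qualys: audit the Yama
# ptrace_scope setting and apply the kernel.yama.ptrace_scope=2 workaround.
# Assumed paths: /proc/sys/kernel/yama/ptrace_scope (Yama sysctl) and
# /etc/sysctl.d for the persistent drop-in.

YAMA_FILE="/proc/sys/kernel/yama/ptrace_scope"
SYSCTL_DIR="/etc/sysctl.d"

# classify_ptrace_scope FILE
# Prints: missing | unrestricted | restricted | admin-only | disabled | unknown
#   0 = classic ptrace rules (any same-uid process may attach)
#   1 = only a descendant may be traced (common distro default)
#   2 = only processes holding CAP_SYS_PTRACE may attach (the advised value)
#   3 = ptrace attach disabled entirely; cannot be lowered again until reboot
classify_ptrace_scope() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "missing"   # Yama LSM not built in or not enabled on this kernel
        return 0
    fi
    case "$(tr -d '[:space:]' < "$file")" in
        0) echo "unrestricted" ;;
        1) echo "restricted" ;;
        2) echo "admin-only" ;;
        3) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# mitigated FILE -> exit 0 when the setting is at least 2
mitigated() {
    case "$(classify_ptrace_scope "$1")" in
        admin-only|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# write_sysctl_dropin DIR -> writes the persistent fragment and prints its path
write_sysctl_dropin() {
    mkdir -p "$1"
    printf 'kernel.yama.ptrace_scope = 2\n' > "$1/99-ptrace-scope.conf"
    echo "$1/99-ptrace-scope.conf"
}

# Read-only report, safe to run as any user.
audit() {
    state=$(classify_ptrace_scope "$YAMA_FILE")
    echo "ptrace_scope: $state"
    if mitigated "$YAMA_FILE"; then
        echo "workaround in place"
    else
        echo "workaround NOT in place; patch the kernel or run '$0 apply' as root"
    fi
}

# Apply immediately and persist across reboots; requires root.
apply_workaround() {
    if [ "$(classify_ptrace_scope "$YAMA_FILE")" = "missing" ]; then
        echo "Yama sysctl absent: workaround cannot be applied here, patch instead" >&2
        return 2
    fi
    sysctl -w kernel.yama.ptrace_scope=2 || return 1
    write_sysctl_dropin "$SYSCTL_DIR"
}

case "${1:-audit}" in
    audit) audit ;;
    apply) apply_workaround ;;
    *) echo "usage: $0 [audit|apply]" >&2 ;;
esac
```

Run it without arguments for a read-only check, or as root with `apply`. Two caveats worth knowing before rolling this out: a value of 2 also stops unprivileged debuggers (gdb attach, strace -p) for every user on the host, and a value of 3 cannot be lowered again until the next reboot. For the host key rotation in the paragraph above, remove the old key pairs from /etc/ssh, regenerate them with `ssh-keygen -A`, restart sshd, and expect clients to see changed-host-key warnings until the new fingerprints are distributed.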

Also: New "PinTheft" Exploit Targets Arch Linux Systems

In related news, a proof-of-concept for a separate local privilege escalation exploit dubbed PinTheft was also released this week, targeting Arch Linux systems. The exploit chains a double-free vulnerability in the Reliable Datagram Sockets (RDS) kernel module with io_uring fixed buffers to corrupt the page cache and achieve root access.

For PinTheft to work, the RDS module must be loaded on the target system, io_uring must be enabled, a readable SUID-root binary must be present, and the system must be running on x86_64 architecture. Organizations running Arch Linux should review their kernel module configurations and monitor for updates addressing this issue.
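The preconditions listed above, turned into an exposure check an administrator can run across a fleet. This is an added example, not from the article or from the PinTheft write-up; it assumes /proc/modules for the loaded-module list, the kernel.io_uring_disabled sysctl (present on Linux 6.6 and later) for io_uring status, and `uname -m` for the architecture, and it does not enumerate SUID binaries. Paths are parameters so the checks can run against constructed input.

```shell
#!/bin/sh
# Added example, not part of the article or of the PinTheft write-up: count how
# many of the listed PinTheft preconditions a host meets. Assumed sources:
# /proc/modules, /proc/sys/kernel/io_uring_disabled (Linux 6.6+), uname -m.

MODULES_FILE="/proc/modules"
IO_URING_SYSCTL="/proc/sys/kernel/io_uring_disabled"

# module_loaded NAME FILE -> exit 0 if NAME is a loaded module in FILE
# (each /proc/modules line begins with the module name followed by a space)
module_loaded() {
    name="$1"; file="$2"
    [ -r "$file" ] && grep -q "^$name " "$file"
}

# io_uring_state FILE -> prints enabled | restricted | disabled | unknown-sysctl
#   0 = io_uring available to all, 1 = only root / io_uring group, 2 = disabled
io_uring_state() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "unknown-sysctl"   # older kernel: no sysctl, io_uring enabled unless built out
        return 0
    fi
    case "$(tr -d '[:space:]' < "$file")" in
        0) echo "enabled" ;;
        1) echo "restricted" ;;
        2) echo "disabled" ;;
        *) echo "unknown-sysctl" ;;
    esac
}

# exposure_score MODULES_FILE IO_URING_FILE ARCH -> prints preconditions met (0-3)
exposure_score() {
    n=0
    module_loaded rds "$1" && n=$((n + 1))
    case "$(io_uring_state "$2")" in
        enabled|unknown-sysctl) n=$((n + 1)) ;;
    esac
    [ "$3" = "x86_64" ] && n=$((n + 1))
    echo "$n"
}

# report -> human-readable summary for the running host
report() {
    arch=$(uname -m)
    echo "rds module loaded:  $(module_loaded rds "$MODULES_FILE" && echo yes || echo no)"
    echo "io_uring state:     $(io_uring_state "$IO_URING_SYSCTL")"
    echo "architecture:       $arch"
    echo "preconditions met:  $(exposure_score "$MODULES_FILE" "$IO_URING_SYSCTL" "$arch") of 3 checked"
}

report
```

A score of 3 means the host matches every checked precondition and should be prioritised for the kernel update; blacklisting the rds module (`install rds /bin/false` in a modprobe.d file) removes one of them on hosts that do not use RDS, and setting kernel.io_uring_disabled to 2 removes another where no workload depends on io_uring.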
