Last updated: July 5, 2026 at 9:01 AM UTC
Tag: qualys (1 article)

Qualys discloses 9-year-old Linux kernel ptrace flaw CVE-2026-46333 (ssh-keysign-pwn) - root via chage, ssh-keysign, pkexec, accounts-daemon

Qualys has disclosed a nine-year-old privilege-management flaw in the Linux kernel's ptrace access check that lets an unprivileged local user read /etc/shadow and the host's SSH private keys, then use any of four post-disclosure exploit chains (via chage, ssh-keysign, pkexec, or accounts-daemon) to run commands as root. The bug is tracked as CVE-2026-46333 and was introduced in November 2016 in the kernel's __ptrace_may_access() function. It affects default installs of Debian, Fedora, and Ubuntu. A proof-of-concept has been published and the fixing commit has landed in the public kernel tree. Qualys recommends rotating SSH host keys on any host that allowed untrusted local users while it was unpatched.

Check
Run uname -r to inventory running kernels and compare each release against your distribution's advisory for CVE-2026-46333. Identify hosts that give untrusted local users a shell (shared dev boxes, multi-tenant CI runners, jump hosts). Search /var/log/auth.log for chage, ssh-keysign, pkexec, and accounts-daemon invocations by users who do not normally run them.
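The three checks above as one triage script. This is an added example written for this page, not code from Qualys or the original article; the file paths default to the usual system locations but are parameters so the functions can run against the constructed sample passwd and auth.log data embedded below (made up for illustration, not captured output), and the UID 1000 cut-off for human accounts is an assumption to adjust to site policy.

```shell
#!/bin/sh
# Added triage helper for the "Check" steps. Example code for this page, not
# from Qualys or the original article. Paths default to the real system files
# but are parameters so the functions also run on the constructed sample data.

# Step 1: kernel inventory. Print the running release to compare against the
# distribution advisory for CVE-2026-46333.
kernel_release() {
    uname -r
}

# Step 2: accounts that can obtain a shell. Lists passwd entries with UID 1000
# or above (assumed human-user range; adjust to site policy), skipping nobody
# (65534) and accounts whose shell is nologin or false. Any untrusted name here
# puts the host in scope for the bug.
login_users() {
    passwd_file="${1:-/etc/passwd}"
    awk -F: '$3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }' "$passwd_file"
}

# Step 3: count auth-log lines mentioning each of the four tools named in the
# advisory and print "<tool> <count>" for those that appear. pkexec and chage
# log through PAM/syslog on most distributions, so hits alone are not proof of
# exploitation; review the user, time and command in each matching line.
suspicious_auth_events() {
    log_file="${1:-/var/log/auth.log}"
    [ -r "$log_file" ] || { echo "cannot read $log_file" >&2; return 1; }
    for tool in chage ssh-keysign pkexec accounts-daemon; do
        n=$(grep -c -E "(^|[^A-Za-z-])${tool}([^A-Za-z-]|$)" "$log_file" || true)
        [ "$n" -gt 0 ] && echo "$tool $n"
    done
    return 0
}

# Constructed sample data standing in for /etc/passwd and /var/log/auth.log.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
ci-runner:x:1001:1001::/var/lib/ci:/bin/sh
backup-svc:x:1002:1002::/var/backups:/usr/sbin/nologin'

SAMPLE_AUTH_LOG='Jul  4 02:13:01 host sshd[2104]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Jul  4 02:14:10 host chage[2210]: pam_unix(chage:chauthtok): password changed for root
Jul  4 02:14:12 host pkexec[2215]: alice: Executing command [USER=root] [COMMAND=/bin/sh]
Jul  4 02:14:13 host pkexec[2218]: alice: Executing command [USER=root] [COMMAND=/bin/sh]
Jul  4 02:15:00 host CRON[2300]: pam_unix(cron:session): session opened for user root'

# Offline demonstration on the constructed data; on a real host call the
# functions with no arguments to use the live files.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_PASSWD" > "$demo_dir/passwd"
printf '%s\n' "$SAMPLE_AUTH_LOG" > "$demo_dir/auth.log"
echo "kernel: $(kernel_release)"
echo "shell accounts: $(login_users "$demo_dir/passwd" | tr '\n' ' ')"
suspicious_auth_events "$demo_dir/auth.log"
rm -rf "$demo_dir"
```

On the sample data the script reports alice and ci-runner as shell accounts and one chage plus two pkexec events; a host where either account is untrusted should be treated as in scope and the pkexec lines reviewed for the command run and the time.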
Affected
Default installs of Debian, Fedora, and Ubuntu running Linux kernels that include the November 2016 __ptrace_may_access() change. Servers that give untrusted local users a shell are at highest risk.
Fix
Apply the latest distribution kernel updates. Temporary workaround: set kernel.yama.ptrace_scope = 2 (persist it under /etc/sysctl.d); note that this also stops unprivileged users from attaching debuggers such as gdb or strace to their own processes. Once the patched kernel is running, rotate SSH host keys and any credentials held by setuid processes on hosts that allowed untrusted local users; rotating before patching leaves the new keys readable through the same bug.
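The workaround and rotation steps above as a script. This is an added example written for this page, not code from Qualys or a distribution; the drop-in file name is this example's choice, the sysctl and /etc/ssh paths are the standard ones, and the scope check takes a file path so it can be exercised against a constructed value instead of the live /proc entry. Run the apply and rotate functions as root on a real host.

```shell
#!/bin/sh
# Added example for the "Fix" steps; written for this page, not taken from
# Qualys or a distribution. Paths default to the standard locations but are
# parameters so the functions can be exercised against a temporary directory
# and a constructed ptrace_scope value.

# Persist the workaround as a sysctl drop-in (file name chosen for this example).
write_ptrace_dropin() {
    dropin_dir="${1:-/etc/sysctl.d}"
    mkdir -p "$dropin_dir"
    printf 'kernel.yama.ptrace_scope = 2\n' > "$dropin_dir/99-ptrace-scope.conf"
}

# Apply the setting to the running kernel without waiting for a reboot.
apply_ptrace_scope() {
    sysctl -w kernel.yama.ptrace_scope=2
}

# Read the effective value; the path is a parameter so it can point at a test file.
current_ptrace_scope() {
    cat "${1:-/proc/sys/kernel/yama/ptrace_scope}"
}

# Succeeds when scope is 2 or 3. Scope 2 limits ptrace to CAP_SYS_PTRACE, which
# also stops unprivileged users from running "gdb -p" or "strace -p" on their
# own processes. Scope 3 disables attach entirely and cannot be lowered again
# until reboot, so do not pick it casually.
ptrace_scope_is_restricted() {
    scope=$(current_ptrace_scope "$1")
    [ "$scope" -ge 2 ]
}

# Setuid binaries whose credentials the advisory says to rotate; inventory them
# first so the rotation list is complete.
setuid_binaries() {
    find / -xdev -perm -4000 -type f 2>/dev/null
}

# Rotate the sshd host keys. ssh-keygen -A only generates keys that are
# missing, so the old pairs are removed first; clients that pinned the old keys
# will see a host-key-changed warning and need their known_hosts updated. Do
# this only after the patched kernel is running, or the new keys can be read
# the same way the old ones were.
rotate_host_keys() {
    rm -f /etc/ssh/ssh_host_*_key /etc/ssh/ssh_host_*_key.pub
    ssh-keygen -A
    for pub in /etc/ssh/ssh_host_*_key.pub; do
        ssh-keygen -l -f "$pub"
    done
    # Debian and Ubuntu name the unit ssh; Fedora names it sshd.
    systemctl restart ssh 2>/dev/null || systemctl restart sshd
}

# Offline demonstration against a temporary directory and a constructed scope
# value of 1 (the common default). On a real host call apply_ptrace_scope and
# rotate_host_keys directly instead.
demo_dir=$(mktemp -d)
write_ptrace_dropin "$demo_dir/sysctl.d"
cat "$demo_dir/sysctl.d/99-ptrace-scope.conf"
printf '1\n' > "$demo_dir/ptrace_scope"
if ptrace_scope_is_restricted "$demo_dir/ptrace_scope"; then
    echo "ptrace already restricted"
else
    echo "ptrace_scope is $(current_ptrace_scope "$demo_dir/ptrace_scope"); workaround needed"
fi
rm -rf "$demo_dir"
```

The order matters: write and apply the sysctl while waiting for the kernel update, then patch, then rotate keys and print the new fingerprints so they can be pushed to clients and bastion known_hosts files.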