
Luci Stanescu
on 19 May 2026

CVE-2026-46333 (ssh-keysign-pwn) Linux kernel vulnerability mitigations


An information disclosure security vulnerability in the Linux kernel was publicly disclosed on May 15th, 2026. The vulnerability was reported by Qualys and fixed in the mainline Linux kernel tree. A proof-of-concept exploit was published soon after public disclosure. The ID CVE-2026-46333 was assigned, but the vulnerability is also referred to as “ssh-keysign-pwn”, based on the proof-of-concept exploit.

The vulnerability is a race condition that can result in the disclosure of sensitive files to unprivileged local users. The exploit demonstrates this by disclosing the contents of the /etc/shadow file (containing hashed local user passwords) and OpenSSH server host private keys (which could facilitate SSH on-path attacks or impact SSH host-based authentication).

CVE-2026-46333 has been assigned a CVSS 3.1 score of 5.5 by CISA, corresponding to a severity of Medium. Canonical agrees with this assessment. The Ubuntu Priority assigned is High, due to the disclosure of sensitive local information to unprivileged users.

This post describes a mitigation that disables the ability to exploit the vulnerability, at a cost of being unable to run debugging tools (such as gdb and gcore) as unprivileged users.

Impact

The vulnerability allows disclosure of files opened by a suid or sgid executable to an unprivileged attacker that invokes the suid or sgid executable. The race condition occurs as the privileged process exits, which requires the executable to keep the sensitive files open when exiting. During a short window, an unprivileged attacker can inspect an invoked privileged process using the ptrace() system call.

The demonstrated exploits include:

  • The ability to read the contents of the /etc/shadow file via the sgid /usr/bin/chage. The file contains hashed local user passwords and would require an additional brute-force attack in order to retrieve the plain-text passwords. The algorithms used by Ubuntu are considered strong against such attacks, but require passwords that conform to current best practices.
  • The ability to read the OpenSSH server host private keys via the suid /usr/lib/openssh/ssh-keysign. These are used by the OpenSSH server to prove its identity to clients and ensure that an on-path attack does not compromise SSH connections. Additionally, the OpenSSH host keys are used for host-based authentication and their disclosure could lead to user impersonation on deployments that use this uncommon authentication method.

On container deployments, the information that can be disclosed is strictly within the confines of the container and, generally, unlikely to be useful to an attacker.

Affected releases

In Ubuntu, the vulnerability fix will be distributed through the Linux kernel image packages. Until the Linux kernel security update is available, a mitigation can be applied according to the instructions below. The mitigation will impact debuggers, such as gdb. The mitigation will not be necessary once the kernel is updated.

| Release | Package Name | Fixed Version |
| --- | --- | --- |
| Trusty Tahr (14.04 LTS) | linux | Affected |
| Xenial Xerus (16.04 LTS) | linux | Affected |
| Bionic Beaver (18.04 LTS) | linux | Affected |
| Focal Fossa (20.04 LTS) | linux | Affected |
| Jammy Jellyfish (22.04 LTS) | linux | Affected |
| Noble Numbat (24.04 LTS) | linux | Affected |
| Questing Quokka (25.10) | linux | Affected |
| Resolute Raccoon (26.04 LTS) | linux | Affected |

How to check if you are impacted

All of the releases from the table above are impacted.

Manual mitigation

The mitigation disables the ability of unprivileged users to attach to other processes using the ptrace() system call. This is generally used by debuggers. The kernel.yama.ptrace_scope sysctl can be used to restrict the situations in which the affected system call can be used. On Ubuntu, the sysctl parameter defaults to the value 1, which imposes an ancestor-descendant relationship between the attacker’s process and the victim. The scope can be further restricted with one of the following values:

  • 2: this disallows the use of the ptrace() system call for users without the CAP_SYS_PTRACE privilege, which is the case for most users. As such, an attacker would not normally have this capability. Debugging tools that utilize ptrace, such as gdb and gcore, will be impacted for unprivileged users.
  • 3: this disables attaching to processes using ptrace() altogether. Debugging tools that utilize ptrace, such as gdb and gcore, will be impacted for all users, including privileged ones.

Please note that if the sysctl is set to the value 3, it cannot be changed without a system reboot.

The following instructions change the currently running value of the kernel.yama.ptrace_scope sysctl and configure a drop-in file (/etc/sysctl.d/99-CVE-2026-46333.conf) to retain the value across reboots. We consider setting the sysctl to the value 2 to be a sufficient mitigation. If you wish to use the value 3, you can adjust the command accordingly.

echo kernel.yama.ptrace_scope=2 | sudo tee /etc/sysctl.d/99-CVE-2026-46333.conf
sudo sysctl -p /etc/sysctl.d/99-CVE-2026-46333.conf
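
To confirm that the mitigation is active now and will still apply after a reboot, the following check can be used. It is an added example, not part of the original post or a Canonical tool; the function names are illustrative, and it assumes that only the drop-in directory passed to it (by default /etc/sysctl.d) needs to be inspected.

```shell
#!/bin/sh
# Added example: audit the kernel.yama.ptrace_scope mitigation.
# Function names are illustrative; paths are parameters so fixtures can be used.

# Print the running value, or "absent" if the Yama sysctl is not exposed.
running_scope() {
    f="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Print the value the drop-ins in one directory would apply at boot.
# Files are read in lexical order and the last assignment wins, so a
# later file can silently override 99-CVE-2026-46333.conf.
# Assumption: only this directory is inspected (not /run or /usr/lib).
persisted_scope() {
    dir="${1:-/etc/sysctl.d}"
    val=unset
    for conf in "$dir"/*.conf; do
        [ -r "$conf" ] || continue
        v=$(sed -n 's/^[[:space:]]*-\{0,1\}kernel\.yama\.ptrace_scope[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$conf" | tail -n 1)
        if [ -n "$v" ]; then val="$v"; fi
    done
    echo "$val"
}

# Exit status: 0 mitigated, 1 running value too permissive, 2 not persistent.
assess() {
    run="$1"; boot="$2"
    case "$run" in
        2|3) ;;
        *) echo "exposed: running=$run"; return 1 ;;
    esac
    case "$boot" in
        2|3) echo "mitigated: running=$run persisted=$boot" ;;
        *) echo "not-persistent: running=$run persisted=$boot"; return 2 ;;
    esac
}

# Run against the live system only when asked to: ./script --check
if [ "${1:-}" = "--check" ]; then
    assess "$(running_scope)" "$(persisted_scope)"
    exit $?
fi
```

A "not-persistent" result means the running value is restrictive but the inspected drop-ins would set a lower value (or none) at the next boot.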

Disabling the mitigation

Once kernel updates are available and installed, the mitigation can be removed:

sudo rm /etc/sysctl.d/99-CVE-2026-46333.conf
sudo sysctl kernel.yama.ptrace_scope=1

We recommend you do not set this parameter to the value 0, as doing so would disable the protections provided by the feature, as explained here.
