Full Report
Plus ModuleJail, a radical proposal for minimizing the impact of similar bugs
Analysis Summary
# Vulnerability: ssh-keysign-pwn (Improper get_dumpable logic)
## CVE Details
- **CVE ID:** CVE-2026-46333
- **CVSS Score:** N/A (Local Privilege Escalation/Information Disclosure)
- **CWE:** CWE-212 (Improper Removal of Sensitive Information before Storage or Transfer) / CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
## Affected Systems
- **Products:** Linux Kernel
- **Versions:** Affected LTS branches include 5.10, 5.15, 6.1, 6.6, 6.12, 6.18, and 7.0.
- **Configurations:** Systems where unprivileged local users have shell access.
## Vulnerability Description
The flaw resides in the kernel's `ptrace` subsystem, specifically within the `get_dumpable()` logic. It allows an unprivileged local user to bypass permission checks to read files that are normally restricted to the root user. By exploiting how the kernel determines if a process is "dumpable" (and thus accessible to certain debugging or system tools), an attacker can access sensitive memory or files, such as SSH private keys (via `ssh-keysign`) and system credential files.
## Exploitation
- **Status:** PoC available (Dubbed "ssh-keysign-pwn" on GitHub).
- **Complexity:** Medium.
- **Attack Vector:** Local (Attacker must have existing unprivileged access to the target system).
## Impact
- **Confidentiality:** High (Access to root-only secrets, SSH keys, and password files).
- **Integrity:** Medium (Potential for further system compromise via stolen credentials).
- **Availability:** Low.
## Remediation
### Patches
- **Linux Mainline:** Fixed in commit `31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a` ("ptrace: slightly saner 'get_dumpable()' logic").
- **LTS Updates:** Users should update to the latest point releases for kernels 5.10, 5.15, 6.1, 6.6, 6.12, and 6.18.
### Workarounds
- **ModuleJail Proposal:** Use the `ModuleJail` script to blacklist all unused kernel modules to shrink the attack surface.
- **Restricting Access:** Limit local shell access to trusted users and monitor for unusual `ptrace` activity.
## Detection
- **Indicators of Compromise:** Unusual access patterns to `/etc/shadow`, root SSH keys, or the use of `ssh-keysign` by unauthorized users.
- **Detection Methods:** Auditd monitoring for `ptrace` system calls and unauthorized file access to sensitive `/etc/` or `/root/` directories.
## References
- **Vendor Advisory:** hxxps[:]//www[.]openwall[.]com/lists/oss-security/2026/05/15/2
- **KnightLi Blog:** hxxps[:]//www[.]knightli[.]com/en/2026/05/17/ssh-keysign-pwn-cve-2026-46333/
- **Kernel Fix:** hxxps[:]//github[.]com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a
- **PoC Repository:** hxxps[:]//github[.]com/0xdeadbeefnetwork/ssh-keysign-pwn
- **ModuleJail Tool:** hxxps[:]//github[.]com/jnuyens/modulejail