[SRU][R/Q/N/J][PATCH 0/4] CVE-2026-46333

Edoardo Canepa edoardo.canepa at canonical.com
Fri May 22 08:44:29 UTC 2026


https://ubuntu.com/security/CVE-2026-46333

[ Impact ]

CVE-2026-46333 (also known as ssh-keysign-pwn) is a race condition
in the Linux kernel's ptrace and process exit logic: do_exit() calls
exit_mm() before exit_files().

__ptrace_may_access() skips its dumpable check when the target task’s mm is NULL.
During do_exit(), the kernel runs exit_mm() before exit_files(), so there is
a window where a privileged process has dropped its mm but still has its
file descriptors open. An unprivileged process running under the same
uid can call pidfd_getfd(2) during that window and lift open file
descriptors out of the dying process. If those descriptors point at
root-owned files that the privileged binary opened before dropping privileges
(e.g. SSH host keys opened by ssh-keysign before permanently_set_uid(), or
/etc/shadow opened by chage before setreuid()), the attacker now has a handle on them.
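The access decision described above, as an added simplified userspace model (this is not the kernel's __ptrace_may_access() nor the upstream patch; the struct fields, function names and the same-uid rule are assumptions): the vulnerable shape skips the dumpable check once exit_mm() has cleared mm, so a same-uid caller gets through during the exit_mm()/exit_files() window, while the hardened shape treats a task without an mm as non-dumpable.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed model of the ptrace access check; field and function
 * names are assumed and do not match the kernel's own code. */
enum { NOT_DUMPABLE = 0, DUMPABLE = 1 };

struct task {
    void *mm;       /* NULL once exit_mm() has run, fds still open */
    uid_t uid;      /* uid the task runs as after dropping privileges */
    int dumpable;   /* cleared when a setuid binary is exec'd */
};

struct caller {
    uid_t uid;
    bool cap_sys_ptrace;
};

/* Same-uid callers pass the credential check; CAP_SYS_PTRACE overrides. */
static bool creds_match(const struct caller *c, const struct task *t)
{
    return c->cap_sys_ptrace || c->uid == t->uid;
}

/* Vulnerable shape: no mm means no dumpable check at all. */
bool may_access_vulnerable(const struct caller *c, const struct task *t)
{
    if (!creds_match(c, t))
        return false;
    if (t->mm == NULL)
        return true;
    return t->dumpable == DUMPABLE || c->cap_sys_ptrace;
}

/* Hardened shape: a task without an mm is treated as non-dumpable,
 * so only CAP_SYS_PTRACE can reach a dying privileged task. */
bool may_access_fixed(const struct caller *c, const struct task *t)
{
    if (!creds_match(c, t))
        return false;
    int dumpable = (t->mm == NULL) ? NOT_DUMPABLE : t->dumpable;
    return dumpable == DUMPABLE || c->cap_sys_ptrace;
}

int main(void)
{
    /* Constructed case: setuid helper that dropped to uid 1000 and is
     * inside the exit window; the caller is an unprivileged uid 1000. */
    struct task dying = { .mm = NULL, .uid = 1000, .dumpable = NOT_DUMPABLE };
    struct caller user = { .uid = 1000, .cap_sys_ptrace = false };
    printf("vulnerable: %d, fixed: %d\n",
           may_access_vulnerable(&user, &dying), may_access_fixed(&user, &dying));
    return 0;
}
```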

[ Fix ]

* Resolute, cherry pick the following patches from upstream:
  - 31e62c2ebbfd ptrace: slightly saner 'get_dumpable()' logic

* Questing, cherry pick the following patches from upstream:
  - 31e62c2ebbfd ptrace: slightly saner 'get_dumpable()' logic

* Noble, cherry pick the following patches from upstream:
  - 31e62c2ebbfd ptrace: slightly saner 'get_dumpable()' logic

* Jammy, backported the following patches from upstream:
  - 31e62c2ebbfd ptrace: slightly saner 'get_dumpable()' logic

Bionic and older lack pidfd_getfd/pidfd_open, so the current attack
vector does not apply to them and they are considered not affected.

[ Test Plan ]

Each kernel has been boot tested and tested against the PoC:
https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn

[ Where Problems Could Occur ]

The fix only affects __ptrace_may_access(), making the dumpable check
more restrictive, so it is unlikely to have other impacts.

[ Other Info ]

Public exploits (“ssh-keysign-pwn”, “chage_pwn”) by _SiCk: https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn
Upstream fix from Linus: https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a
Jann Horn’s 2020 patch for the same shape: https://lore.kernel.org/all/20201016230915.1972840-1-jannh@google.com/
