APPLIED: [SRU][R/Q/N/J][PATCH 0/4] CVE-2026-46333

Edoardo Canepa edoardo.canepa at canonical.com
Fri May 22 15:30:53 UTC 2026


Applied to R/Q/N/J:linux/master-next. Thanks.

Fixed backport string on J patch as indicated

On 5/22/26 10:42, Edoardo Canepa wrote:
> https://ubuntu.com/security/CVE-2026-46333
>
> [ Impact ]
>
> CVE-2026-46333 (also known as ssh-keysign-pwn) is a race condition
> in the Linux kernel's ptrace and process exit logic
> (do_exit() to exit_mm() before exit_files()).
>
> __ptrace_may_access() skips its dumpable check when the target task’s mm is NULL.
> During do_exit(), the kernel runs exit_mm() before exit_files(), so there is
> a window where a privileged process has dropped its mm but still has its
> file descriptors open. An unprivileged process running under the same
> uid can call pidfd_getfd(2) during that window and lift open file
> descriptors out of the dying process. If those descriptors point at
> root-owned files that the privileged binary opened before dropping privileges
> (e.g. SSH host keys opened by ssh-keysign before permanently_set_uid(), or
> /etc/shadow opened by chage before setreuid()), the attacker now has a handle on them.
>
> [ Fix ]
>
> * Resolute, cherry pick the following patches from upstream:
>    - 31e62c2ebbfd ptrace: slightly saner 'get_dumpable()' logic
>
> * Questing, cherry pick the following patches from upstream:
>    - 31e62c2ebbfd ptrace: slightly saner 'get_dumpable()' logic
>
> * Noble, cherry pick the following patches from upstream:
>    - 31e62c2ebbfd ptrace: slightly saner 'get_dumpable()' logic
>
> * Jammy, backported the following patches from upstream:
>    - 31e62c2ebbfd ptrace: slightly saner 'get_dumpable()' logic
>
> Bionic and older are not affected by the current attack vector
> because they lack pidfd_getfd/pidfd_open, hence considered
> not affected.
>
> [ Test Plan ]
>
> Each kernel has been boot tested and tested against POC:
> https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn
>
> [ Where Problems Could Occur ]
>
> The fix affects only __ptrace_may_access, making the dumpable check
> more restrictive, hence it is unlikely to have other impacts.
>
> [ Other Info ]
>
> Public exploits (“ssh-keysign-pwn”, “chage_pwn”) by _SiCk: https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn
> Upstream fix from Linus: https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a
> Jann Horn’s 2020 patch for the same shape: https://lore.kernel.org/all/20201016230915.1972840-1-jannh@google.com/
>