Qualys exposes Linux flaw leaking SSH host keys
Key insights
- The flaw is a race condition in pidfd_getfd(), a syscall added in Linux 5.6, that lets unprivileged users steal root-owned file descriptors.
- A public proof-of-concept already demonstrates SSH host private key extraction, making exploitation immediately accessible to low-skilled attackers.
- This is the second critical Linux local privilege-escalation flaw disclosed in two weeks, independent of the DirtyFrag/Fragnesia chain.
Why this matters
AI infrastructure overwhelmingly runs on Linux, and SSH host keys are the primary trust anchor for securing inter-node communication in GPU clusters, orchestration systems, and cloud tenants — a stolen host key allows silent man-in-the-middle positioning on those channels. The back-to-back cadence of critical Linux LPE disclosures in May 2026 suggests that kernel subsystems introduced in the 5.x era have not received the same adversarial scrutiny as older code, leaving a window for attackers who have already achieved any foothold on a multi-tenant system. Organizations running shared compute infrastructure — including AI cloud providers and colocation tenants — face compounded risk because unprivileged container escapes or compromised user accounts are common first steps before this class of exploit converts access into root.
Summary
Qualys researchers disclosed ssh-keysign-pwn, a six-year-old race condition in the Linux kernel's pidfd_getfd() syscall that lets unprivileged local users hijack file descriptors from privileged setuid binaries. Linus Torvalds patched it directly on May 14, 2026, but the flaw has been present since the pidfd_getfd() feature landed in kernel 5.6 around 2020.
The attack works by racing a call to pidfd_getfd() against the moment a setuid binary like ssh-keysign holds open a file descriptor to a root-owned file. A published proof-of-concept demonstrates successful extraction of SSH host private keys, meaning an attacker with a local shell can impersonate a server at the network layer.
Essentially: Qualys and the Linux kernel maintainers are managing back-to-back critical privilege-escalation disclosures in a two-week window that also includes the separate DirtyFrag/Fragnesia chain.
- The race condition targets pidfd_getfd(), a kernel feature designed for safe cross-process file descriptor passing, turning a security primitive into an attack surface.
- SSH host private key theft lets an attacker perform man-in-the-middle attacks on future sessions or impersonate the compromised host indefinitely until keys are rotated.
- The vulnerability is independent of the DirtyFrag chain disclosed weeks prior, meaning these are two separate unpatched surfaces that coexisted in production kernels.
Two unrelated critical local privilege-escalation bugs in a fortnight point to a systemic review gap in how the kernel's process-management and filesystem subsystems have been audited since 2020.
Potential risks and opportunities
Risks
- Multi-tenant GPU cloud providers (CoreWeave, Lambda Labs, vast.ai) face a window where a compromised tenant account could have extracted host keys, enabling persistent MitM positioning that survives the patch unless keys are explicitly rotated.
- Enterprise security teams that have not yet applied the May 14 kernel patch remain exposed to any insider or initial-access broker who can land a local shell and, with the public PoC, convert that limited access into host key theft.
- Linux distributions (Ubuntu, Red Hat, SUSE) that have not yet backported the fix to LTS kernels may face coordinated exploitation pressure if threat actors weaponize the PoC before downstream patches ship, particularly against unattended IoT and embedded Linux deployments.
Opportunities
- Runtime security vendors (Falco, Aqua Security, Sysdig) can ship detection rules for pidfd_getfd() abuse patterns immediately, offering a compensating control to customers who cannot patch kernel versions on short notice.
- SSH key management and secrets rotation platforms (HashiCorp Vault, Teleport, CyberArk) gain a concrete sales argument for automated host-key rotation workflows, since manual rotation after disclosure is the only remediation once keys may have been stolen.
- Kernel security auditing firms and academic groups focused on Linux syscall security (SUSE Security Team, Google Project Zero) are positioned to publish follow-on research on the pidfd family, increasing visibility and potential funded engagements from infrastructure vendors.
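The detection rules mentioned above can be prototyped against auditd output. As an added example for this brief (not Qualys' PoC and not any vendor's shipped rule), the following Python flags pidfd_getfd() SYSCALL records issued by non-root users and counts per-process bursts, which is what a retry loop against a race looks like in the audit trail. It assumes auditd is logging syscall 438 (pidfd_getfd on x86_64 and aarch64) and runs over constructed log lines.

```python
"""Flag pidfd_getfd() calls by unprivileged users in Linux audit logs.

Assumption: auditd records the syscall, e.g. via
    auditctl -a always,exit -F arch=b64 -S pidfd_getfd -k pidfd_getfd
The SAMPLE records below are constructed for illustration only.
"""
import re
from collections import Counter

PIDFD_GETFD = "438"                   # syscall number on x86_64 and aarch64
ARCHS_64 = {"c000003e", "c00000b7"}   # AUDIT_ARCH_X86_64, AUDIT_ARCH_AARCH64
BURST_THRESHOLD = 3                   # racing a short window means many retries

TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Turn one audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in TOKEN.findall(line)}


def suspicious_pidfd_getfd(lines):
    """Return (pid, uid, comm, got_fd) for pidfd_getfd() calls not made by root.

    got_fd is True when the call succeeded, i.e. the caller now holds a
    duplicate of a file descriptor that belonged to another process.
    """
    alerts = []
    for line in lines:
        r = parse_record(line)
        if r.get("type") != "SYSCALL" or r.get("syscall") != PIDFD_GETFD:
            continue
        if r.get("arch") not in ARCHS_64 or r.get("uid") == "0":
            continue
        got_fd = r.get("success") == "yes" and int(r.get("exit", "-1")) >= 0
        alerts.append((r["pid"], r["uid"], r.get("comm", "?"), got_fd))
    return alerts


def bursts(alerts, threshold=BURST_THRESHOLD):
    """Map pid -> call count for pids with at least `threshold` calls."""
    counts = Counter(pid for pid, *_ in alerts)
    return {pid: n for pid, n in counts.items() if n >= threshold}


# Constructed sample: uid 1000 (pid 4242) retries pidfd_getfd() until one
# call returns a descriptor (exit=5); root's own call from pid 900 is benign.
SAMPLE = """\
type=SYSCALL msg=audit(1778716800.101:501): arch=c000003e syscall=438 success=no exit=-9 a0=3 a1=4 a2=0 a3=0 items=0 ppid=4000 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm="racer" exe="/tmp/racer" key="pidfd_getfd"
type=SYSCALL msg=audit(1778716800.102:502): arch=c000003e syscall=438 success=no exit=-9 a0=3 a1=4 a2=0 a3=0 items=0 ppid=4000 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm="racer" exe="/tmp/racer" key="pidfd_getfd"
type=SYSCALL msg=audit(1778716800.103:503): arch=c000003e syscall=438 success=yes exit=5 a0=3 a1=4 a2=0 a3=0 items=0 ppid=4000 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm="racer" exe="/tmp/racer" key="pidfd_getfd"
type=SYSCALL msg=audit(1778716800.104:504): arch=c000003e syscall=438 success=yes exit=7 a0=3 a1=4 a2=0 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" key="pidfd_getfd"
type=PROCTITLE msg=audit(1778716800.104:504): proctitle="/usr/lib/systemd/systemd"
"""

if __name__ == "__main__":
    found = suspicious_pidfd_getfd(SAMPLE.splitlines())
    for pid, uid, comm, got in found:
        print(f"pid={pid} uid={uid} comm={comm} fd_obtained={got}")
    print("burst pids:", bursts(found))
```

A successful non-root call (got_fd True) is the event to page on; the burst count is the supporting signal that a window was being raced rather than a single descriptor being passed legitimately.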
What we don't know yet
- Whether major cloud providers (AWS, Google Cloud, Azure) have confirmed patched kernel rollouts to bare-metal and shared-tenant fleets as of May 15, 2026.
- Whether any threat actor exploited ssh-keysign-pwn in the wild during the six years it was unpatched, given that no indicators of compromise have been published alongside the Qualys disclosure.
- Whether the Linux Security Team has initiated a structured audit of other pidfd family syscalls introduced in kernel 5.6 through 6.x for similar descriptor-race surfaces.
Originally reported by 9to5linux.com
Original headline: ssh-keysign-pwn: Six-Year-Old Linux Kernel Flaw Patched by Linus on May 14 — PoC Lets Unprivileged Users Steal SSH Host Private Keys