Ubuntu Vendor Cyber Rating & Cyber Score

ubuntu.com

Ubuntu is a community developed operating system that is perfect for laptops, desktops and servers. Ubuntu is and always will be free of charge. You do not pay any licensing fees. You can download, use and share Ubuntu with your friends, family, school or business for absolutely nothing.


Ubuntu A.I CyberSecurity Scoring

Company Information
Website: http://www.ubuntu.com
Employees number: None
Number of followers: 0
NAICS: 5112
Industry Type: Software Development
Homepage: ubuntu.com
Ubuntu Risk Score (AI oriented)
Between 750 and 799
Ubuntu, Software Development
Updated: 28/05/2026
754/1000
Fair
Baa
Rating scale: Aaa, Aa, A, Baa, Ba, B, Caa, Ca, C
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium

Ubuntu: Fair
Current Score: 754, Baa (FAIR)
Score range: 0 to 1000
4 incidents
-4.33 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
755 Before Incident
MAY 2026
758 Before Incident
Vulnerability
14 May 2026, Ubuntu
Debian, Ubuntu and Raspberry Pi OS: Critical Linux Kernel Flaw ‘ssh-keysign-pwn’ Exposes SSH Keys and Shadow Passwords

Critical Linux Kernel Flaw Exposes SSH Keys and Password Hashes (CVE-2026-46333)

754 After Incident
CRITICAL-4
UBURASDEB1778919975

A newly disclosed Linux kernel vulnerability, tracked as CVE-2026-46333 and dubbed "ssh-keysign-pwn," allows attackers to extract highly sensitive data, including SSH private keys and password hashes, from affected systems. The flaw stems from a race condition in the kernel’s ptrace access control logic, specifically within the `__ptrace_may_access()` function.

### How the Exploit Works

The vulnerability arises when a privileged process (e.g., ssh-keysign or chage) shuts down. During this brief window, its memory context is cleared (mm = NULL), but its file descriptors remain open. An unprivileged local attacker can exploit this gap using `pidfd_getfd()` to steal these descriptors, bypassing intended permission checks.

A proof-of-concept (PoC) exploit on GitHub demonstrates how attackers can repeatedly spawn processes to race against a privileged helper’s exit, successfully extracting file descriptors in 100–2000 attempts, making it a practical threat.

### Impact & Risks

- SSH Private Key Theft: Enables attackers to impersonate systems or users, conduct man-in-the-middle (MitM) attacks, and move laterally across networks.
- Password Hash Exposure: Full read access to `/etc/shadow`, allowing offline cracking of credentials.
- Cascading Compromises: Since SSH keys are often reused, a single breach can lead to wider network access.

### Affected Systems

The flaw impacts most Linux distributions running kernels before the May 14, 2026 patch, including:

- Ubuntu
- Debian
- Arch Linux
- CentOS
- Raspberry Pi OS

Given the vulnerability’s six-year existence, many long-term deployments remain exposed.

### Mitigation & Response

- Apply kernel patches for CVE-2026-46333.
- Rotate all SSH keys, particularly on critical systems.
- Audit access to sensitive files like `/etc/shadow`.
- Monitor for suspicious `ptrace` or `pidfd` system calls.
- Restrict local user access where possible, as exploitation requires local presence.

With a public PoC exploit already available, the risk of active exploitation in the wild is heightened, underscoring the urgency for remediation.
INCIDENT DETAILS
TYPE: Privilege Escalation
IMPACT
- Data Compromised: SSH private keys, password hashes (/etc/shadow)
- Systems Affected: Linux systems running kernels before May 14, 2026 patch
- Operational Impact: Lateral movement, man-in-the-middle attacks, credential cracking
- Identity Theft Risk: High (SSH key impersonation, password cracking)
DATA BREACH
- SSH private keys
- Password hashes
- Sensitivity Of Data: High (SSH keys, password hashes)
- /etc/shadow
MAY 2026
763 Before Incident
Vulnerability
07 May 2026, Ubuntu
openSUSE, CentOS, AlmaLinux, Ubuntu and Fedora: Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released

Dirty Frag: New Linux Kernel LPE Vulnerability Grants Root Access Across Major Distros

758 After Incident
CRITICAL-5
TUXOPEFEDTHEUBU1778214411

A newly disclosed Linux kernel vulnerability, dubbed Dirty Frag, enables local privilege escalation (LPE) by chaining two page-cache write flaws (xfrm-ESP Page-Cache Write and RxRPC Page-Cache Write) to achieve root access on nearly all major Linux distributions. The exploit, publicly released on May 7, 2026, following an embargo break, leverages a deterministic logic flaw rather than race conditions, ensuring a high success rate without kernel panics.

Discovered by security researcher Hyunwoo Kim (@v4bel), Dirty Frag exploits the kernel’s zero-copy send path, where `splice()` inserts a reference to a read-only page cache (e.g., `/etc/passwd` or `/usr/bin/su`) into the `frag` slot of a sender-side `sk_buff`. Receiver-side cryptographic operations then modify the page cache in-place, corrupting files even for unprivileged users.

### Exploit Mechanics

1. xfrm-ESP Variant:
   - Targets `esp_input()` in the IPsec ESP receive path, skipping buffer allocation checks (`skb_cow_data()`) for non-linear `skb`s.
   - Attackers use `XFRMA_REPLAY_ESN_VAL` to overwrite arbitrary bytes (e.g., `/usr/bin/su`) with a root-shell ELF, requiring user namespace creation (`unshare(CLONE_NEWUSER)`), which is blocked on some Ubuntu systems via AppArmor.
2. RxRPC Variant:
   - Exploits `rxkad_verify_packet_1()` to perform in-place decryption on the first 8 bytes of an RxRPC payload.
   - Attackers brute-force a session key to manipulate plaintext (e.g., emptying `/etc/passwd`’s password field), bypassing PAM authentication. This variant does not require namespace privileges but relies on the `rxrpc.ko` module, absent by default on RHEL but present on Ubuntu.

Chaining both exploits ensures root access across distributions, with the PoC first attempting the ESP path before falling back to RxRPC if `unshare` fails.

### Affected Systems

The vulnerabilities span nine years, with the ESP flaw introduced in January 2017 (commit `cac2661c53f3`) and the RxRPC flaw in June 2023 (commit `2dc334f1a63a`). Confirmed affected distributions include:

- Ubuntu 24.04.4 (kernel 6.17.0-23)
- RHEL 10.1 (kernel 6.12.0-124.49.1)
- openSUSE Tumbleweed (kernel 7.0.2-1)
- CentOS Stream 10, AlmaLinux 10, Fedora 44

### Patches & Mitigation

- The ESP patch, using `SKBFL_SHARED_FRAG` to enforce buffer isolation, was merged into the netdev tree on May 7, 2026.
- The RxRPC patch remains unmerged upstream.
- No CVEs have been assigned due to the premature embargo break.
- Temporary mitigation involves blacklisting the affected modules (`esp4`, `esp6`, `rxrpc`) via:

```bash
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
```

This disrupts IPsec and RxRPC functionality, requiring careful evaluation for systems reliant on VPNs. The full technical write-up and PoC are available on the researcher’s GitHub repository.
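
One way to confirm that the temporary module mitigation above is actually in effect on a host, as an added example that is not part of the original write-up or the researcher's material. The function names are this example's own, and it assumes the usual `/etc/modprobe.d` and `/proc/modules` locations unless other paths are passed in.

```bash
#!/bin/sh
# Added example: audit the temporary Dirty Frag mitigation described above.
# Function names are this example's own; paths are parameters so the check
# can also run against copies collected from other hosts.
DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# module_disabled MODULE CONF_DIR
# Succeeds if a *.conf file maps the module's install command to /bin/false
# or /bin/true. A bare "blacklist" line is not counted: it only suppresses
# alias-based autoloading and still allows loading the module by name.
module_disabled() {
    mod=$1; dir=$2
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if awk -v m="$mod" '
            /^[[:space:]]*#/ { next }
            $1 == "install" && $2 == m && $3 ~ /^\/bin\/(false|true)$/ { ok = 1 }
            END { exit !ok }' "$f"; then
            return 0
        fi
    done
    return 1
}

# module_loaded MODULE PROC_MODULES
# Succeeds if the module is listed in a /proc/modules-format file.
module_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "$2"
}

# audit_dirtyfrag [CONF_DIR] [PROC_MODULES]
# Prints one status line per module and returns 0 only when every module
# is disabled for future loads and absent from the running kernel.
audit_dirtyfrag() {
    conf_dir=${1:-/etc/modprobe.d}; proc=${2:-/proc/modules}; rc=0
    for m in $DIRTYFRAG_MODULES; do
        cfg=disabled; run=not-loaded
        module_disabled "$m" "$conf_dir" || { cfg=LOADABLE; rc=1; }
        module_loaded "$m" "$proc" && { run=LOADED; rc=1; }
        echo "$m config=$cfg runtime=$run"
    done
    return $rc
}
```

Calling `audit_dirtyfrag` with no arguments checks the live system; a non-zero exit status means at least one of the three modules can still be loaded or is still resident after the `rmmod` step.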
INCIDENT DETAILS
TYPE: Local Privilege Escalation (LPE)
IMPACT
- Systems Affected: Root access compromise on affected Linux distributions
- Operational Impact: Potential unauthorized root access, system compromise, and data manipulation
DATA BREACH
- /etc/passwd
- /usr/bin/su
APRIL 2026
767 Before Incident
Vulnerability
22 Apr 2026, Ubuntu
Debian, Fedora and Ubuntu: Critical Pack2TheRoot Vulnerability Let Attackers Gain Root Access or Compromise the System

High-Severity Linux Privilege Escalation Flaw 'Pack2TheRoot' Disclosed

763 After Incident
CRITICAL-4
DEBUBUFED1776933436

Deutsche Telekom’s Red Team has publicly disclosed a high-severity privilege escalation vulnerability, CVE-2026-41651 (CVSS 8.8), dubbed Pack2TheRoot, affecting default installations of major Linux distributions. The flaw, present in the PackageKit daemon, a widely used package management abstraction layer, allows any local unprivileged user to silently install or remove system packages, ultimately gaining full root access without authentication.

The vulnerability impacts PackageKit versions 1.0.2 through 1.3.4, spanning over 12 years of releases and exposing systems across Debian, Ubuntu, Fedora, and Red Hat-based distributions, including enterprise servers running Cockpit. Confirmed vulnerable default installations include:

- Ubuntu Desktop (18.04, 24.04.4 LTS, 26.04 LTS Beta)
- Ubuntu Server (22.04, 24.04 LTS)
- Debian Desktop (Trixie 13.4)
- Rocky Linux Desktop (10.1)
- Fedora (43 Desktop and Server)

Exploitation is straightforward: an attacker with basic local access can bypass authorization controls, install malicious packages, or remove critical security components. A proof-of-concept (PoC) exists, reliably achieving root code execution in seconds, though it remains undisclosed.

The flaw was discovered during Telekom Security’s research into local privilege escalation vectors, with Claude Opus (Anthropic) assisting in the investigation starting in 2025. Findings were responsibly disclosed to PackageKit maintainers, who confirmed the issue and its exploitability.

While the attack leaves detectable traces, such as PackageKit daemon crashes logged in *journalctl*, systems can be checked for vulnerability using:

- Debian/Ubuntu: `dpkg -l | grep -i packagekit`
- RPM-based: `rpm -qa | grep -i packagekit`
- Daemon status: `systemctl status packagekit` or `pkmon`

A patch was released in PackageKit 1.3.5 (April 22, 2026), with distribution-specific fixes available via:

- Debian: [security-tracker.debian.org](https://security-tracker.debian.org)
- Ubuntu: Launchpad CVE tracker
- Fedora: PackageKit-1.3.4-3 (via Koji)

Administrators are advised to apply updates immediately, particularly on internet-facing servers running Cockpit.
INCIDENT DETAILS
TYPE: Privilege Escalation
IMPACT
- Systems Affected: Default installations of major Linux distributions (Ubuntu, Debian, Fedora, Rocky Linux, Red Hat-based)
- Operational Impact: Full root access compromise, potential installation/removal of malicious packages or critical security components
APRIL 2026
749 Before Incident
Vulnerability
01 Apr 2026, Ubuntu
Ubuntu: Wide-ranging 7-zip vulnerability with 8.8 CVE rating allows for code execution — hundreds of millions of machines potentially at risk

Critical 7-Zip Vulnerability Exposes Millions of Systems to Remote Code Execution

767 After Incident
CRITICAL-18
UBU1779978504

A high-severity vulnerability (CVE-2024-, rated 8.8) in the widely used open-source utility 7-Zip has been disclosed, allowing attackers to execute malicious code simply by tricking users into opening a crafted archive. The flaw affects all versions prior to 26.01, released in late April, and requires no further interaction: merely opening a booby-trapped file (.7z, .zip, .rar, or even disguised NTFS disk images) on a system with at least 16 GB of RAM* is sufficient for exploitation.

The impact is severe due to 7-Zip’s ubiquity. Beyond the Windows GUI application, command-line variants across multiple operating systems, including Linux distributions with outdated p7zip ports, are vulnerable. Millions of CI/CD pipelines, automated scripts, and server processes that interact with archives (even just to list contents) are at risk. With over 400 million downloads on SourceForge and 24.5 million via Chocolatey, plus widespread inclusion in Linux servers, VMs, and Docker images, the potential attack surface spans hundreds of millions of machines.

The vulnerability extends further due to 7-Zip’s integration into third-party software. Antivirus scanners, backup tools, log analyzers, file managers, and malware sandboxes often embed 7-Zip’s libraries, many of which run with elevated permissions. Exploitation requires no user interaction in these cases, enabling drive-by attacks via poisoned archives.

The flaw stems from a bug in 7-Zip’s handling of NTFS disk images, where an attacker can manipulate buffer values to trigger arbitrary code execution. Notably, 7-Zip ignores file extensions, relying instead on file headers, meaning malicious NTFS images can be hidden within standard archive formats. Testing confirms vulnerable versions are present in Ubuntu 24/26, RHEL 8, Fedora, and many OEM systems that bundle 7-Zip by default.

Without built-in update mechanisms, mitigation depends on manual upgrades or package manager updates.
INCIDENT DETAILS
TYPE: Remote Code Execution (RCE)
IMPACT
- Systems Affected: Hundreds of millions of machines (Windows, Linux, CI/CD pipelines, servers, VMs, Docker images)
- Operational Impact: Potential compromise of automated scripts, server processes, and third-party software embedding 7-Zip libraries
MARCH 2026
749 Before Incident
FEBRUARY 2026
749 Before Incident
JANUARY 2026
749 Before Incident
DECEMBER 2025
749 Before Incident
NOVEMBER 2025
749 Before Incident
OCTOBER 2025
749 Before Incident
SEPTEMBER 2025
749 Before Incident
AUGUST 2025
749 Before Incident
JULY 2025
749 Before Incident
