
A nine-year-old flaw in the Linux kernel, tracked as CVE-2026-46333 and nicknamed "ssh-keysign-pwn", has been publicly disclosed, and the detail that stands out is how long it has been lurking: the vulnerable code was introduced in November 2016. It is a local privilege-escalation bug, not one reachable over the network: the attacker already has to be able to run code on the machine. Any unprivileged local user on an unpatched system can exploit it to read protected files such as /etc/shadow (which stores hashed passwords) and the private SSH host keys, and from there run commands as root. Researchers have published four separate exploits, each abusing a different privileged helper program (chage, ssh-keysign, pkexec, and accounts-daemon), so little skill is needed to use it.
Patches are now available from all major distributions. If other people have accounts on a Linux machine you run, or if anything you do not fully trust can execute code on it, treat this as a priority update: the window of exposure goes back to November 2016. Debian, Fedora, and Ubuntu have each shipped kernel updates. Because the fix is in the kernel, it only takes effect after a reboot, so an update that has been installed but not yet booted leaves the machine exposed. If you cannot update immediately, the interim mitigation is to raise the kernel's ptrace scope (the kernel.yama.ptrace_scope sysctl), which restricts which processes may attach to and inspect other processes. That is a stopgap, not a fix: it can break debuggers and tracing tools for non-root users, and it should only be relaxed again once the patched kernel is running.
How to check if you’re affected
Affected versions include the Linux kernel on default installations of Debian, Fedora, and Ubuntu that have not yet applied the patch for CVE-2026-46333. To see which kernel you are running, open a terminal and run uname -r, and compare the result with the fixed version listed in your distribution's security advisory for CVE-2026-46333. Then open your distribution's Software Updater (Ubuntu), or run sudo dnf update kernel (Fedora) or sudo apt update && sudo apt upgrade (Debian/Ubuntu), to install the patch. A reboot is required for the new kernel to take effect: run uname -r again afterwards and confirm it reports the updated version, because the old kernel keeps running until you reboot.
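The two checks above (is the patched kernel actually the one running, and is the ptrace-scope stopgap in place?) are easy to get wrong by hand, so here is a small POSIX shell helper that does both. It is an added example, not code from the article or from any distribution. It assumes a Linux system where kernel images live under /boot as vmlinuz-<version> (as on Debian, Fedora and Ubuntu), that GNU sort -V is available, and that Yama exposes /proc/sys/kernel/yama/ptrace_scope; the level it suggests (2) is an assumption, since the article does not say which value the advisories recommend.

```shell
#!/bin/sh
# Added example (not from the article or any distribution). Assumes Linux,
# GNU coreutils (sort -V) and a kernel built with Yama.

# Meaning of each Yama ptrace_scope level (from the kernel's Yama docs).
describe_ptrace_scope() {
  case "$1" in
    0) echo "0: classic, a process may ptrace any other process of the same uid" ;;
    1) echo "1: restricted, only descendants may be traced (Ubuntu's default)" ;;
    2) echo "2: admin-only, attaching requires CAP_SYS_PTRACE" ;;
    3) echo "3: no attach at all; cannot be lowered again without a reboot" ;;
    *) echo "unrecognised value: $1"; return 1 ;;
  esac
}

# Succeeds when the current scope is at least the wanted minimum.
ptrace_scope_meets() {
  [ "$1" -ge "$2" ] 2>/dev/null
}

# Succeeds when NEWEST sorts after RUNNING, i.e. a newer kernel is installed
# but has not been booted yet (the patch is not in effect).
reboot_needed() {
  running=$1; newest=$2
  [ "$running" != "$newest" ] &&
    [ "$(printf '%s\n%s\n' "$running" "$newest" | sort -V | tail -n 1)" = "$newest" ]
}

# Newest kernel image found under /boot; prints nothing if none is found.
newest_installed_kernel() {
  for f in /boot/vmlinuz-*; do
    [ -e "$f" ] && printf '%s\n' "${f#/boot/vmlinuz-}"
  done | sort -V | tail -n 1
}

report() {
  running=$(uname -r)
  newest=$(newest_installed_kernel)
  echo "running kernel:  $running"
  echo "newest in /boot: ${newest:-unknown}"
  if [ -n "$newest" ] && reboot_needed "$running" "$newest"; then
    echo "A newer kernel is installed but not running: reboot to finish the update."
  fi
  if [ -r /proc/sys/kernel/yama/ptrace_scope ]; then
    scope=$(cat /proc/sys/kernel/yama/ptrace_scope)
    echo "ptrace_scope:    $(describe_ptrace_scope "$scope")"
    # Level 2 is an assumption; use the value your distribution's advisory gives.
    if ! ptrace_scope_meets "$scope" 2; then
      echo "Interim mitigation until the patched kernel is running:"
      echo "  sudo sysctl -w kernel.yama.ptrace_scope=2"
      echo "  echo 'kernel.yama.ptrace_scope = 2' | sudo tee /etc/sysctl.d/60-ptrace-scope.conf"
    fi
  else
    echo "Yama ptrace_scope is not available on this kernel."
  fi
}

# Only print the report when asked, so the functions can also be sourced.
if [ "${1:-}" = "--report" ]; then
  report
fi
```

Save it as check-kernel.sh and run sh check-kernel.sh --report. The version comparison relies on sort -V rather than string equality so that 6.1.0-21 is correctly seen as newer than 6.1.0-20; the sysctl.d file is what makes the raised scope survive a reboot, which the one-off sysctl -w does not.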
