SSH-Keysign-Pwn: Reading Root-Owned Files via a Ptrace Logic Bug (opens in new tab)

Covers 4 stories including 0xdeadbeefnetwork/ssh-keysign-pwn: Steal SSH host private keys and /etc/shadow via the ptrace_may_access mm-NULL bypass + pidfd_getfd. Pre-31e62c2ebbfd kernels.Discussed on Hacker News

Qualys discovered a logic bug in __ptrace_may_access() allowing unprivileged users to steal SSH host keys and /etc/shadow via pidfd_getfd(). Fixed by Linus Torvalds on May 14, 2026.

Read the original article