Linux Kernel Vulnerability: ssh-keysign-pwn
This message is intended for U-M IT staff who are responsible for Linux systems.
Summary
A new Linux kernel vulnerability, ssh-keysign-pwn, was disclosed on May 14. This is the fourth Linux kernel vulnerability in the past several weeks.
- Mitigation is needed for higher-risk systems. The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
- Administrators should pay attention to vendor updates and apply patches on all systems, when available.
Problem
The vulnerability could allow unprivileged users to read root-owned files.
Threats
A proof-of-concept is available as ssh-keysign-pwn.
Affected Versions
All Linux kernel releases through the latest Linux Git state as of May 14, 2026.
Action Items
- Anyone who runs or administers higher-risk Linux systems must take action immediately:
Verify the current value of the kernel parameter: cat /proc/sys/kernel/yama/ptrace_scope
Mitigation command: echo 2 > /proc/sys/kernel/yama/ptrace_scope
This command limits process tracing (ptrace) to the root user, preventing other users from tracing processes.
This change will not persist across a reboot.
Preferred method to keep the mitigation in place: place a file in /etc/sysctl.d containing the mitigation so the change persists across reboots.
- After applying vendor patches, restore the kernel parameter to the default value:
Undo mitigation command: echo 0 > /proc/sys/kernel/yama/ptrace_scope
Note: “Higher-risk” Linux systems are those that are more directly exposed to attack, such as shared systems, systems that provide shell access to potentially untrusted users, web servers, and systems directly exposed to access from the internet.
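As an added example that is not part of this advisory, the following POSIX shell script performs the check, the mitigation, the persistent /etc/sysctl.d drop-in and the post-patch revert described above; the drop-in file name 99-ptrace-scope-mitigation.conf and the status/apply/revert sub-commands are assumed choices, not something the advisory specifies.

```shell
#!/bin/sh
# Added example, not from the U-M advisory: check, apply, persist and
# revert the Yama ptrace_scope mitigation. Run as root: status|apply|revert
PTRACE_SCOPE_FILE="${PTRACE_SCOPE_FILE:-/proc/sys/kernel/yama/ptrace_scope}"
# Drop-in name is an assumption; the 99- prefix makes it sort after
# distro-supplied files in /etc/sysctl.d, so it is applied last on boot.
DROPIN="${DROPIN:-/etc/sysctl.d/99-ptrace-scope-mitigation.conf}"

# Classify the value in a ptrace_scope file (default: the live sysctl).
# Prints mitigated (2 or 3), unmitigated (0 or 1), or missing (no Yama).
# Exit status: 0 mitigated, 1 unmitigated, 2 missing/unknown.
ptrace_scope_status() {
    f="${1:-$PTRACE_SCOPE_FILE}"
    [ -r "$f" ] || { echo missing; return 2; }
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        2|3) echo mitigated;   return 0 ;;
        0|1) echo unmitigated; return 1 ;;
        *)   echo "unknown($v)"; return 2 ;;
    esac
}

# The one line the sysctl.d drop-in needs. Value 2 (admin-only attach) is
# used rather than 3, because 3 cannot be lowered again without a reboot.
dropin_content() {
    printf 'kernel.yama.ptrace_scope = 2\n'
}

# Apply now (echo, as in the advisory) and persist for the next boot.
apply_mitigation() {
    dropin_content > "$DROPIN"
    echo 2 > "$PTRACE_SCOPE_FILE"
    ptrace_scope_status
}

# After vendor patches are installed: remove the drop-in and restore the
# default. Pass a different value if your distro ships a non-zero default.
revert_mitigation() {
    rm -f "$DROPIN"
    echo "${1:-0}" > "$PTRACE_SCOPE_FILE"
    ptrace_scope_status
}
case "${1:-}" in
    status) ptrace_scope_status ;;
    apply)  apply_mitigation ;;
    revert) revert_mitigation "$2" ;;
    "")     ;;   # no argument: only define the functions (for sourcing)
    *)      echo "usage: $0 status|apply|revert [value]" >&2; exit 64 ;;
esac
```

Point PTRACE_SCOPE_FILE at a copy of the sysctl file to exercise the status check without root; only apply and revert write to /proc and /etc.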
Technical Details
According to 9to5Linux, the proof-of-concept includes two files:
- sshkeysign_pwn, which prints the contents of the /etc/ssh/ssh_host_{ecdsa,ed25519,rsa}_key files, and
- chage_pwn, which prints the contents of the shadow file in /etc.
How We Protect U-M
ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- Linux 7.0.8 Released & LTS Kernels Updated For ssh-keysign-pwn (phoronix, 5/15/26)
- Linux's Latest Vulnerability Allows Reading Root-Owned Files By Unprivileged Users (phoronix, 5/14/26)
- Six-Year-Old Linux Kernel Flaw Lets Unprivileged Users Read Root-Owned Files (9to5Linux, 5/14/26)
- ssh-keysign-pwn (github.com, 5/14/26)