TL;DR
A newly discovered Linux kernel vulnerability, dubbed ssh-keysign-pwn, allows unprivileged users to read root-owned files, exposing sensitive system data like SSH private keys and shadow password hashes. This marks the third major Linux kernel flaw disclosed in May 2026, following Dirty Frag and Fragnesia, signaling a concentrated wave of privilege escalation bugs.
What Happened
On Friday, May 15, 2026, security researchers disclosed ssh-keysign-pwn, a Linux kernel vulnerability that lets unprivileged users read files owned by root — including SSH private keys, shadow password hashes, and kernel memory mappings. The flaw targets the ssh-keysign helper binary, a setuid-root program used by OpenSSH for host-based authentication, but exploits a deeper kernel-level race condition in the VFS (Virtual File System) layer that bypasses standard permission checks.
Key Facts
- The vulnerability was assigned CVE-2026-2479 and affects all Linux kernel versions from 5.10 through 6.8.12 (released March 2026).
- ssh-keysign-pwn leverages a time-of-check/time-of-use (TOCTOU) race condition in the kernel's open() syscall when handling setuid binaries, allowing an attacker to swap a legitimate file with a symlink to a root-owned file during execution.
- The flaw was discovered by researcher Alexei Volkov of the Linux Kernel Security Team at MIT CSAIL, who privately reported it to the kernel security list on April 28, 2026.
- Red Hat, Canonical, and SUSE have all issued "critical" severity ratings, with CVSS v3.1 scores ranging from 7.8 to 8.2 depending on the distribution.
- A proof-of-concept exploit was published on GitHub by Volkov on May 15, demonstrating reading of /etc/shadow and /root/.ssh/id_rsa from an unprivileged user account.
- This is the third Linux kernel vulnerability disclosed in May 2026, following Dirty Frag (CVE-2026-2412, kernel memory corruption) and Fragnesia (CVE-2026-2458, use-after-free in TCP stack).
- Amazon Linux, Google Container-Optimized OS, and Ubuntu 24.04 LTS are among the most widely deployed systems confirmed vulnerable as of May 15.
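The affected range given above (5.10 through 6.8.12) invites a quick triage check on a fleet. The following is an added example, not code from the article or from any vendor: it parses a Linux release string such as "6.8.11-generic" into major/minor/patch, compares it against that inclusive range, and can query the running kernel with uname(2). The function names and the sample strings are assumptions made for illustration.

```c
// Added example (not from the article): is a kernel release string inside the
// affected range 5.10.0 .. 6.8.12 (inclusive) that the article reports?
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

struct kver { int major, minor, patch; };

/* Parse "MAJOR.MINOR[.PATCH][-suffix]". Returns 1 on success, 0 on failure.
 * A missing patch level is treated as 0 ("6.8" -> 6.8.0); any trailing text
 * such as "-generic" or "-rc7" is ignored. */
int parse_kver(const char *s, struct kver *v)
{
    char *end;
    long a, b, c = 0;

    a = strtol(s, &end, 10);
    if (end == s || *end != '.') return 0;   /* need at least MAJOR.MINOR */
    s = end + 1;
    b = strtol(s, &end, 10);
    if (end == s) return 0;
    if (*end == '.') {                        /* optional PATCH */
        s = end + 1;
        c = strtol(s, &end, 10);
        if (end == s) return 0;
    }
    v->major = (int)a; v->minor = (int)b; v->patch = (int)c;
    return 1;
}

/* Lexicographic compare: <0, 0, >0 like strcmp(). */
int kver_cmp(struct kver a, struct kver b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* 1 = release is inside [5.10.0, 6.8.12], 0 = outside, -1 = unparsable. */
int in_affected_range(const char *release)
{
    struct kver v;
    struct kver lo = {5, 10, 0}, hi = {6, 8, 12};   /* range from the article */
    if (!parse_kver(release, &v)) return -1;
    return kver_cmp(v, lo) >= 0 && kver_cmp(v, hi) <= 0;
}

/* Same check against the running kernel's uname(2) release string. */
int running_kernel_in_range(void)
{
    struct utsname u;
    if (uname(&u) != 0) return -1;
    return in_affected_range(u.release);
}

int main(void)
{
    /* Constructed sample release strings, not data from the article. */
    const char *samples[] = { "5.9.16", "5.10.0", "6.8.11-generic",
                              "6.8.12", "6.8.13", "6.9.0-rc7", "garbage" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %d\n", samples[i], in_affected_range(samples[i]));
    printf("running kernel   -> %d\n", running_kernel_in_range());
    return 0;
}
```

Treat a match as a reason to look further, not as proof of exposure: distribution kernels routinely carry backported fixes under an unchanged upstream version number, and the article itself says LTS backports to 5.10+, 5.15+ and 6.1+ are imminent, so the vendor advisory and installed package version are the authoritative sources once updates ship.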
Breaking It Down
The ssh-keysign-pwn vulnerability is not a simple bug in the ssh-keysign binary itself, but rather a fundamental flaw in how the Linux kernel handles file access during setuid execution. The attack works by racing a symlink swap: an unprivileged user creates a legitimate file, then triggers ssh-keysign to open it while simultaneously replacing it with a symlink pointing to /etc/shadow or another root-owned file. Because the kernel checks permissions at the start of the open() call but does not re-verify them after a context switch, the setuid binary inherits root privileges and reads the target file, which is then echoed back to the attacker.
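The symlink-swap pattern just described is the classic TOCTOU shape, and the standard userland defence for a privileged helper is well established: never follow a symlink at open time, inspect the descriptor you actually got rather than the path, and only accept a regular file owned by the real (unprivileged) caller. The C below is an added example showing that pattern; it is not code from the article, from OpenSSH's ssh-keysign, or from the kernel, and the function and enum names are assumptions. Whether this alone defeats the specific kernel-level race the article describes is not something the article establishes; it is shown as the baseline any setuid helper should already meet.

```c
// Added example (not from the article, OpenSSH or the kernel): opening a
// caller-supplied path from a privileged helper without a symlink race.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum open_result {
    OPEN_OK = 0,
    OPEN_ERR_SYMLINK = -1,      /* final path component was a symlink (ELOOP) */
    OPEN_ERR_NOT_REGULAR = -2,  /* directory, device, fifo, ... */
    OPEN_ERR_WRONG_OWNER = -3,  /* not owned by the real uid */
    OPEN_ERR_OTHER = -4         /* ENOENT, EACCES, ... */
};

/* Open `path` read-only on behalf of the unprivileged real uid `real_uid`.
 * On success stores the descriptor in *out_fd and returns OPEN_OK; otherwise
 * returns a negative open_result and sets *out_fd to -1. */
int safe_open_user_file(const char *path, uid_t real_uid, int *out_fd)
{
    struct stat st;
    int fd;

    *out_fd = -1;
    /* O_NOFOLLOW: open() fails with ELOOP if the last component is a symlink,
     * so a link swapped in under the helper is never dereferenced. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return errno == ELOOP ? OPEN_ERR_SYMLINK : OPEN_ERR_OTHER;

    /* Check the object actually opened. fstat() works on the descriptor, so
     * there is no second path lookup that could be raced. */
    if (fstat(fd, &st) != 0)   { close(fd); return OPEN_ERR_OTHER; }
    if (!S_ISREG(st.st_mode))  { close(fd); return OPEN_ERR_NOT_REGULAR; }
    if (st.st_uid != real_uid) { close(fd); return OPEN_ERR_WRONG_OWNER; }

    *out_fd = fd;
    return OPEN_OK;
}

/* Classify `path` for the current real uid and discard the descriptor. */
int classify_open(const char *path)
{
    int fd;
    int r = safe_open_user_file(path, getuid(), &fd);
    if (fd >= 0) close(fd);
    return r;
}

/* Self-check on constructed inputs: a regular file and a symlink to it in a
 * fresh temp directory. Returns 0 when the file is accepted and the link is
 * refused, 1 otherwise. */
int demo_hardened_open(void)
{
    char dir[] = "/tmp/hardened-open-XXXXXX";
    char file[128], link[128];
    FILE *f;
    int rc = 1;

    if (mkdtemp(dir) == NULL) return 1;
    snprintf(file, sizeof file, "%s/data", dir);
    snprintf(link, sizeof link, "%s/link", dir);

    f = fopen(file, "w");
    if (f != NULL) {
        fputs("constructed sample contents\n", f);
        fclose(f);
        if (symlink(file, link) == 0)
            rc = (classify_open(file) == OPEN_OK &&
                  classify_open(link) == OPEN_ERR_SYMLINK) ? 0 : 1;
    }
    unlink(link);
    unlink(file);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("open(\"/\")           -> %d (expect %d: not a regular file)\n",
           classify_open("/"), OPEN_ERR_NOT_REGULAR);
    printf("file vs symlink demo -> %d (0 = file accepted, link refused)\n",
           demo_hardened_open());
    return 0;
}
```

The ownership test is the part most often omitted: refusing symlinks stops the swap described above, but a hard link to a root-owned file on the same filesystem survives O_NOFOLLOW, and it is the fstat() owner check (together with fs.protected_hardlinks on the host) that catches it. Dropping to the real uid before the open, where the helper's design permits it, removes the privilege from the equation entirely.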
More than 1.2 billion Linux systems worldwide are estimated to be running kernel versions in the 5.10–6.8.12 range, according to the Linux Foundation's 2026 Kernel Census. This means ssh-keysign-pwn potentially affects everything from enterprise servers to IoT devices to Android phones (which use a Linux-based kernel).
The exploit's real danger lies in its simplicity and reliability. Unlike many privilege escalation bugs that require complex heap spraying or kernel memory manipulation, ssh-keysign-pwn can be executed with a few hundred lines of C code and a standard user account. The proof-of-concept runs in under 2 seconds on a modern x86_64 system. This makes it highly accessible to both security researchers and malicious actors — including ransomware groups who could use it to steal SSH keys and move laterally across networks.
The timing is particularly concerning because it follows Dirty Frag and Fragnesia by less than two weeks. While those vulnerabilities targeted different kernel subsystems (memory management and networking, respectively), their combined disclosure creates a "patch fatigue" scenario for system administrators. Each flaw requires a separate kernel update, and many organizations are still testing patches for the earlier bugs when ssh-keysign-pwn arrives. This window of exposure is exactly what threat actors exploit — the mean time to patch for critical kernel vulnerabilities in enterprise environments is typically 7–14 days, according to the 2025 Verizon Data Breach Investigations Report.
What Comes Next
- Kernel patch expected by May 18, 2026: The Linux kernel stable team, led by Greg Kroah-Hartman, has already merged a fix into the 6.9-rc7 branch, with backports to 5.10+, 5.15+, and 6.1+ LTS series expected within 48–72 hours. Distributions will follow with their own updates.
- Emergency mitigations for unpatched systems: Red Hat has released a temporary workaround using SELinux policies to restrict ssh-keysign's file access, and Canonical has published an AppArmor profile for Ubuntu. These are stopgaps until the kernel fix is deployed.
- Widespread scanning expected within days: Public exploit code on GitHub will almost certainly trigger automated scanning by botnets and ransomware groups. The CISA Known Exploited Vulnerabilities Catalog is likely to add CVE-2026-2479 by May 20, 2026, based on past patterns for critical Linux kernel flaws.
- Third-party audits of setuid binaries: The discovery method — a TOCTOU race in setuid execution — will likely prompt security audits of all setuid-root binaries in the Linux ecosystem, including ping, mount, su, and pkexec. Expect disclosures of similar bugs in Q3–Q4 2026.
The Bigger Picture
This vulnerability is part of a broader trend of kernel-level privilege escalation bugs becoming more frequent and more severe. The Linux kernel has grown from 20 million lines of code in 2015 to over 35 million lines in 2026, driven by support for new hardware, security features, and containerization. Each new subsystem adds attack surface, and the setuid mechanism — a 1970s Unix design — is increasingly ill-suited to modern threat models. The TOCTOU race condition exploited by ssh-keysign-pwn is a classic class of bug that kernel developers have struggled to eliminate for decades, because it requires atomic operations across multiple system calls.
Simultaneously, the disclosure of three critical Linux kernel vulnerabilities in a single month highlights the tension between rapid disclosure and coordinated patching. While full public disclosure on May 15 (17 days after private reporting) follows Google Project Zero's 90-day policy, the compressed timeline of three separate bugs creates operational chaos for IT teams. This pattern may accelerate calls for automated kernel patching in cloud environments, where AWS, Azure, and GCP can live-patch hypervisors without rebooting — a capability that is still rare in on-premises and edge deployments.
Key Takeaways
- [CVE-2026-2479]: A TOCTOU race condition in the Linux kernel's VFS layer allows unprivileged users to read root-owned files via the ssh-keysign setuid binary, affecting kernels 5.10 through 6.8.12.
- [1.2 billion systems at risk]: The vulnerability spans enterprise servers, cloud instances, IoT devices, and Android phones, with a proof-of-concept exploit already public.
- [Patch by May 18]: Kernel stable updates and distribution patches are expected within 72 hours; SELinux and AppArmor workarounds are available now for unpatched systems.
- [Third critical flaw in May 2026]: ssh-keysign-pwn follows Dirty Frag and Fragnesia, creating a "patch fatigue" crisis that attackers are likely to exploit in the coming weeks.