A critical Linux 0-day vulnerability allows unprivileged users to read root-owned files, including SSH host private keys and /etc/shadow, by exploiting a race condition in ptrace_may_access (a dumpable check that is skipped when the target's mm is NULL) combined with pidfd_getfd. The vulnerability affects all Linux kernels prior to commit 31e62c2ebbfd (May 14, 2026) and was originally reported by Qualys. The exploit specifically targets the ssh-keysign and chage utilities to steal sensitive system files.
Background
The vulnerability exploits a race condition in the Linux kernel's ptrace_may_access function, which incorrectly skips the dumpable checks when a process's memory management structure (mm) is NULL. This allows an attacker to use pidfd_getfd to steal file descriptors from a privileged process during the window in its execution in which its mm is NULL, so a file the privileged process has opened becomes readable by the unprivileged caller.
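Because the theft happens through the pidfd_getfd system call, one defensive check is to audit that syscall and flag any call made by a non-root process. The following is an added example, not code from the original post or from the Qualys report; it assumes auditd is recording pidfd_getfd (syscall 438 on x86_64) in its default key=value SYSCALL record format, and the log lines it runs on are constructed.

```python
"""Flag pidfd_getfd calls made by non-root processes in Linux audit logs.

Added example (not from the original post). Assumes auditd logs the syscall,
e.g. with a rule keyed "pidfd_getfd", in the default SYSCALL record format.
"""
import re
from typing import Dict, List

PIDFD_GETFD_NR = 438  # pidfd_getfd; same number on every 64-bit architecture

# Constructed sample records: a benign root call, an unprivileged success,
# an unprivileged failure (exit=-1), and an unrelated openat call.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1778828040.101:501): arch=c000003e syscall=438 success=yes exit=5 a0=3 a1=4 a2=0 a3=0 items=0 ppid=1 pid=812 auid=4294967295 uid=0 gid=0 euid=0 comm="systemd" exe="/usr/lib/systemd/systemd" key="pidfd_getfd"
type=SYSCALL msg=audit(1778828041.202:502): arch=c000003e syscall=438 success=yes exit=7 a0=5 a1=3 a2=0 a3=0 items=0 ppid=2201 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 comm="racer" exe="/tmp/racer" key="pidfd_getfd"
type=SYSCALL msg=audit(1778828041.303:503): arch=c000003e syscall=438 success=no exit=-1 a0=5 a1=3 a2=0 a3=0 items=0 ppid=2201 pid=2346 auid=1000 uid=1000 gid=1000 euid=1000 comm="racer" exe="/tmp/racer" key="pidfd_getfd"
type=SYSCALL msg=audit(1778828042.404:504): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1234 a2=0 a3=0 items=1 ppid=2201 pid=2400 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="open"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line: str) -> Dict[str, str]:
    """Turn one audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def flag_pidfd_getfd(log: str) -> List[Dict[str, str]]:
    """Return SYSCALL records where a non-root process called pidfd_getfd.

    A successful call is the strongest signal: an unprivileged process only
    obtains another process's fd if the ptrace access check passed (or, as
    in this bug, was skipped). Failed calls are kept at lower severity,
    since a race is normally attempted many times before it lands.
    """
    hits = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        if int(rec.get("syscall", "-1")) != PIDFD_GETFD_NR:
            continue
        if rec.get("uid") == "0":
            continue  # root already has access; not interesting here
        rec["severity"] = "high" if rec.get("success") == "yes" else "medium"
        hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in flag_pidfd_getfd(SAMPLE_LOG):
        print(f'{h["severity"]:6} pid={h["pid"]} uid={h["uid"]} comm={h["comm"]} exit={h["exit"]}')
```

A matching auditd rule would be one that selects syscall pidfd_getfd on the 64-bit arch with key pidfd_getfd; the script only consumes the records such a rule produces.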
- Source: Lobsters
- Published: May 15, 2026 at 09:14 AM
- Score: 9.0 / 10