Notice Date: May 20, 2026
Vulnerability Reference: CVE-2026-46333 ("ssh-keysign-pwn")
Overview
Webscale has become aware of a Linux kernel information disclosure vulnerability, publicly known as "ssh-keysign-pwn." This flaw is a race condition in the kernel's handling of ptrace() against SUID and SGID processes.
First, the good news: this is not a remote code execution (RCE) vulnerability. An attacker cannot use this flaw on its own to break into your system over the internet.
To exploit it, the attacker must already have a foothold on your system as a normal, unprivileged user. That could be a legitimate user with a limited account, or an attacker who has gained a limited account on your machine through some other means (for example, a vulnerable web application).
Our security and infrastructure teams are currently taking proactive measures to secure all managed environments.
Impacted Services
This vulnerability affects standard Linux kernel versions across all currently supported Ubuntu releases (14.04 LTS through 26.04 LTS). Because a public proof-of-concept (PoC) exploit is available, we are prioritizing mitigation across all managed fleets. The vulnerability is not remotely exploitable — exploitation requires existing local access to the host — and on container deployments, the exposure is confined to within the container.
CISA has assigned a CVSS 3.1 base score of 5.5 (Medium). Canonical has assigned an Ubuntu Priority of High due to the sensitivity of the information that may be disclosed.
Actions Being Taken
To ensure the integrity of your data and the security of your instances, our team is performing the following actions:
- Immediate Mitigation (ptrace Restriction): We are applying the Canonical-recommended mitigation across all managed hosts by setting kernel.yama.ptrace_scope = 2 via a drop-in sysctl configuration. Yama scope 2 is "admin-only attach": only processes holding CAP_SYS_PTRACE may attach to another process, so unprivileged users can no longer use ptrace() against other processes, and the exploit window is closed without a reboot. The setting is host-global, so it also covers containers running on that host.
- Kernel Patching (Follow-Up): Once Canonical releases the official Linux kernel security update for this CVE, we will roll the patched kernel through our standard patching cycle, after which the sysctl mitigation will be removed.
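The mitigation above, as an added illustrative script (not Webscale's own tooling): it renders the sysctl drop-in, applies it live with sysctl, and verifies the resulting Yama scope. The drop-in file name is an assumption; any file under /etc/sysctl.d/ works. The check helpers take the procfs path as an argument so they can also be pointed at a copied value for testing.

```shell
#!/bin/sh
# Added example: apply and verify the Yama ptrace restriction for
# CVE-2026-46333. Illustrative code, not Webscale's tooling.
# Assumed drop-in name; any file in /etc/sysctl.d/ is read by sysctl --system.
DROPIN="${DROPIN:-/etc/sysctl.d/99-cve-2026-46333-ptrace.conf}"
SCOPE_FILE="${SCOPE_FILE:-/proc/sys/kernel/yama/ptrace_scope}"

# Content of the drop-in. Scope 2 = admin-only attach: only processes holding
# CAP_SYS_PTRACE may PTRACE_ATTACH, and PTRACE_TRACEME is refused as well.
render_dropin() {
    printf '# CVE-2026-46333 (ssh-keysign-pwn) mitigation: admin-only ptrace\n'
    printf 'kernel.yama.ptrace_scope = 2\n'
}

# Map a raw scope value to a verdict. 2 and 3 block unprivileged attach;
# 0 and 1 leave the exploit window open; anything else means Yama is absent.
classify_scope() {
    case "$1" in
        2|3) echo mitigated ;;
        0|1) echo vulnerable ;;
        *)   echo unknown ;;
    esac
}

# Read the live value from a procfs-style file, or "absent" if the kernel
# does not expose Yama (e.g. built without CONFIG_SECURITY_YAMA).
read_scope() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        echo absent
    fi
}

# Persist the setting and apply it without a reboot. Needs root.
apply_mitigation() {
    render_dropin > "$DROPIN"
    sysctl -p "$DROPIN" >/dev/null
    current=$(read_scope "$SCOPE_FILE")
    if [ "$(classify_scope "$current")" != mitigated ]; then
        echo "ptrace_scope is '$current': mitigation NOT effective" >&2
        return 1
    fi
    echo "ptrace_scope=$current: mitigation active"
}

# Usage: ./ptrace-mitigation.sh apply   (as root)
#        ./ptrace-mitigation.sh check   (any user; read-only)
case "${1:-}" in
    apply) apply_mitigation ;;
    check) v=$(read_scope "$SCOPE_FILE"); echo "$(classify_scope "$v") (ptrace_scope=$v)" ;;
esac
```

Run with "check" first on a host to see its current scope (Ubuntu's default is 1, which the script reports as vulnerable), then "apply" as root. Because the value is read back from /proc after sysctl runs, the script fails loudly on a kernel where Yama is not available rather than silently reporting success.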
Maintenance Window & Customer Impact
- Application Traffic: Your storefront and application traffic are not affected by this mitigation. There is no expected impact on performance, availability, or any standard production workload.
- Debugging Tools: The mitigation restricts the unprivileged use of ptrace()-based tools (such as gdb, gcore and strace) on managed hosts. With scope 2, an unprivileged user can neither attach to a running process nor launch a program under a debugger, since Yama also refuses PTRACE_TRACEME at that level; the attempt fails with "Operation not permitted". Privileged debugging (as root or with CAP_SYS_PTRACE) is unaffected. If your team performs interactive debugging directly on managed infrastructure as an unprivileged user, please reach out to our support team to coordinate.
Our Commitment
At Webscale, security is our top priority. By applying the recommended mitigation across our managed fleet ahead of the upstream kernel patch, we ensure the continued stability and safety of your infrastructure while the official fix moves through the standard release process.
No action is required from you at this time. We will provide a follow-up notification once the kernel patching cycle is complete for your specific environment.
Questions?
If you have concerns about how these changes might affect your specific application stack, please open a ticket via the Customer Portal or contact us at support@webscalenetworks.com.