Issue
A Linux kernel vulnerability tracked as CVE-2026-46333, also referred to as ssh-keysign-pwn, may allow an unprivileged local user on an affected system to access sensitive root-owned files through a race condition in the kernel ptrace access-check path.
Customers may ask whether CloudLinux kernels or KernelCare live patches are affected and how to mitigate or patch the issue.
Environment
- CloudLinux OS
- CloudLinux Kernel
- KernelCare
- Multi-user or shared-hosting environments
Solution
CloudLinux has published a dedicated blog post with the current affected version status, mitigation options, kernel update instructions, and KernelCare live patch information. Refer to the CloudLinux blog post for the latest confirmed guidance:
As a general summary:
- CloudLinux 7 is not affected
- CloudLinux 7h and CloudLinux 8 contain the underlying kernel race, but are not exploitable by the current public proof-of-concept
- CloudLinux 8 LTS, CloudLinux 9, and CloudLinux 10 are affected by the current public proof-of-concept
- CloudLinux recommends applying the documented mitigation or installing the patched kernel / KernelCare live patch once available for the relevant stream
- CageFS provides protection for caged tenants, but the kernel update or KernelCare live patch is still recommended for full coverage
Cause
The issue is caused by a race condition in the Linux kernel exit path. During a narrow window, the ptrace access check may skip the expected dumpability safeguard, allowing an unprivileged local process to access file descriptors from an exiting privileged process.
Useful links
CloudLinux blog post: Linux Kernel ptrace Exit-race Vulnerability / ssh-keysign-pwn CVE-2026-46333 — Mitigation and Kernel Update on CloudLinux
Comments
0 comments
Please sign in to leave a comment.