A fresh batch of stable and long‑term Linux kernels ships on May 15, 2026, applying the ptrace‑based fix that stops the ssh‑keysign‑pwn exploit from reading root‑owned files.
Linux 7.0.8 and LTS Kernels Updated to Close ssh‑keysign‑pwn
The kernel community moved quickly after the public disclosure of ssh‑keysign‑pwn – a flaw that let an unprivileged user read files owned by root via a malformed ptrace interaction. The fix landed in Linus Torvalds’ mainline tree as a “slightly saner” implementation of get_dumpable(), and the first stable release containing the patch is Linux 7.0.8.
What the vulnerability did
ssh‑keysign is a helper binary used by OpenSSH when a user’s private key is stored in a hardware token. The binary runs set‑uid root and calls ptrace(PTRACE_ATTACH, …) on the calling process to verify its credentials. The original kernel logic allowed the tracer to read the traced process’s memory even when the traced process had set its dumpable flag to 0. By spawning a malicious helper that attached to a privileged ssh‑keysign instance, an attacker could pull arbitrary root‑owned data from memory and dump it to a file they owned.
The exploit does not grant code execution, but the ability to read /etc/shadow, private SSH keys, or other credential stores is enough to compromise a system.
Patch details
The patch tightens the relationship between a tracer and its tracee:
- get_dumpable() now returns 0 when the tracer lacks the CAP_SYS_PTRACE capability and the tracee has dumpable == 0.
- The check is performed early in the ptrace_attach path, preventing the attacker from slipping past the dumpable flag.
- A small audit added WARN_ON guards to catch unexpected state transitions during development builds.
The change is modest – roughly 30 lines of code – but it closes the only path that the ssh‑keysign‑pwn exploit needed.
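The tracee-side half of this relationship can be checked from user space. The following program is an added example written for this article, not kernel code or anything from the OpenSSH project: it marks itself non-dumpable with prctl(PR_SET_DUMPABLE, 0), the state the tightened get_dumpable() check keys on, then forks a same-uid child that attempts PTRACE_ATTACH on it and reports whether the kernel refused. On a patched kernel an unprivileged attach to an undumpable tracee is refused with EPERM; note that Yama's ptrace_scope or a seccomp policy can refuse the attach for unrelated reasons, so a refusal alone does not prove the patch is present.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark the calling process non-dumpable and return the flag as the
 * kernel reports it afterwards (0 on success, -1 if prctl failed). */
int make_undumpable(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Fork a child that tries PTRACE_ATTACH on the calling process. Returns
 *  0  if the attach was refused with EPERM (expected when the caller is
 *     undumpable and the child lacks CAP_SYS_PTRACE),
 *  1  if the attach succeeded (the child detaches again immediately),
 * -1  on any other failure. */
int try_attach_from_child(void)
{
    pid_t parent = getpid();
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        if (ptrace(PTRACE_ATTACH, parent, NULL, NULL) == 0) {
            int st;
            /* Wait for the tracee to enter attach-stop, then release it. */
            waitpid(parent, &st, 0);
            ptrace(PTRACE_DETACH, parent, NULL, NULL);
            _exit(10);
        }
        _exit(errno == EPERM ? 11 : 12);
    }
    int status;
    if (waitpid(child, &status, 0) != child || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 10: return 1;
    case 11: return 0;
    default: return -1;
    }
}

int main(void)
{
    printf("dumpable after PR_SET_DUMPABLE=0: %d\n", make_undumpable());
    int r = try_attach_from_child();
    printf("same-uid attach from child: %s\n",
           r == 0 ? "refused (EPERM)" :
           r == 1 ? "allowed" : "unexpected error");
    return 0;
}
```

Run it as an unprivileged user; if the attach is reported as allowed, the running kernel still lets a capability-less tracer read an undumpable tracee and needs the update (or the process has CAP_SYS_PTRACE, which bypasses the check by design).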
Release roundup
| Kernel | Release | Type | Key change |
|---|---|---|---|
| 7.0.8 | 2026‑05‑15 | Stable | ptrace get_dumpable() fix |
| 6.18.31 | 2026‑05‑15 | LTS | same security patch |
| 6.12.89 | 2026‑05‑15 | LTS | same security patch |
| 6.6.139 | 2026‑05‑15 | LTS | same security patch |
| 6.1.173 | 2026‑05‑15 | LTS | same security patch |
| 5.15.207 | 2026‑05‑15 | LTS | same security patch |
| 5.10.256 | 2026‑05‑15 | LTS | same security patch |
All of the listed LTS kernels carry only this security update; no functional regressions were reported in the initial testing rounds. The kernel maintainers have posted the patches to the official Git trees:
- Linux 7.0.8 stable tarball
- Linux 6.18.31 LTS tarball
- …and equivalents for the older branches.
Impact on homelab builds
For anyone running OpenSSH with hardware‑token authentication (common on bastion hosts and VPN gateways), the fix is a must‑install. The patch does not affect performance – the extra capability check adds a few nanoseconds to ptrace calls, which are already rare in typical workloads.
Power consumption: unchanged. The kernel’s idle‑state handling remains identical.
Compatibility: the change is fully backward compatible with existing user‑space tools. No recompilation of ssh-keysign or OpenSSH is required; the binary will simply see the tightened security check.
Recommended upgrade path
- Check your current kernel version with uname -r. Anything older than 6.18 will need an update.
- Pull the appropriate package from your distribution’s security repo (most major distros have already back‑ported the patch).
- Reboot to the new kernel and verify the version.
- Run a quick sanity check: ssh -V && ssh-keysign -V should report no errors.
If you maintain custom kernels for edge devices, cherry‑pick the commit c3f9b2e8b9d2 (the ptrace fix) from the mainline tree and rebuild.
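To make the "verify the version" step mechanical across a fleet of mixed LTS branches, here is an added example (written for this article, not a tool from the kernel project or any distribution) that encodes the release roundup table above and compares the running kernel's major.minor.patch against the fixed release for its branch. It assumes that any release newer than the 7.0 branch is a mainline release made after the fix landed; branches not in the table are reported as unknown rather than guessed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

/* Fixed releases from the article's roundup table, one entry per branch. */
struct fixed_release { int major, minor, patch; };
static const struct fixed_release FIXED[] = {
    {7, 0, 8}, {6, 18, 31}, {6, 12, 89}, {6, 6, 139},
    {6, 1, 173}, {5, 15, 207}, {5, 10, 256},
};
#define NFIXED (sizeof FIXED / sizeof FIXED[0])

/* Parse "major.minor.patch"; a trailing "-suffix" as printed by uname -r
 * is ignored. Returns 0 on success, -1 if the string is malformed. */
int parse_kernel_version(const char *s, int *major, int *minor, int *patch)
{
    *patch = 0;
    int n = sscanf(s, "%d.%d.%d", major, minor, patch);
    return (n >= 2) ? 0 : -1;
}

/* 1  = at or beyond the fixed release for its branch,
 * 0  = on a listed branch but older than the fix,
 * -1 = malformed, or a branch the table does not cover. */
int kernel_is_fixed(const char *version)
{
    int maj, min, pat;
    if (parse_kernel_version(version, &maj, &min, &pat) != 0)
        return -1;
    for (size_t i = 0; i < NFIXED; i++) {
        if (FIXED[i].major == maj && FIXED[i].minor == min)
            return pat >= FIXED[i].patch ? 1 : 0;
    }
    /* Assumption: anything newer than the 7.0 branch is a mainline release
     * cut after the fix landed and therefore carries it. */
    if (maj > FIXED[0].major ||
        (maj == FIXED[0].major && min > FIXED[0].minor))
        return 1;
    return -1;
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0) {
        perror("uname");
        return 2;
    }
    int r = kernel_is_fixed(u.release);
    printf("%s: %s\n", u.release,
           r == 1 ? "carries the ptrace get_dumpable() fix" :
           r == 0 ? "OLDER than the fixed release for this branch" :
           "branch not in the table, check your vendor's advisory");
    return r == 1 ? 0 : 1;
}
```

The exit status (0 only when the kernel is at or past the fix) makes it easy to drop into a configuration-management check or a cron job. Distribution kernels that carry a back-ported patch under an unchanged upstream version string will still report as older, so treat a non-zero result as a prompt to confirm with the vendor's changelog rather than as a definitive verdict.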
Looking ahead
The ssh‑keysign‑pwn episode underscores how a tiny logic error in a rarely‑used code path can expose privileged data. Kernel developers are now auditing other ptrace‑related helpers (gdbserver, strace) for similar edge‑case behavior. Expect a series of micro‑patches in the next few weeks aimed at hardening the tracer/tracee relationship across the board.
Stay tuned for follow‑up coverage as the community validates the patch across a wider set of hardware platforms.