Quick Summary
- The Linux kernel contained a logic flaw that let unprivileged users "steal" file descriptors for root-protected files, such as SSH host private keys and /etc/shadow.
- By exploiting a brief timing window during a process's exit, after its memory has been torn down but before its files are closed, an attacker can use the pidfd_getfd syscall to bypass the access check that normally protects sensitive set-uid processes.
- Although this "FD-theft" design flaw was explicitly flagged by a security researcher in October 2020, it remained unpatched in stable Linux kernels for roughly six years. The coding pattern in the ssh-keysign utility that makes it a usable target for this exploit has been unchanged since 2002.
FD-Theft Exploit: The 6 Year Linux Kernel Bug
A new security patch has just been released for the Linux kernel. This isn't a typical headline-grabbing "instant root" exploit. Instead, it is a "File Descriptor (FD) theft" vulnerability that has been part of the kernel's design for about six years.
Linus Torvalds recently pushed a fix for a logic error in how the kernel decides who may inspect an exiting process. While the patch is now official, the story of how this bug works, and how long it stayed hidden, is a fascinating look into kernel internals.
What Exactly is the File Descriptor (FD) Theft Vulnerability?
Most Linux security news focuses on "Privilege Escalation", where a user becomes root. This bug is different. It's a file access exploit.
FD-Theft (File Descriptor Theft) refers to the process of an attacker "stealing" or duplicating active file descriptors from a privileged process while it is in the middle of exiting. This technique allows an unprivileged user to gain access to sensitive files that were opened while the target process still possessed root authority.
An attacker can use this flaw to duplicate the open descriptors of sensitive files, such as SSH host private keys or the /etc/shadow password file, at the moment a privileged program is about to close them.
If an attacker obtains your shadow file, they can take the password hashes and crack them offline; a cracked password for root or a sudo-capable account then gives them full root access.
The Security Window in the Kernel
To understand this FD-theft bug, you have to look at how a program exits. When a process finishes, the Linux kernel tears down its resources in a fixed order, and this vulnerability exploits a tiny timing gap in that sequence:
- Memory is torn down first (exit_mm): the kernel releases the process's address space, its mm.
- The access check fails open: normally the kernel protects a set-uid program from being inspected by regular users through the "dumpable" check, and that dumpable state lives in the mm. For years the check had a fail-open path: if the mm was already gone, the kernel skipped the dumpable test and treated the process as accessible.
- Files stay open for a split second (exit_files): although the memory is gone, the process's file descriptor table has not been torn down yet.
During this window, an attacker holding a pidfd for the exiting process can call the pidfd_getfd syscall to duplicate those open descriptors into its own process. Because the target opened the files while it still had root privileges, the attacker gets a working descriptor for each of them.
Real-World Targets: ssh-keysign and chage
This attack targets a very specific "shape" of program: a set-uid root tool that opens a sensitive file, drops its privileges to the calling user, and then exits while the file is still open.
- ssh-keysign: this helper opens the SSH host private keys. Because of this bug, an attacker can capture a host key and then masquerade as your server to other users.
- chage: this tool manages password aging information and opens /etc/shadow. An attacker can race the program as it exits to steal your password hashes.
Surprisingly, the code in ssh-keysign that makes this possible has been unchanged since 2002. Security researcher Jann Horn even warned about this design flaw back in October 2020, calling the kernel's logic "dubious from a security perspective".
If you want to test this exploit, check the ssh-keysign-pwn repository hosted on GitHub. It provides the code needed to demonstrate the vulnerability on kernels released before May 14, 2026.
Linus Torvalds Released a New Patch to Fix the Flaw
Linus Torvalds' new patch, identified as commit 31e62c2ebbfd, introduces what he calls "slightly saner" logic.
Instead of losing track of a program's security status the moment its mm is released, the kernel now consults a cached flag, user_dumpable.
This flag records whether the program was protected while it was still alive. If an attacker tries to grab a file descriptor during the exit window, the kernel sees the cached flag and denies the access unless the caller holds the CAP_SYS_PTRACE capability.
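The following is an added example written for this article, not kernel code and not the page's proof of concept. It is a user-space model of the access check that pidfd_getfd applies (in the kernel this is ptrace_may_access, simplified here to a uid match plus the dumpable test), replayed across the exit sequence described above: exit_mm first, then exit_files. The pre-fix check is paired with a model of the cached-flag check described in the patch section, so the same replay shows why the old logic handed out the descriptor and the new logic refuses. All names (task_model, cred_model, old_may_access, new_may_access and the helpers) are invented for the illustration; only the SUID_DUMP_* values mirror kernel constants.

```c
/* Added example: user-space model of the pidfd_getfd access check across
 * process exit.  Invented names throughout; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

#define SUID_DUMP_DISABLE 0   /* set-uid task that changed credentials */
#define SUID_DUMP_USER    1   /* ordinary task: its owner may inspect it */

struct cred_model {
    unsigned uid;
    bool cap_sys_ptrace;
};

struct task_model {
    struct cred_model cred;    /* credentials after any privilege drop */
    bool has_mm;               /* false once exit_mm() has run */
    int mm_dumpable;           /* lives in the mm; unreadable once has_mm is false */
    int cached_user_dumpable;  /* model of the flag the fix caches on the task */
    bool files_open;           /* true until exit_files() has run */
};

typedef bool (*access_check)(const struct task_model *, const struct cred_model *);

/* Pre-fix logic: credentials must match, then the mm's dumpable state is
 * tested, but only while an mm exists.  Past exit_mm() it fails open. */
static bool old_may_access(const struct task_model *t, const struct cred_model *c)
{
    if (c->cap_sys_ptrace)
        return true;
    if (c->uid != t->cred.uid)
        return false;
    if (t->has_mm && t->mm_dumpable != SUID_DUMP_USER)
        return false;
    return true;                       /* !has_mm: no dumpable test at all */
}

/* Post-fix logic: the dumpable state cached while the task was alive is
 * consulted whether or not the mm has already been released. */
static bool new_may_access(const struct task_model *t, const struct cred_model *c)
{
    if (c->cap_sys_ptrace)
        return true;
    if (c->uid != t->cred.uid)
        return false;
    if (t->cached_user_dumpable != SUID_DUMP_USER)
        return false;
    return true;
}

/* Exit sequence in the order the kernel performs it. */
static void exit_mm_model(struct task_model *t)    { t->has_mm = false; }
static void exit_files_model(struct task_model *t) { t->files_open = false; }

/* A target shaped like ssh-keysign: ran set-uid root (so dumpable was cleared),
 * opened a sensitive file, then dropped to the caller's uid before exiting. */
static struct task_model make_target(unsigned caller_uid)
{
    struct task_model t = {
        .cred = { .uid = caller_uid, .cap_sys_ptrace = false },
        .has_mm = true,
        .mm_dumpable = SUID_DUMP_DISABLE,
        .cached_user_dumpable = SUID_DUMP_DISABLE,
        .files_open = true,
    };
    return t;
}

/* Same-uid, unprivileged attacker probing the target before it exits. */
static bool attacker_gets_fd_while_alive(access_check check)
{
    struct cred_model attacker = { .uid = 1000, .cap_sys_ptrace = false };
    struct task_model target = make_target(attacker.uid);
    return target.files_open && check(&target, &attacker);
}

/* The race: the same attacker calls pidfd_getfd() after exit_mm() but before
 * exit_files().  Returns true if the descriptor would be handed over. */
static bool attacker_gets_fd_in_window(access_check check)
{
    struct cred_model attacker = { .uid = 1000, .cap_sys_ptrace = false };
    struct task_model target = make_target(attacker.uid);
    bool stolen;

    exit_mm_model(&target);
    stolen = target.files_open && check(&target, &attacker);
    exit_files_model(&target);
    return stolen;
}

/* The exception the fix keeps: a CAP_SYS_PTRACE caller is still allowed. */
static bool ptrace_capable_still_allowed(void)
{
    struct cred_model admin = { .uid = 1000, .cap_sys_ptrace = true };
    struct task_model target = make_target(admin.uid);
    exit_mm_model(&target);
    return new_may_access(&target, &admin);
}

int main(void)
{
    printf("old check, exit window: fd %s\n",
           attacker_gets_fd_in_window(old_may_access) ? "stolen" : "protected");
    printf("new check, exit window: fd %s\n",
           attacker_gets_fd_in_window(new_may_access) ? "stolen" : "protected");
    printf("new check, CAP_SYS_PTRACE caller: %s\n",
           ptrace_capable_still_allowed() ? "allowed" : "denied");
    return 0;
}
```

Compile with `cc -Wall -o fdwindow fdwindow.c && ./fdwindow`. The point the replay makes is that the old check never fails while the target is alive; it only misbehaves once the mm, and with it the dumpable state, is gone, which is exactly the interval in which the file table still exists.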
Affected Linux Systems
The vulnerability affects almost every major Linux distribution running a kernel released before May 14, 2026. Confirmed affected versions include:
- Ubuntu (22.04, 24.04, 26.04)
- Debian 13
- Arch Linux
- CentOS 9
- Raspberry Pi OS (Bookworm)
Fix the FD-Theft Exploit
Update your kernel as soon as your distribution ships the patched version. Once you are running a kernel that includes the Torvalds fix, the exit-time window is closed.