On May 15, 2026, Greg Kroah-Hartman announced the release of Linux kernel 7.0.8. This is an important update for anyone using the 7.0 kernel series. While every new release brings fixes, this one is special because it stops a dangerous security hole known as ssh-keysign-pwn.
What is the ssh-keysign-pwn Bug?
Security experts track this ssh-keysign-pwn flaw as CVE-2026-46333. It is a "local root" exploit, which means a regular user can use it to become the "root" superuser. The team at Qualys found the bug and reported it to the kernel developers.
Specifically, the problem lives in a function called ptrace_may_access(). This function is supposed to check if a user has permission to look at a running program. However, the kernel skips this check if the program is in the middle of closing down.
How the Attack Works
The attack happens during a tiny split-second window when a program exits. At this moment, the program drops its memory but still keeps its files open for a brief time. Consequently, an attacker can use a system call named pidfd_getfd to "steal" those open files.
Because the kernel skips the security check during this window, the attacker can grab files that should be off-limits. For example, they can read SSH host keys or the system’s password file. Hackers have already released working code that proves this attack works reliably.
Who is at Risk?
If you run a server where many people have accounts, you should be very concerned. This includes:
- Multi-tenant hosts where different users share the same server.
- Container clusters like Kubernetes.
- CI/CD runners that handle code from many sources.
Every major Linux version built since 2017 might have this logic bug in its code. Distributions like AlmaLinux have already confirmed that versions 9 and 10 are vulnerable to the public attack tools.
How to Protect Your System
The best way to stay safe is to upgrade your kernel to version 7.0.8 immediately. Linus Torvalds pushed the fix on May 14, and Greg Kroah-Hartman included it in this new stable release.
If you use AlmaLinux, you can simply run a system update to get the patched kernels for versions 8, 9, and 10. These updates also include fixes for other recent bugs like Fragnesia.
A Quick Temporary Fix
If you cannot restart your server right now, you can use a temporary workaround. You can tighten a security setting called ptrace_scope. Use this command to block the known attack tools:
sudo sysctl -w kernel.yama.ptrace_scope=2
Setting this to 2 restricts certain actions to administrators only. While this helps, it is not a permanent fix. You must still install the new kernel and reboot your system as soon as possible to be fully safe.
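To check a host against both points above, the 7.0.8 fix and the ptrace_scope workaround, a script along these lines can be used. It is an added example, not code from the kernel announcement or any vendor; the function names and status strings are made up here, and treating a value of 3 as at least as strict as 2 follows the Yama documentation rather than this article.

```shell
#!/bin/sh
# Added example: report whether a host has the 7.0.8 fix and, if not,
# whether the ptrace_scope workaround is in place.

# version_lt A B: succeeds when dotted version A is numerically older than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# classify RELEASE SCOPE
#   RELEASE: a `uname -r` string; SCOPE: value of kernel.yama.ptrace_scope,
#   or empty when the Yama sysctl does not exist on this kernel.
classify() {
    # Strip the packaging suffix, e.g. (constructed sample)
    # "7.0.7-200.fc44.x86_64" -> "7.0.7"
    ver=${1%%[!0-9.]*}
    case "$ver" in
        7.0.*)
            if ! version_lt "$ver" 7.0.8; then
                echo "kernel=fixed"
                return 0
            fi
            state=unfixed ;;
        *)
            # Other series and distribution kernels carry backports, so the
            # version number alone proves nothing: consult the vendor advisory.
            state=check-vendor ;;
    esac
    case "$2" in
        2|3) echo "kernel=$state workaround=on" ;;   # 3 is stricter than 2 (Yama docs)
        *)   echo "kernel=$state workaround=off" ;;  # 0, 1, or sysctl missing
    esac
}

# Live check of the machine this runs on.
scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true)
classify "$(uname -r)" "$scope"
```

A value set with sysctl -w applies only to the running kernel, so it is lost if the machine reboots into a kernel that is still unfixed.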
