Nine-Year-Old Linux Kernel Flaw Leaks SSH Keys and Password Hashes

The ptrace flaw uncovered by Qualys traces back to a narrow race condition in the kernel’s __ptrace_may_access() routine, first merged in November 2016. While the code itself appeared benign, the addition of the pidfd_getfd() system call in 2020 unintentionally widened the attack surface, allowing a process that is dropping its credentials to be intercepted and its open file descriptors harvested. This subtle timing window went unnoticed for nearly a decade, illustrating how legacy kernel paths can become exploitable as newer primitives are layered on top.

From a risk perspective, the vulnerability is more than a typical local privilege escalation. By siphoning SSH host private keys or the /etc/shadow hash, an attacker can impersonate services, decrypt traffic, and pivot to full root control without triggering traditional detection mechanisms. The CVSS base score of 5.5 understates the real‑world impact because the disclosed credentials alone are sufficient to compromise the entire host, especially in multi‑tenant cloud instances, shared hosting platforms, and CI/CD runners where unprivileged shells are commonplace. The rapid development of four functional exploits underscores the ease with which threat actors can weaponize this flaw.

Mitigation now hinges on swift kernel updates from Debian, Fedora and Ubuntu, which already incorporate the upstream fix. As an interim safeguard, administrators can raise the sysctl parameter kernel.yama.ptrace_scope to 2, effectively restricting ptrace to processes with CAP_SYS_PTRACE and blocking the exploit chain, albeit at the cost of disabling unprivileged debugging. This incident reinforces the need for continuous kernel hardening, regular patch cycles, and vigilant monitoring of emerging Linux LPE trends to protect critical infrastructure.