home.social

#sshkeysignpwn — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #sshkeysignpwn, aggregated by home.social.

  1. EVERYONE GETS AN LPE

    Windows:
    #BlueHammer (#CVE_2026_33825)
    #RedSun (#CVE_2026_41091)
    #UnDefend (#CVE_2026_45498)
    #WindowsInstaller (#CVE_2026_27910):

    Linux:
    #CopyFail (#CVE_2026_31431)
    #SSHKeysignPwn (#CVE_2026_46333)

    FreeBSD:
    #FatGid (#CVE_2026_45250)
    #ExecveBug (#CVE_2026_7270)

  6. #Ubuntu still doesn't have a patch or even a security notice for #sshkeysignpwn ...

    How is this? Everyone else has been patched for days!

    #Debian had a fix Friday morning... #DomumSocial is running on Debian, but in my day job I'm stuck with Ubuntu.

    If you're also stuck with Ubuntu there is a mitigation:

    `sudo sysctl -w kernel.yama.ptrace_scope=3`

    I've tested this against the known exploit code at github.com/0xdeadbeefnetwork/s

    This will disable the vulnerable ptrace call until the next reboot

    Seeking confirmation of my theory I was able to find:
    almalinux.org/blog/2026-05-15-

    You can also set "yama.ptrace_scope" to "2", which will only allow root to use ptrace (and will also allow resetting it w/o reboot). The link above has more explanations and directions for setting it persistently across reboot for now.

    This will break `strace` and `gdb`!

    #Linux #sysadmin #security

  8. 🚨 CVE-2026-46333 (ssh-keysign-pwn)

    In the Linux kernel, the following vulnerability has been resolved:

    ptrace: slightly saner 'get_dumpable()' logic

    The 'dumpability' of a task is fundamentally about the memory image of
    the task - the concept comes from whether it can core dump or not - and
    makes no sense when you don't have an associated mm.

    And almost all users do in fact use it only for the case where the task
    has a mm pointer.

    But we have one odd special case: ptrace_may_access() uses 'dumpable' to
    check various other things entirely independently of the MM (typically
    explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
    threads that no longer have a VM (and maybe never did, like most kernel
    threads).

    It's not what this flag was designed for, but it is what it is.

    The ptrace code does check that the uid/gid matches, so you do have to
    be uid-0 to see kernel thread details, but this means that the
    traditional "drop capabilities" model doesn't make any difference for
    this all.

    Make it all make a bit more sense by saying that if you don't have a
    MM pointer, we'll use a cached "last dumpability" flag if the thread
    ever had a MM (it will be zero for kernel threads since it is never
    set), and require a proper CAP_SYS_PTRACE capability to override.

    ℹ️ Additional info on ZEN SecDB secdb.nttzen.cloud/cve/detail/

    #nttdata #zen #secdb #infosec
    #sshkeysignpwn #cve202646333 #linux #kernel

  11. Without a new Linux root vulnerability that makes the data center shut down half the servers, it just isn't a proper weekend anymore these days.

    #sshkeysignpwn

  16. We decided to apply (on Debian 7 through 13) the patch that configures the sysctl "kernel.yama.ptrace_scope=2", using Ansible with this task: paste.evolix.org/?76d737e7693e #sshkeysignpwn #linux #debian #cybersecurity

  19. That was without counting on a new flaw in the Linux kernel 😥 #sshkeysignpwn

  23. Newest Linux kernel vulnerability mitigation:
    # echo 2 > /proc/sys/kernel/yama/ptrace_scope
    # echo 'kernel.yama.ptrace_scope=2' > /etc/sysctl.d/ssh-keysign-pwn.conf

    On all deb systems you can install linux-vulnerability-mitigation from people.debian.org/~daniel/linu

    Source: forgejo.debian.net/linux/linux
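
  The mitigation from posts 6 and 23, as an added audit script (not from any of the posts or the linked projects): it reports whether kernel.yama.ptrace_scope is at 2 or 3 right now and whether a sysctl.d file will keep it there after a reboot. The function names and the directory list are assumptions of this example, and same-named files masking each other across directories are not modelled.

```shell
#!/bin/sh
# Added example: audit the Yama ptrace_scope mitigation (live value + persistence).
# Paths are parameters so the functions can be pointed at a test tree.

# Print the live value, or "absent" if the kernel exposes no Yama sysctl.
runtime_scope() {
    f="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else printf absent; fi
}

# Print the value boot-time sysctl loading ends up with: *.conf files from the
# given directories, applied in basename order, last assignment wins ("unset"
# if none). Simplification: same-named files masking each other is not modelled.
persistent_scope() {
    for d in "$@"; do
        for p in "$d"/*.conf; do
            if [ -f "$p" ]; then printf '%s\t%s\n' "${p##*/}" "$p"; fi
        done
    done | LC_ALL=C sort | cut -f2- | {
        val=unset
        re='s/^[[:space:]]*-\{0,1\}kernel[./]yama[./]ptrace_scope[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p'
        while IFS= read -r p; do
            v=$(sed -n "$re" "$p" | tail -n 1)
            if [ -n "$v" ]; then val=$v; fi
        done
        printf '%s' "$val"
    }
}

# Classify the pair; 2 and 3 are the mitigating levels named in the posts.
verdict() {
    case $1 in 2|3) rt=1 ;; *) rt=0 ;; esac
    case $2 in 2|3) ps=1 ;; *) ps=0 ;; esac
    case $rt$ps in
        11) echo mitigated ;;
        10) echo runtime-only ;;     # setting is lost at the next reboot
        01) echo persistent-only ;;  # configured on disk, not applied yet
        *)  echo unmitigated ;;
    esac
}

# Report for this host, using the usual sysctl.d locations (assumed here).
audit_host() {
    rt_val=$(runtime_scope)
    ps_val=$(persistent_scope /usr/lib/sysctl.d /run/sysctl.d /etc/sysctl.d)
    printf 'runtime=%s persistent=%s verdict=%s\n' \
        "$rt_val" "$ps_val" "$(verdict "$rt_val" "$ps_val")"
}
audit_host
```

  A `runtime-only` verdict is what `sysctl -w` alone produces; a `persistent-only` verdict means the file exists but has not been loaded yet.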

  28. ⚠️ 🤪 🔥 :nes_fire:
    New Linux kernel vuln today: ssh-keysign-pwn 🔑

    Not an LPE this time, but reading root files as an unprivileged user:
    • SSH host private keys (ecdsa/ed25519/rsa)
    • /etc/shadow → offline cracking

    The bug: ptrace_may_access() skips the dumpable check when mm=NULL. Race window between exit_mm() and exit_files(). Flagged by Jann Horn in 2020... fixed in 2026. 6 years.

    Confirmed on: Debian 13, Ubuntu 22/24/26, Arch, CentOS, RPi OS. No specific CONFIG prerequisite, so this would seem far more universal than Fragnesia.

    Patch merged into mainline by Linus today (31e62c2ebbfd), not yet in the stable kernels.
    No CVE assigned at this stage.
    👇
    github.com/0xdeadbeefnetwork/s

    "Six-Year-Old Linux Kernel Flaw Lets Unprivileged Users Read Root-Owned Files"
    ⬇️
    9to5linux.com/six-year-old-lin

    #cyberVeille #Linux #sshkeysignpwn

  33. Oh no, please don't tell me again that Linux is now insecure on the net?!

    «Linux's Latest Vulnerability Allows Reading Root-Owned Files By Unprivileged Users»

    ⛓️‍💥 phoronix.com/news/Linux-ssh-ke
    ⛓️‍💥 github.com/0xdeadbeefnetwork/s

    #sshkeysignpwn #pwn #ssh #linux #0day #keysigning #sshkeys #itsecurity #itsec #itsecurity #zeroday
