Executive Summary
A high-impact Linux kernel vulnerability, currently without a verified public CVE or CVSS score, was disclosed affecting kernels prior to commit 31e62c2e. The issue allows a local unprivileged attacker to steal file descriptors from privileged processes during a narrow exit window, potentially exposing root-only files such as SSH host private keys and /etc/shadow.
Vulnerability Details
The issue originates from ptrace access-control logic, where __ptrace_may_access() could skip the dumpability check when a target task no longer had an mm pointer. During process exit, the task may lose its memory descriptor before closing open file descriptors. By racing this state and abusing pidfd_getfd(), attackers can duplicate sensitive file descriptors from setuid-root helpers that opened privileged files before dropping privileges or exiting.
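To make the access-control flaw concrete, the following is an added user-space model of the check described above. It is illustration written for this summary, not kernel code: the struct and function names, the uid-only credential comparison, and the exact shape of the fix are assumptions. It shows why a setuid helper that dropped privileges (leaving its mm non-dumpable) is protected while its mm exists, and why a check that gates the dumpability test on `mm` being non-NULL stops protecting it once the exiting task has released its mm.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the kernel's ptrace access check (assumed shape,
 * not the kernel's code).  Only the dumpability logic is modelled. */

#define SUID_DUMP_DISABLE 0  /* mm not dumpable, e.g. after a setuid transition */
#define SUID_DUMP_USER    1  /* mm dumpable by its owner */

struct mm_model {
    int dumpable;            /* stands in for get_dumpable(mm) */
};

struct task_model {
    struct mm_model *mm;     /* NULL once an exiting task has released its mm */
    unsigned int uid;        /* real uid; enough for this model */
};

struct cred_model {
    unsigned int uid;
    bool has_cap_sys_ptrace; /* stands in for ptrace_has_cap() */
};

/* Same-credentials test shared by both variants.  The real kernel compares
 * several uids/gids and user namespaces; a uid compare suffices here. */
static bool creds_match(const struct cred_model *caller, const struct task_model *target)
{
    return caller->uid == target->uid;
}

/* Vulnerable shape: the dumpability test only runs when mm is non-NULL,
 * so a target that already dropped its mm during exit skips it entirely. */
int may_access_vulnerable(const struct cred_model *caller, const struct task_model *target)
{
    if (!creds_match(caller, target) && !caller->has_cap_sys_ptrace)
        return -EPERM;
    if (target->mm &&
        target->mm->dumpable != SUID_DUMP_USER &&
        !caller->has_cap_sys_ptrace)
        return -EPERM;
    return 0;                /* access allowed */
}

/* Hardened shape (assumed form of the fix): a target without an mm is
 * treated as non-dumpable, so only a caller with ptrace capability passes. */
int may_access_fixed(const struct cred_model *caller, const struct task_model *target)
{
    if (!creds_match(caller, target) && !caller->has_cap_sys_ptrace)
        return -EPERM;
    if ((target->mm == NULL || target->mm->dumpable != SUID_DUMP_USER) &&
        !caller->has_cap_sys_ptrace)
        return -EPERM;
    return 0;
}

/* Scenario from the advisory: a setuid-root helper opened root-only files,
 * dropped privileges to the invoking user (its mm is now non-dumpable) and
 * is exiting.  Returns the check result for an unprivileged caller with the
 * same uid, before (mm_gone=false) or after (mm_gone=true) the mm is released. */
int check_exiting_helper(int (*check)(const struct cred_model *, const struct task_model *),
                         bool mm_gone)
{
    struct mm_model helper_mm = { .dumpable = SUID_DUMP_DISABLE };
    struct task_model helper = { .mm = mm_gone ? NULL : &helper_mm, .uid = 1000 };
    struct cred_model caller = { .uid = 1000, .has_cap_sys_ptrace = false };
    return check(&caller, &helper);
}

int main(void)
{
    printf("vulnerable, mm present: %d\n", check_exiting_helper(may_access_vulnerable, false));
    printf("vulnerable, mm gone:    %d\n", check_exiting_helper(may_access_vulnerable, true));
    printf("fixed,      mm present: %d\n", check_exiting_helper(may_access_fixed, false));
    printf("fixed,      mm gone:    %d\n", check_exiting_helper(may_access_fixed, true));
    return 0;
}
```

The only difference between the two variants is how a NULL `mm` is treated: the vulnerable form lets the check fall through to "allowed" for that window, while the hardened form fails closed unless the caller holds ptrace capability. Note that the window only exists because credentials already match after the privilege drop; the dumpability test was the sole remaining barrier.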
Why This Matters
This is not a remote, unauthenticated vulnerability. Exploitation requires local code execution on the affected Linux host. However, the impact is serious: stealing SSH host keys can enable host impersonation and undermine trust relationships, while access to /etc/shadow may allow offline password cracking and further privilege escalation.
Affected Systems and Proof of Concept (PoC)
The public PoC targets ssh-keysign to extract /etc/ssh/ssh_host_{ecdsa,ed25519,rsa}_key and can be modified to read /etc/shadow instead. The repository claims successful testing on Raspberry Pi OS Bookworm 6.12.75, Debian 13, Ubuntu 22.04, Ubuntu 24.04, Ubuntu 26.04, Arch, and CentOS 9. Systems running Linux kernels before the upstream fix should be considered potentially exposed until their distribution ships, and they apply, the relevant kernel update.
Recommended Mitigation
Users should upgrade to a kernel version that includes commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a or the corresponding vendor backport as soon as it becomes available. Because this is a kernel-level issue, mitigation should focus on patching the kernel, reducing local shell access, limiting untrusted workloads, and monitoring for suspicious attempts to access SSH host keys or shadow password data.
Exploitation Risk and Threat Outlook
At the time of writing, a working public PoC is available on GitHub, and the upstream Linux kernel fix has already landed. We could not verify. Regardless, the combination of public exploit code, sensitive file exposure, and broad Linux distribution impact makes this high risk, especially on multi-user systems, developer workstations, shared servers, CI runners, and cloud workloads where local code execution may be achievable through another weakness.
Potential Impact
Successful exploitation could allow attackers to steal SSH host private keys, obtain /etc/shadow for offline cracking, impersonate trusted hosts, escalate privileges, and expand access across infrastructure.
How can Orca help?
Orca enables customers to quickly identify assets running vulnerable kernel versions, understand their exposure in context (including internet accessibility, workload criticality, and whether affected assets are reachable or running sensitive workloads), and prioritize remediation based on real risk rather than CVSS alone. Orca’s platform highlights affected assets directly in the newItem view, helping security teams focus on the most critical remediation paths first.
