0xBlackash/CVE-2026-46333

🚀 CVE-2026-46333 - ssh-keysign-pwn

High-quality Proof of Concept for the Linux kernel race condition vulnerability

A clean and reliable proof-of-concept exploit for CVE-2026-46333 — Local information disclosure via race condition in the Linux kernel's process exit path.


🖼️ Screenshot

Successfully stealing SSH host private key and /etc/shadow on Kali Linux


📌 About the Vulnerability

CVE-2026-46333 (also known as ssh-keysign-pwn) is a race condition in the Linux kernel's ptrace and process exit logic: do_exit() runs exit_mm() before exit_files().

When a privileged process (e.g. SUID ssh-keysign or chage) has mm == NULL during exit, the dumpability check is bypassed, allowing an unprivileged local attacker to use pidfd_getfd() to steal open file descriptors.

Impact:

  • Steal SSH host private keys (/etc/ssh/ssh_host_*_key)
  • Dump /etc/shadow
  • Potential for further attacks using stolen credentials

Discovered by: Qualys
Fixed in: Kernel commit 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a (May 2026)
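As an added defensive example (not code from this repository), the check below parses auditd SYSCALL records and flags the behaviour described above: a successful pidfd_getfd() issued by a non-root process. It assumes an audit rule such as `-a always,exit -F arch=b64 -S pidfd_getfd -k pidfd_getfd` is loaded on an x86_64 host; the log lines are constructed.

```python
import re

# pidfd_getfd() is syscall 438 on x86_64; auditd records that arch as c000003e.
PIDFD_GETFD_X86_64 = "438"
X86_64_ARCH = "c000003e"

# Constructed sample auditd SYSCALL records, not real captures. Line 1 is the
# pattern of interest: a non-root process successfully pulling a descriptor.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1778950000.101:7001): arch=c000003e syscall=438 success=yes exit=4 a0=3 a1=3 a2=0 a3=0 items=0 ppid=2210 pid=2241 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="poc" exe="/tmp/poc" key="pidfd_getfd"
type=SYSCALL msg=audit(1778950000.102:7002): arch=c000003e syscall=438 success=no exit=-1 a0=3 a1=3 a2=0 a3=0 items=0 ppid=2210 pid=2241 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="poc" exe="/tmp/poc" key="pidfd_getfd"
type=SYSCALL msg=audit(1778950000.103:7003): arch=c000003e syscall=438 success=yes exit=5 a0=7 a1=3 a2=0 a3=0 items=0 ppid=1 pid=1344 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" key="pidfd_getfd"
type=SYSCALL msg=audit(1778950000.104:7004): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd a2=0 a3=0 items=1 ppid=2210 pid=2250 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="cat" exe="/usr/bin/cat" key="files"
"""

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_record(line: str) -> dict:
    """Split one auditd record into key -> value, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}

def is_unprivileged_pidfd_getfd(rec: dict) -> bool:
    """Successful pidfd_getfd() from a caller whose uid and euid are both non-root.

    The record does not name the target (it sits behind a pidfd), so this cannot
    prove the target was a SUID process; it isolates the rare event worth triage.
    """
    return (
        rec.get("type") == "SYSCALL"
        and rec.get("arch") == X86_64_ARCH
        and rec.get("syscall") == PIDFD_GETFD_X86_64
        and rec.get("success") == "yes"
        and rec.get("uid") not in (None, "0")
        and rec.get("euid") != "0"
    )

def find_fd_theft_candidates(log_text: str) -> list:
    """Return one alert dict per suspicious record; exit= is the fd the caller got."""
    return [
        {"pid": r["pid"], "uid": r["uid"], "comm": r["comm"],
         "exe": r["exe"], "received_fd": r["exit"]}
        for r in map(parse_audit_record, log_text.splitlines())
        if is_unprivileged_pidfd_getfd(r)
    ]

if __name__ == "__main__":
    for alert in find_fd_theft_candidates(SAMPLE_AUDIT_LOG):
        print("[!] unprivileged pidfd_getfd():", alert)
```

Failed attempts (success=no) are deliberately not alerted on here, but a burst of them from one pid is itself a useful secondary signal for a race being hammered.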


✨ Features

  • Original clean code (not copied from existing repos)
  • High success rate
  • Two working exploits:
    • SSH Host Private Key Stealer
    • /etc/shadow Stealer via chage
  • Clean output with progress feedback
  • No external dependencies
  • Well commented

🛠️ Usage

1. Clone & Build

git clone https://github.com/0xBlackash/CVE-2026-46333.git
cd CVE-2026-46333

2. Run SSH Host Key Exploit

sudo ./CVE-2026-46333

3. Run Shadow File Exploit

sudo ./CVE-2026-46333-shadow

📂 Files

File                         Description
cve-2026-46333.c             SSH host private keys stealer
cve-2026-46333-shadow.c      /etc/shadow stealer via chage
README.md                    This file

📖 Example Output

SSH Key Stealer:

[+] SUCCESS! Stolen fd 3 -> /etc/ssh/ssh_host_ecdsa_key (round 0)
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB...

Shadow Stealer:

[+] SUCCESS! Stolen /etc/shadow (round 0)
root:*:19953:0:99999:7:::
kali:$y$j9T$zY1oKFxJlTgP2WcJhzbNl1$...

🛡️ Mitigation

  • Update your kernel to any version containing commit 31e62c2ebbfd...
  • Recommended: Use latest stable kernel from your distribution
  • Disable EnableSSHKeysign in sshd_config if not needed

⚠️ Legal Disclaimer

This exploit is for educational and security research purposes only.
Use it only on systems you own or have explicit written permission to test.
The author is not responsible for any misuse or damage.


⭐ Credits

  • Vulnerability: Qualys
  • PoC Development: Ashraf Zaryouh "0xBlackash"
  • Original Research: Various kernel researchers

📜 License

This project is licensed under the MIT License — feel free to use, modify, and distribute.


Made with ❤️ for the security community

Keeping systems updated is the best defense.