There is a FOURTH vulnerability this month....ssh-keysign-pwn (CVE-2026-46333)
Posted by unixbhaskar@reddit | linux | View on Reddit | 124 comments
No-Temperature7637@reddit
What's the mitigation for it? The other 3 were pretty clear.
CrazyKilla15@reddit
Per Qualys on oss-security:
Set /proc/sys/kernel/yama/ptrace_scope to 2 (admin-only attach) or 3 (no attach)
No-Temperature7637@reddit
Thanks for the info. It was like speaking a language I don't know, so after researching a bit, I got this info. I hope the below is correct, cause I'm gonna test it.
To set ptrace_scope to 2, use these two commands:
sudo sysctl -w kernel.yama.ptrace_scope=2
echo 'kernel.yama.ptrace_scope = 2' | sudo tee -a /etc/sysctl.d/99-ptrace-scope.conf
The first command sets the value right away. The second command appends the setting to a configuration file in /etc/sysctl.d/, ensuring it's applied every time the system starts.
funforgiven@reddit
It is correct. If you use tee -a instead of tee, and if you run this multiple times, it will duplicate the same entry but it is not really a problem, just a little messy.
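An idempotent version of the two-command mitigation above, added here as an example (it is not from the thread or from the Qualys advisory): it overwrites the sysctl.d drop-in instead of appending with `tee -a`, so re-running it never duplicates the entry, validates that the requested value is one Yama defines, and reads back the live value after applying. The SYSCTL_DIR and SCOPE_FILE overrides are assumptions added so the file-writing logic can be exercised in a scratch directory; their defaults are the real system paths.

```shell
#!/bin/sh
# Added example (not from the thread or the Qualys advisory): persist the Yama
# ptrace_scope hardening idempotently, so re-running never duplicates the line
# that `tee -a` would append, and verify the live value afterwards.
#
# SYSCTL_DIR and SCOPE_FILE are overridable for testing in a scratch directory
# (an assumption for this example); their defaults are the real system paths.
SYSCTL_DIR="${SYSCTL_DIR:-/etc/sysctl.d}"
SCOPE_FILE="${SCOPE_FILE:-/proc/sys/kernel/yama/ptrace_scope}"
CONF_NAME="99-ptrace-scope.conf"

# Accept only the four values Yama defines: 0 classic, 1 restricted (descendants
# only), 2 admin-only (CAP_SYS_PTRACE), 3 no attach at all.
valid_scope() {
    case "$1" in
        0|1|2|3) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the currently active ptrace_scope, or "unavailable" when the Yama LSM
# is not loaded (the /proc file then does not exist).
current_scope() {
    if [ -r "$SCOPE_FILE" ]; then
        cat "$SCOPE_FILE"
    else
        echo unavailable
    fi
}

# Write the drop-in with exactly one ptrace_scope line. Overwriting (>) instead
# of appending (tee -a) makes the operation idempotent. Prints the number of
# ptrace_scope lines in the file, which should always be 1.
persist_scope() {
    value="$1"
    if ! valid_scope "$value"; then
        echo "invalid ptrace_scope value: $value (expected 0-3)" >&2
        return 1
    fi
    mkdir -p "$SYSCTL_DIR"
    printf 'kernel.yama.ptrace_scope = %s\n' "$value" > "$SYSCTL_DIR/$CONF_NAME"
    grep -c '^kernel\.yama\.ptrace_scope' "$SYSCTL_DIR/$CONF_NAME"
}

# Apply now and persist; requires root. Returns 1 if the live value does not
# match afterwards (e.g. Yama absent, or a later sysctl.d file overrides ours).
apply_scope() {
    value="$1"
    valid_scope "$value" || return 1
    sysctl -w "kernel.yama.ptrace_scope=$value" >/dev/null || return 1
    persist_scope "$value" >/dev/null || return 1
    [ "$(current_scope)" = "$value" ]
}

# Usage: sh ptrace-scope.sh apply 2     (as root)
#        sh ptrace-scope.sh check
case "${1:-}" in
    apply) apply_scope "${2:-2}" && echo "ptrace_scope is now $(current_scope)" ;;
    check) echo "ptrace_scope is $(current_scope)" ;;
esac
```

The read-back in apply_scope matters on hosts with several sysctl.d fragments: a file sorting after 99-ptrace-scope.conf that sets the same key wins, and the check catches that instead of silently reporting success. Note that raising ptrace_scope to 2 or 3 also stops non-root debuggers and agents that attach to processes (as mentioned further down the thread), so test it on one host before rolling it out.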
Darrel-Yurychuk@reddit
The recent increase in critical security vulnerabilities is a consequence of LLMs being able to comb the source code for undiscovered vulnerabilities, many that have existed for a long time.
This is happening with most major open source source software (and probably with closed source software as well but perhaps more behind the scenes) and it does not mean that the Linux kernel, or any of these other software projects, have suddenly become more insecure.
It is a good thing that they are being discovered in this way, and after some time the frequency that they are being reported will once again drop down to what is usually seen.
Responsible-Bread996@reddit
I was thinking it’s weird that MS vulnerabilities haven’t been showing up like this.
McDonaldsWitchcraft@reddit
since when is windows open source
hjake123@reddit
...though it'd be much better if the ai users would disclose these issues to the kernel devs at least a few weeks before they shout the bug from the rooftops for the world to exploit
amadmongoose@reddit
At least for the 3 that I saw, the disclosures happened months ago, and it's only becoming public now because the SOP for disclosure is to put a time limit on kernel maintainers to fix, as a forcing function to prevent the bugs from being ignored.
McDonaldsWitchcraft@reddit
copyfail didn't disclose it to the distros so the distros weren't notified to implement a fix.
CrazyKilla15@reddit
They usually are. The primary function of embargoes is to force bugs to be patched, specifically by the concept of an end of embargo where you just release it, fixed or not. They exist because it used to be (and for many companies still is..) that you would report a security issue and they simply ignore it, "security through obscurity".
Embargoes exist as a forcing function, in enterprise often 90 days, and as a good faith communication effort. They're saying "I am doing the courtesy of telling you about this issue. You have plenty of time, 90 days, to fix this, and I may be able to help. But if you don't fix it promptly, everyone's going to know. In exceptional circumstances and conditional on your good faith this can be increased, but you can't just put security off forever."
This is also why many, including the kernel, work to reduce embargo periods. The kernel only accepts embargoes up to 7 days, or a hard maximum of 14 days in exceptional circumstances, for example.
What they don't exist for is to ensure downstream forks (in the context of the kernel, all the distros that don't roll, either on an upstream stable or upstream LTS) bother to get patches, or to prevent others from exploiting an issue, because that's just "security through obscurity" again. It must be assumed that Threat Actors (TAs) have just as much, if not more, capability to find and use these exploits as those reporting them, and the TAs aren't trying to get them fixed.
Jmc_da_boss@reddit
They are generally, but an LLM can reverse engineer the exploit the moment the patch fix hits.
Responsible disclosure relied previously on it taking time to reverse engineer patches. That time is now minutes so disclosure is basically dead
Ok-Winner-6589@reddit
People doing these report the vulnerabilities and aren't just random ai bros
ComprehensiveHawk5@reddit
Isn't this what's attempted, but people (with AI) have been able to just comb through recent commits to find ones that are for fixing vulnerabilities?
TU4AR@reddit
I would imagine that most devs would read "hey my ai buddy" and just stop there.
bobthebobbest@reddit
> it does not necessarily mean that the Linux kernel, or any of these other software projects, have suddenly become more insecure.
Except in the sense that if someone wants to find and exploit an insecurity, they can go looking in a similar fashion.
0riginal-Syn@reddit
Fun times for maintainers, playing whack-a-mole with all these kernel patches.
Great-TeacherOnizuka@reddit
Wasn’t it always like that? Just less frequent
McDonaldsWitchcraft@reddit
But they weren't always publicly announced in the most irresponsible way possible. Look at copyfail, they didn't even notify distros to patch it before going public.
The issue is that now everyone can be a "security researcher" with a claude subscription, so they skip the part where you learn how to do it responsibly.
catcint0s@reddit
Yes, but https://zerodayclock.com/
0riginal-Syn@reddit
The frequency is the problem, and if it is security, you cannot just skip it. Being a maintainer on a rolling distro, we do update a bit more often, although not as frequently as Arch, but this is way more than that. This also hits the LTS kernel maintainers hard as well.
Bubbly_Extreme4986@reddit
Might be time to jump ship to the Hurd
Great-TeacherOnizuka@reddit
Just use TempleOS
0riginal-Syn@reddit
Bless you my child
0riginal-Syn@reddit
I remember back in the early days of GNU/Linux, some developers I worked with figured Linux wouldn't last and truly believed Hurd was the future and would take over soon.
Bubbly_Extreme4986@reddit
Hopefully it does. I've done some light reading on it and it seems conceptually superior. However, I also want it to remain a GNU project and 100% free as in freedom, FSF-approved software. I understand that these are often incompatible goals. However, an originally libre project is superior to a modified-to-be-libre project.
Business_Reindeer910@reddit
You can find plenty of criticisms of Hurd's specific microkernel approach. IMO the redox folks are going in a better direction, but it is not going to be FSF approved.
Fr0gm4n@reddit
There's always macOS and variants to show the commercial viability of a hybrid based on Hurd: https://en.wikipedia.org/wiki/XNU
Business_Reindeer910@reddit
that is not hurd.
Bubbly_Extreme4986@reddit
Well that is kind of an important qualification for me. I don’t think that the current technology hellscape is suitable to include corporate non free software on my computer
Business_Reindeer910@reddit
it is neither of those things.
0riginal-Syn@reddit
I think having a truly functional Hurd kernel for general use would be wonderful. There are indeed some great concepts. The problem has always been the development and getting it to the proper place. It just has not been a smooth or cohesive process. It has been a minute since those days, considering this was back in the early 90s.
arf20__@reddit
Or Debian GNU/kFreeBSD
SolDirix@reddit
Props to the maintainers.
acdcfanbill@reddit
wait, what was the 3rd, i remember copy fail and dirty frag...
Bubbly_Extreme4986@reddit
Fragnesia or something
spearmint_wino@reddit
There's literally a malware marketing department where man-bun unicyclists tap out hip new names for vulns on their Remington typewriters while sipping double decaf cinnamon lattes and miming high-fiving each other.
lelddit97@reddit
Close. It wasn't decaf.
While decaffing has improved a lot over the years, it still removes some of the magical coffee essence that I pay $69/lb for.
CaptOblivious@reddit
Ya, that's called caffeine.
Fr0gm4n@reddit
https://www.youtube.com/watch?v=_QTHfrXHo9M
Crashman09@reddit
Hey, I'll have you know that I do NOT wear my hair up in a man bun whilst riding my unicycle because it won't fit under my helmet.
I wear it in a ponytail with the helmet.
The man bun is for when I'm ready for business and a pony tail makes me look unserious.
Kelvin62@reddit
There are literally interests who do not want to see Linux becoming the dominant desktop os. In time we will see confirmation that people with deep pockets are behind this.
za72@reddit
how much more time?
crshbndct@reddit
Meanwhile windows has just had fde cracked
Bubbly_Extreme4986@reddit
Wtf did I just read
Mr_Lumbergh@reddit
Average Tuesday techbro journaling.
Jacosci@reddit
/r/brandnewsentence
johnpharrell@reddit
Haha, thanks for this.
we_are_mammals@reddit
Somebody feed this line into the SuperGrok video generator!
PigSlam@reddit
I want to be in that room so badly.
Glittering_Abies4915@reddit
Yes, Fragnesia
calm_hedgehog@reddit
Same type, we're GO
ssynths@reddit
and a fragnesia variant
acdcfanbill@reddit
Ahh ok, thanks!
CoronaMcFarm@reddit
Something in the same category as the other ones; they are all possible privilege escalation attacks. It doesn't really affect normal users that much.
acdcfanbill@reddit
Well, I have regular users on my HPC systems so I want to put mitigations in place until I can get patched kernels on the machines.
throwaway234f32423df@reddit
if they're people you know IRL the best mitigation is threatening to punch them
acdcfanbill@reddit
thanks reddit, i'm sure i didn't wanna read that comment anyway...
CoronaMcFarm@reddit
I think fragnesia was the third one.
acdcfanbill@reddit
Thanks, looks like the dirty frag mitigations cover it so I should be good.
bapfelbaum@reddit
Fragnesia relied on the same exploit path as dirtyfrag, so it probably should not be classified as truly unique, but the media did make a scandal out of it nonetheless.
silenceimpaired@reddit
Doing their best to make Linux look less secure than Windows.
ApprehensiveDelay238@reddit
It's doing quite the contrary. The more of these we see the more secure Linux gets.
Omen_20@reddit
All users will see are the headlines and will think Linux must be amateur hour while the big corporation has all the experts. The average user doesn't know that Linux is used by those experts on all the servers, including ones run by Microsoft.
Open source had the advantage originally because of the masses that could audit code instead of just a closed group of reviewers. Now that AI scanning can outrun any large group of auditors, it nullifies the advantage open source once had. All we're left with is public disclosure while Microsoft can quietly fill holes.
7lhz9x6k8emmd7c8@reddit
I think Microsoft runs AI to look for vulnerabilities on Windows too. They quietly patch the never-disclosed vulnerabilities.
kombiwombi@reddit
It's mostly look. There is a split in incentives for Linux v Windows. The outcome is that for Linux it makes more money to disclose and use it to promote your business, Windows it makes money to sell it on the dark web.
VexingRaven@reddit
Huh? There are loads of critical systems running Linux, the exact same incentives exist here.
kombiwombi@reddit
The costs of finding the bug differ, for this analysis people pay for access to the Windows source code. So they have costs to recover, and have already dirtied their hands.
VexingRaven@reddit
The vast majority of security researchers do not have access to the Windows source code.
kombiwombi@reddit
The context of this post is LLM driven bugs.
VexingRaven@reddit
Yes, and in that context Microsoft is running it on their own hardware through their partnership with Anthropic. Nobody's paying for source code access to run an LLM on it.
hypespud@reddit
Isn't it better to find and patch vulnerabilities?
If it's from a private company they can just tell us whenever they feel like it, or stop using it for their own purposes lol
Dramatic_Mastodon_93@reddit
Why wouldn't they just inform the maintainers so that they can fix it before the entire world finds out about it?
Business_Reindeer910@reddit
That is what has mostly been happening forever. But there's a problem. What if you can reverse engineer the bug being fixed by following the public commit list?
hypespud@reddit
Seems like a question for the linux media coverage the maintainers, but I don't know
I would rather know about it and this is the best way to inform people as far as I can tell
The good thing it is all open source and I guess anyone contributing can also run their own AI or LLM models to scan the code for potential security flaws too
vohltere@reddit
if you don't need ptrace:
mrsockburgler@reddit
lol when you don’t need ptrace except for SentinelOne.
CrazyKilla15@reddit
Mitigation from Qualys on oss-security
https://www.openwall.com/lists/oss-security/2026/05/15/8
mooky1977@reddit
I can only imagine the number of ai found bugs against ms windows that aren't being disclosed and actively exploited
desleuth007@reddit
one piece of it is that MS code isn’t really publicly available so it’s probably a bit harder for AI to discover these types of bugs. It hurts to say it but slight W for Windows…?
Pantsman0@reddit
The disclosure process is exactly the same for Linux and for Windows. I haven't read the article yet, but just using Mythos as an example: Anthropic have run it against open source projects, but they have also provided it to large vendors like Microsoft, who then run it on their own codebase. This gets them access to the so-called best-in-class tools, but they aren't fixing the bugs in the open, so they won't disclose any discovered or fixed vulnerabilities that they aren't required to.
agmatine@reddit
Like BlueHammer? lol
mooky1977@reddit
I'd rather there be disclosure & transparency. MS just patching without transparency leads to people not patching their operating system with urgency.
VexingRaven@reddit
Why would you assume that's something that would only affect Windows?
mooky1977@reddit
That's not what I said.
Dismal-Warthog670@reddit
I'm sure throwing this amount of compute on random stuff will not cause any harm to the environment whatsoever...
7lhz9x6k8emmd7c8@reddit
Computers consume nothing compared to humans growing other animals to eat a little part of them.
LAwLzaWU1A@reddit
Last time I checked (about half a year ago) it was estimated that all the data centers in the entire world (not just AI) used about 1,5% of our total electricity, which turned out to be somewhere around 0,5% of our total emissions.
In other words, even if we shut down every single data center in the entire world (including but not limited to AI ones) we would only cut down our emissions by about 0,5%.
In the grand scheme of things, the environmental damage done by AI is a rounding error, and I think this is a really good use of those resources. Finding vulnerabilities and patching them so that software becomes better.
ChronicallySilly@reddit
I mean... this is just about the best possible usecase for all that AI compute. I'd rather this than AI slop art anyways
Dismal-Warthog670@reddit
You don't get to choose. You get both.
Obvious-Hunt19@reddit
It’s like the dotcoms. They sucked too but we kept the pieces
wandering_melissa@reddit
Rate limiting is a thing; AI companies are struggling with compute resources. So if they didn't use AI to find these vulnerabilities there would be 100 more AI fArt slop on the internet. So yeah, you get to choose the ratio.
blueblocker2000@reddit
Is this a shadow Op by Microsoft to beat back the glacial migration of gamers to Linux? 😆
McGuirk808@reddit
This is a good thing, honestly. These were hard enough to find that humans didn't notice them for years even with hundreds or thousands of eyes on these blocks of code. And once they're patched, that hole is gone. This is wonderful hardening of the kernel.
Closed-source systems do not get this level of scrutiny. I'm sure MS and Apple are both using AI to check for vulnerabilities as well, but having your code out in the open with highly-motivated third-party security groups seeking clout being able to take a swing at it is a very different animal.
lutiana@reddit
I mean, there has been around 46,333 since Jan 1, and we are not even half way through the year.
wuphonsreach@reddit
Misconception.
https://blog.ar-lacroix.fr/posts/2026-01-why-do-cve-numbers-start-with-high-numbers-early/
Affectionate-Egg7566@reddit
What is it normally?
lutiana@reddit
No idea, but the number at the end of the CVE number starts at 1 each year and is simply incremented when the next one is issued.
VexingRaven@reddit
Crazy how many people are talking about Windows in a thread about a Linux vulnerability in a Linux subreddit. Microsoft really lives rent-free in some people's heads.
Misicks0349@reddit
it is kind of sad, like yeah a 34 year old multi-million line c-blob is going to have a lot of security issues yet people act like you've shot their dog when this is pointed out.
JotaRata@reddit
Mr president..
toolman1990@reddit
I suspect this will become a more common occurrence with Linux becoming more mainstream, with users getting upset with the state of Windows 11.
No-Web1897@reddit
AlmaLinux has patched them all
Mr_Lumbergh@reddit
What's the TL;DR on this one, and if I don't have ssh enabled, does it still provide an attack vector?
Dramatic_Mastodon_93@reddit
its over boys now we wait for the year of the freebsd desktop
Cl4whammer@reddit
too late, CVE-2026-4747
Dramatic_Mastodon_93@reddit
the year of the Googlebook ChromeOS/Android desktop powered by Gemini Intelligence
Dr_Jabroski@reddit
That's when the social engineering the LLM attacks start.
Realistic_Bee_5230@reddit
No it is the era of OpenBSD and seL4 lol or maybe the Xts400 would be a good choice...
tnoy@reddit
TempleOS will make its resurrection.
Longjumping-Hair3888@reddit
I'm turning my server off for a few weeks until this chills out.
KnowZeroX@reddit
Luckily, none of these exploits so far pose much of a security risk in themselves as long as you have trusted users on the server running trusted code. Unless of course someone takes advantage of another exploit to get non-privileged access to the server somehow, and then escalates themselves using these exploits.
ACaffeinatedBear@reddit
This will be the new normal going forward, until AI goes away or linux does.
PE1NUT@reddit
Hah - our datacenter has been off since Wednesday evening due to a power outage, so I'm safe. Makes for a great weekend, knowing that there's nothing left that can generate an alert. Monday morning we start with powering everything up again (routers, switches, dns, dhcp, ldap, databases, applications), and immediately patching everything again - wish me luck!
Happy-Range3975@reddit
Just make it a local server and you’ll be fine.
Longjumping-Hair3888@reddit
It is a local server lol. I'm not really; I just need to set up a power-off cron and power-on with a smart plug, to save electricity mainly, although maybe I could get Tasmota to ask an AI API to check the CVE database and cross-reference it with the server software manifest 😄
Isacx123@reddit
Most have been nothingburgers that don't affect desktop users.
stemandall@reddit
No, just 98% of the servers on the Internet.
SelectionDue4287@reddit
Almost no one serious allows untrusted users local access to internet-facing servers. Unless it's RCE it rarely really matters. It can be used to chain a few exploits, that's true. LPE was never really that hard to achieve.
we_are_mammals@reddit
Imagine the current rate of vuln discovery accelerates 10x and this lasts 10 months. How do you think the world (banking, online shopping, job market, stock market) will change?
TheCrispyChaos@reddit
Holy backdoors Batman!
WhitePeace36@reddit
i think its good that they are found
BoBoBearDev@reddit
After 20 years, the Linux community has finally been reading the source code extensively to do exactly what they said: everyone shall find and patch the bugs.
unixbhaskar@reddit (OP)
Please check this patch too: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a