CVE-2026-46333 (ssh-keysign-pwn) fix. When?

mike@Ljomi:~/src/ssh-keysign-pwn$ ./chage_pwn  
fd 6 -> /etc/shadow (round=0 try=171) 
root:$y$REDACTED:19994:0:99999:7::: 
daemon:*:19837:0:99999:7::: 
bin:*:19837:0:99999:7::: 
sys:*:19837:0:99999:7::: 
sync:*:19837:0:99999:7:::
 

It’s been fixed in other distros. Proxmox had a fix available <24h from the POC release.

I should note, this is the ONLY PoC released recently (with others being Copyfail, Copyfail2 Electric Boogaloo, Dirtyfrag, Fragnesia) that ACTUALLY EXECUTED AND WORKED on 26.04.

I can’t believe there’s no security page for this either:

Still 404

https://ubuntu.com/security/CVE-2026-46333

There IS a simple (potentially disruptive) mitigation which really should be mentioned there if you can’t manage to get a patched kernel out like everyone else:

sudo sysctl -w kernel.yama.ptrace_scope=3

Setting kernel.yama.ptrace_scope to 2 or 3 will break strace and gdb but will also break the known exploit code.

See: https://almalinux.org/blog/2026-05-15-ssh-keysign-pwn-cve-2026-46333/

2 Likes
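A defender-side check for the mitigation discussed in the post above, added here as an example (it is not part of the original post or of any project's code): it reports whether the running `kernel.yama.ptrace_scope` value is one of the two the post says stops the known exploit code, and whether that value is also configured for the next boot, since `sysctl -w` only changes the running kernel. The function names and the single-directory scan of `/etc/sysctl.d` are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the kernel.yama.ptrace_scope mitigation.
# Paths are parameters (assumption, so the check can be run against test
# files); the defaults are the real kernel and sysctl locations.

# Classify a value against the post's claim that 2 or 3 stops the known exploit.
yama_classify() {
    case "$1" in
        0|1) echo "exposed" ;;    # 0 = classic ptrace, 1 = descendants only
        2|3) echo "mitigated" ;;  # 2 = CAP_SYS_PTRACE only, 3 = no attach
        *)   echo "unknown" ;;    # Yama absent, unreadable, or not configured
    esac
}

# Value currently enforced by the running kernel.
yama_runtime() {
    f="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    if [ -r "$f" ]; then tr -d ' \n' < "$f"; else echo "absent"; fi
}

# Last value set in the drop-in directory (files are read in lexical order,
# later ones win). Other sysctl locations are not scanned in this example.
yama_persisted() {
    dir="${1:-/etc/sysctl.d}"
    val=""
    for f in "$dir"/*.conf; do
        [ -r "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*kernel\.yama\.ptrace_scope[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$f" | tail -n 1)
        [ -n "$v" ] && val="$v"
    done
    echo "${val:-unset}"
}

# One-line summary plus a warning when the mitigation will not survive a reboot.
yama_report() {
    rt=$(yama_runtime "$1"); ps=$(yama_persisted "$2")
    echo "runtime=$rt ($(yama_classify "$rt")) boot=$ps ($(yama_classify "$ps"))"
    if [ "$(yama_classify "$rt")" = mitigated ] && [ "$(yama_classify "$ps")" != mitigated ]; then
        echo "warning: mitigation is runtime-only and will be lost on reboot"
    fi
}

yama_report
```

Note that the kernel does not allow `ptrace_scope` to be changed again once it is set to 3, so undoing that value requires a reboot; 2 can be lowered again at runtime.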

The Ubuntu CVE page now exists, so closing here.