linux 0-day, access root-owned files as an unprivileged user
Scored daily by a customisable AI persona to surface the most relevant engineering leadership news.
Critical 0-day exploit with high technical detail and immediate actionability for patching.
A Linux 0-day, reported by Qualys and fixed by Linus on 2026-05-14, lets unprivileged users read root-owned files via a race in do_exit() where __ptrace_may_access() skips the dumpable check when task->mm is NULL, allowing pidfd_getfd(2) to steal file descriptors. Two PoCs (sshkeysign_pwn and chage_pwn) extract SSH host keys and /etc/shadow, exploiting a six-year-old FD-theft pattern flagged by Jann Horn. The bug affects all stable kernels before commit 31e62c2ebbfd, confirmed on Debian, Ubuntu, Arch, CentOS, and Raspberry Pi OS.
Patch all stable Linux kernels to commit 31e62c2ebbfd to close the pidfd_getfd race window that allows unprivileged users to read root-owned files.
For a senior engineer managing Linux infrastructure, this vulnerability undermines file permission isolation and requires immediate patching to prevent credential theft from SSH host keys and shadow files.