Linux 0-day: access root-owned files as an unprivileged user
Critical 0-day exploit with high technical detail and immediate actionability for patching.
A Linux 0-day, reported by Qualys and fixed by Linus on 2026-05-14, lets unprivileged users read root-owned files via a race in do_exit() where __ptrace_may_access() skips the dumpable check when task->mm is NULL, allowing pidfd_getfd(2) to steal file descriptors. Two PoCs (sshkeysign_pwn and chage_pwn) extract SSH host keys and /etc/shadow, exploiting a six-year-old FD-theft pattern flagged by Jann Horn. The bug affects all stable kernels before commit 31e62c2ebbfd, confirmed on Debian, Ubuntu, Arch, CentOS, and Raspberry Pi OS.
- Patch all stable Linux kernels to commit 31e62c2ebbfd to close the pidfd_getfd race window that allows unprivileged users to read root-owned files.
For a senior engineer managing Linux infrastructure, this vulnerability undermines file permission isolation and requires immediate patching to prevent credential theft from SSH host keys and shadow files.
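For hosts that cannot be patched immediately, the pidfd_getfd(2) step described above can be watched for in audit logs. The following is an added triage example, not code from Qualys or the kernel patch: it assumes x86_64 hosts where auditd already records syscall 438 (pidfd_getfd), and the log lines are constructed samples.

```python
import re

# Assumption: an audit rule such as
#   auditctl -a always,exit -F arch=b64 -S 438 -k pidfd_getfd
# is already loaded. On x86_64, audit arch is c000003e and
# pidfd_getfd(2) is syscall number 438.
ARCH_X86_64 = "c000003e"
SYS_PIDFD_GETFD = "438"

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not taken from a real host).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1778750000.101:901): arch=c000003e syscall=438 '
    'success=yes exit=5 a0=3 a1=4 a2=0 a3=0 pid=4242 uid=1000 euid=1000 '
    'comm="a.out" exe="/tmp/a.out" key="pidfd_getfd"',
    'type=SYSCALL msg=audit(1778750001.202:902): arch=c000003e syscall=438 '
    'success=yes exit=7 a0=3 a1=9 a2=0 a3=0 pid=812 uid=0 euid=0 '
    'comm="supervisor" exe="/usr/sbin/supervisor" key="pidfd_getfd"',
    'type=SYSCALL msg=audit(1778750002.303:903): arch=c000003e syscall=438 '
    'success=no exit=-1 a0=3 a1=4 a2=0 a3=0 pid=4300 uid=1001 euid=1001 '
    'comm="tool" exe="/usr/bin/tool" key="pidfd_getfd"',
    'type=SYSCALL msg=audit(1778750003.404:904): arch=c000003e syscall=257 '
    'success=yes exit=3 a0=ffffff9c a1=7ffd a2=0 a3=0 pid=4301 uid=1000 '
    'euid=1000 comm="cat" exe="/usr/bin/cat" key="files"',
]

def parse_record(line):
    """Split one audit record into a dict of key=value fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def suspicious_pidfd_getfd(lines):
    """Return successful pidfd_getfd calls made by non-root callers."""
    hits = []
    for line in lines:
        if not line.startswith("type=SYSCALL"):
            continue
        rec = parse_record(line)
        if rec.get("arch") != ARCH_X86_64 or rec.get("syscall") != SYS_PIDFD_GETFD:
            continue
        # Failed calls and root callers are out of scope for this heuristic.
        if rec.get("success") != "yes" or rec.get("uid") == "0":
            continue
        hits.append({"pid": rec.get("pid"), "uid": rec.get("uid"),
                     "exe": rec.get("exe"), "new_fd": rec.get("exit")})
    return hits

if __name__ == "__main__":
    for hit in suspicious_pidfd_getfd(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for review rather than proof of exploitation, since pidfd_getfd also has legitimate same-user uses.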