
A new Linux kernel vulnerability known as SSH-keysign-pwn was publicly disclosed on 14 May 2026. 

This vulnerability allows an unprivileged local user to read any files owned by root. A working exploit is already publicly available.

Risk Level: When This Vulnerability Is Dangerous

This vulnerability can only be exploited by someone who is able to run local commands on your virtual machine. This means the real‑world risk depends on how your system is exposed and who can access it.

High‑Risk Scenarios (Immediate Action Required)

Your system is at high risk if any of the following are true:

  • The VM is externally accessible (SSH open to the internet, public endpoints, jump hosts, etc.).
  • You have local users who are not already trusted with root privileges.

In these cases, an attacker who gains any local foothold can escalate to root instantly.

Low‑Risk Scenarios (Not Urgent, but Still Recommended)

The urgency is lower if:

  • Your VM is not externally exposed.
  • All users already have root access.

In these situations, the vulnerability is still present, but the practical risk of exploitation is minimal because no untrusted user can execute local commands.

Interim fix

This applies to all EWC-supported OSes: Rocky 8, Rocky 9, Ubuntu 22.04, Ubuntu 24.04.

sudo sysctl -w kernel.yama.ptrace_scope=2

Running the command above effectively breaks unprivileged process tracing with tools such as gdb -p or strace; those still work as root. To disable process debug attachment completely, including for root, you may increase the scope with:

sudo sysctl -w kernel.yama.ptrace_scope=3
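The two sysctl commands above change only the running kernel; the value reverts on reboot. The helper below is an added example, not part of this advisory: it reports whether the interim fix is in effect on a host and writes a sysctl.d drop-in so the setting persists. The file paths (/proc/sys/kernel/yama/ptrace_scope, /etc/sysctl.d/99-yama-ptrace.conf) are assumed defaults and are passed as parameters so the functions can be exercised against a test file.

```shell
# Added helper (not from the original advisory). Reads the Yama ptrace_scope
# value and classifies it against the interim fix above, and persists the
# chosen scope via a sysctl.d drop-in. Assumed paths:
#   /proc/sys/kernel/yama/ptrace_scope  (current value)
#   /etc/sysctl.d/99-yama-ptrace.conf   (drop-in written here)

# Print a one-word status for the scope value stored in file $1:
#   unmitigated : 0 or 1, unprivileged ptrace attach is still possible
#   interim-fix : 2, only CAP_SYS_PTRACE (root) may attach
#   locked      : 3, nobody may attach, not even root; per the kernel's Yama
#                 documentation this value cannot be lowered again until reboot
#   unknown     : Yama not present or value unreadable
ptrace_scope_status() {
    _f="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    [ -r "$_f" ] || { echo unknown; return 1; }
    _v=$(tr -d '[:space:]' < "$_f")
    case "$_v" in
        0|1) echo unmitigated; return 1 ;;
        2)   echo interim-fix ;;
        3)   echo locked ;;
        *)   echo unknown; return 1 ;;
    esac
}

# Persist scope $1 (2 or 3, default 2) as a drop-in in directory $2 and,
# when $3 is "apply", also set it on the running kernel. Prints the file path.
persist_ptrace_scope() {
    _scope="${1:-2}"
    _dir="${2:-/etc/sysctl.d}"
    case "$_scope" in
        2|3) ;;
        *) echo "scope must be 2 or 3" >&2; return 2 ;;
    esac
    mkdir -p "$_dir" || return 1
    _conf="$_dir/99-yama-ptrace.conf"
    printf 'kernel.yama.ptrace_scope = %s\n' "$_scope" > "$_conf" || return 1
    if [ "${3:-}" = apply ]; then
        sysctl -w "kernel.yama.ptrace_scope=$_scope" >/dev/null || return 1
    fi
    echo "$_conf"
}
```

On a real host run the functions as root, e.g. `persist_ptrace_scope 2 /etc/sysctl.d apply`, then confirm with `ptrace_scope_status`.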

