Overview
- Security researchers at Qualys found a logic bug in the kernel function __ptrace_may_access that, when combined with the pidfd_getfd syscall, lets an unprivileged local process duplicate open file descriptors out of privileged processes it should not be allowed to ptrace.
- Qualys built four working exploits that demonstrate real harms: one can read /etc/shadow, another can exfiltrate SSH host private keys, and two can run arbitrary commands as root by hijacking setuid programs or system daemons.
- The vulnerable code has been in mainline Linux since November 2016, so default installs of major distributions and shared hosts have carried it for roughly nine years; the pidfd_getfd syscall that turns it into a descriptor leak only arrived in Linux 5.6, so that exploit path applies to 5.6 and later kernels.
- A public kernel commit and independent proof-of-concept exploits appeared shortly after the fix landed, and multiple distributions have released patched kernels that administrators should apply immediately.
- If patching cannot occur at once, raise kernel.yama.ptrace_scope to 2 to block the exploit path (this requires the Yama LSM to be enabled, and it also stops unprivileged gdb or strace attach; avoid 3, which cannot be lowered again without a reboot), and treat SSH host keys and locally cached credentials on exposed hosts as compromised and rotate them.
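A triage helper for the interim mitigation above, added here as an example; it is not part of the Qualys advisory or of any distribution's tooling. It assumes two things: that pidfd_getfd is present from Linux 5.6 onward, and that a kernel.yama.ptrace_scope of 2 or 3 blocks the unprivileged attach path as the advisory states. The function names, the 60-ptrace-scope.conf drop-in name and the status words are my own choices; the file paths are parameters so the checks can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not advisory code. Classifies a host against the
# pidfd_getfd/__ptrace_may_access issue and applies the Yama mitigation.
# Assumptions: pidfd_getfd exists only on Linux >= 5.6; ptrace_scope >= 2
# blocks the unprivileged PTRACE_MODE_ATTACH path used by the exploits.

# kernel_has_pidfd_getfd VERSION -> 0 (true) when VERSION is 5.6 or newer.
# Accepts "uname -r" style strings such as "6.1.0-18-amd64".
kernel_has_pidfd_getfd() {
    ver=${1%%-*}              # drop "-18-amd64" style suffixes
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    # Unparsable version: be conservative and assume the syscall is there.
    case "$major$minor" in *[!0-9]*|"") return 0 ;; esac
    if [ "$major" -gt 5 ]; then return 0; fi
    if [ "$major" -eq 5 ] && [ "$minor" -ge 6 ]; then return 0; fi
    return 1
}

# yama_ptrace_scope [FILE] -> prints the current scope, or "missing" and
# returns 1 when Yama is not enabled (the sysctl file does not exist).
yama_ptrace_scope() {
    f=${1:-/proc/sys/kernel/yama/ptrace_scope}
    if [ ! -r "$f" ]; then
        echo missing
        return 1
    fi
    tr -d '[:space:]' < "$f"
}

# mitigation_in_place [FILE] -> 0 only when ptrace_scope is 2 or 3, i.e.
# when an unprivileged process cannot attach to another process at all.
mitigation_in_place() {
    scope=$(yama_ptrace_scope "$1") || return 1
    case "$scope" in
        2|3) return 0 ;;
        *)   return 1 ;;
    esac
}

# triage_host VERSION [FILE] -> prints one of:
#   no-pidfd-path  kernel predates pidfd_getfd (< 5.6); patch on schedule
#   mitigated      Yama scope >= 2 blocks the attach path until patched
#   exposed        patch now; Yama absent or scope < 2, rotate credentials
triage_host() {
    if ! kernel_has_pidfd_getfd "$1"; then
        echo no-pidfd-path
    elif mitigation_in_place "$2"; then
        echo mitigated
    else
        echo exposed
    fi
}

# apply_mitigation [SYSCTL_DIR] -> writes a persistent drop-in and, when we
# have the rights, applies it immediately. Scope 2 (not 3) so it can be
# reverted after patching without a reboot.
apply_mitigation() {
    d=${1:-/etc/sysctl.d}
    printf 'kernel.yama.ptrace_scope = 2\n' > "$d/60-ptrace-scope.conf" || return 1
    if [ -w /proc/sys/kernel/yama/ptrace_scope ]; then
        echo 2 > /proc/sys/kernel/yama/ptrace_scope || return 1
    fi
}

# Typical use on a live host (uncomment to run):
# triage_host "$(uname -r)"
# apply_mitigation
```

Run it as `triage_host "$(uname -r)"` to get one of the three status words; a result of `missing` from yama_ptrace_scope means the interim mitigation is not available on that host and only a kernel update helps.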