🚨 Local Privilege Escalation via openssh-keysign Abuse (ssh-keysign-pwn)

WebGee

A recent write-up and PoC
https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn
demonstrates a local abuse scenario involving OpenSSH’s ssh-keysign helper binary.

In certain Linux configurations, this helper—running with elevated privileges for host-based authentication—can be leveraged in a way that may allow a local user to access root-readable files, including sensitive SSH host key material and other restricted system files.

This is not a classic memory corruption issue, but rather a privilege boundary weakness arising from the interaction between setuid helpers, SSH workflows, and kernel debugging interfaces.

🧭 Affected Systems (reported / tested / potentially impacted)

Raspberry Pi OS (Bookworm, kernel 6.12.75)
Debian 13
Ubuntu 22.04 / 24.04 / 26.04
Arch Linux
CentOS 9

Impact depends on configuration and enabled SSH features, especially host-based authentication and kernel ptrace settings.

References

Adam

Thanks for posting this @WebGee.

/usr/lib/openssh/ssh-keysign is one of the setuid binaries hidden from website containers since 12.21.5. It's also disabled by default in Ubuntu. So it's less of a risk than other recent CVEs but you still update your kernel as soon as an updated package is released by Ubuntu.