Debian: Linux Vulnerability Mitigation (ssh-keysign-pwn)
After the Linux local root privilege escalations of the last two weeks, the bug of today is ssh-keysign-pwn [CVE-2026-46333], which allows an unprivileged user to read root-owned files.
Unlike the bugs of the last few weeks, exploiting this vulnerability does not require loading any specific modules; it needs to be fixed by rebooting the system into an updated kernel.
I’ve cherry-picked the upstream commit to fix it in trixie-fastforward-backports (linux 7 backports for trixie), confirmed that the exploits don’t work anymore, and submitted a merge request for sid.
Updates:
linux-vulnerability-mitigation 20260515-1 contains a partial mitigation for ssh-keysign-pwn (this makes all exploits known so far stop working; however, there’s definitely more needed), thanks to Salvatore Bonaccorso (carnil):

echo 2 > /proc/sys/kernel/yama/ptrace_scope

linux-vulnerability-mitigation is uploaded to sid - until it is available on deb.debian.org, use people.debian.org/~daniel
linux 7.0.7-1 is uploaded to trixie-fastforward-backports as 7.0.7-1~ffwd13+u1, replacing the previously cherry-picked 7.0.4-1~ffwd13+u2 upload
Added references to CVE-2026-46333
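As an added example (not part of the original post or the linux-vulnerability-mitigation package), a small POSIX shell check that verifies the Yama ptrace_scope mitigation quoted above is active on the running kernel, plus the sysctl.d fragment that keeps it across reboots, since a bare echo into /proc/sys is lost on the next boot; the optional file-path argument and the 99-ptrace-scope.conf file name are assumptions.

```shell
#!/bin/sh
# Added example: check the Yama ptrace_scope mitigation and show how to persist it.
# The file argument exists so the check can be run against a constructed file.

# Return 0 if the scope value in the given file is at least the wanted level,
# 1 if it is lower, 2 if Yama is unavailable or the value is unreadable.
# Yama levels: 0 = classic ptrace, 1 = restricted to descendants,
# 2 = attach requires CAP_SYS_PTRACE, 3 = no attach at all.
ptrace_scope_ok() {
    file="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    want="${2:-2}"
    [ -r "$file" ] || { echo "yama not available: $file" >&2; return 2; }
    value=$(tr -d '[:space:]' < "$file")
    case "$value" in
        ''|*[!0-9]*) echo "unexpected value '$value' in $file" >&2; return 2 ;;
    esac
    if [ "$value" -ge "$want" ]; then
        echo "ptrace_scope=$value (>= $want): mitigation active"
        return 0
    fi
    echo "ptrace_scope=$value (< $want): mitigation NOT active"
    return 1
}

# Print the sysctl.d line that makes the setting survive a reboot;
# the target file name below is an assumption, any name in /etc/sysctl.d/ works.
persist_fragment() {
    printf 'kernel.yama.ptrace_scope = %s\n' "${1:-2}"
}

# Stand-alone usage: "sh check.sh --check" inspects the live kernel and,
# if the mitigation is not active, prints the apply and persist steps.
if [ "${1:-}" = "--check" ]; then
    if ! ptrace_scope_ok; then
        echo "apply now: echo 2 > /proc/sys/kernel/yama/ptrace_scope"
        echo "persist:   write the following line to /etc/sysctl.d/99-ptrace-scope.conf, then run: sysctl --system"
        persist_fragment
    fi
fi
```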