TL;DR: A Linux kernel flaw in versions prior to the upstream fix lets a local unprivileged attacker race process exit, steal privileged file descriptors, and expose SSH host keys or /etc/shadow, according to Orca Security. The issue turns local access into a trust-breaker for host identity and privileged workload boundaries.
At a glance
What this is: This is an analysis of a Linux kernel file descriptor theft vulnerability that can expose privileged files, with SSH host keys and /etc/shadow called out as the highest-impact targets.
Why it matters: It matters because local kernel-level privilege boundary failures can undermine workload identity, host trust, and downstream access controls in shared servers, developer systems, and cloud workloads.
👉 Read Orca Security's analysis of the Linux kernel file descriptor theft flaw
Context
A Linux kernel file descriptor theft flaw is a local privilege boundary problem, not a remote exploit. The weakness appears when exit handling and ptrace access checks interact badly, allowing an attacker with local code execution to duplicate file descriptors from a privileged process before the process fully closes them.
For IAM and security teams, the important issue is not only patching the kernel. The incident shows how privileged helper processes, host trust material, and sensitive authentication data can be exposed by a narrow race condition that sits below ordinary identity controls.
When SSH host private keys or /etc/shadow are exposed, the blast radius extends beyond the affected host. Host impersonation, offline password cracking, and privilege escalation can follow, which makes kernel hygiene part of identity governance for high-value Linux estates.
Key questions
Q: What breaks when a Linux kernel file descriptor theft bug is present?
A: A local attacker can race process exit and duplicate file descriptors from a privileged process. Because the attacker duplicates an already-open handle rather than calling open(), the file's ownership and mode bits are never consulted, so SSH host keys or /etc/shadow can be read without ever passing a file permission check. That breaks the assumption that sensitive handles remain protected until close, and it can turn low-privilege local access into host impersonation or offline credential attack paths.
Q: Why does this kind of kernel flaw matter to identity and access teams?
A: Because it compromises the host material that identity systems rely on. SSH host keys support trust relationships, and shadow-file exposure can support offline credential cracking. When those assets leak, the issue is not only infrastructure hardening. It becomes an identity confidence problem that can affect privileged access across Linux estates.
Q: How do security teams reduce risk from local kernel privilege boundary bugs?
A: Patch the kernel quickly, restrict untrusted local execution, and separate high-trust systems from multi-user or CI environments where low-privilege code can run. Then monitor for access to sensitive host files and review helper processes that hold privileged descriptors during teardown or privilege drop.
Q: Who is accountable when a host key or shadow file is exposed through a kernel bug?
A: Accountability is shared across platform, infrastructure, and identity owners because the failure crosses layer boundaries. Kernel patching belongs to system operations, while the downstream trust impact belongs to identity and security governance. Frameworks such as the NIST Cybersecurity Framework and NIST's zero trust architecture (SP 800-207) both expect that hand-off to be defined and enforced rather than assumed.
Technical breakdown
Ptrace access control and the exit-window race
The flaw sits in __ptrace_may_access(), the kernel function that decides whether one task may inspect another. Part of that decision is the dumpability check: a process that has changed credentials (a setuid helper, or a daemon that called setuid() to drop privilege) is marked non-dumpable, and an unprivileged caller is refused. The check reads dumpability from the target's memory descriptor (mm), and in affected kernels it was skipped outright when the target no longer had one. During process exit the kernel releases the mm before it closes the task's open file descriptors, so there is a short window in which the exiting task still holds its files but has no mm for the check to consult. An attacker who calls pidfd_getfd() on the target in that window can duplicate its file descriptors into their own process. The core issue is not classic memory corruption. It is a state-transition bug: access control evaluates a process state that no longer reflects the process's privilege, at the one moment the privileged handles are still live.
Practical implication: patch the kernel promptly and reduce local execution paths that can reach privileged helper processes.
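To see what the dumpability check in __ptrace_may_access() normally does, here is an added example (not code from the Orca Security analysis or from the kernel) that exercises the pidfd_getfd() primitive the page describes against a live child rather than against the exit window. It forks a child standing in for a privileged helper, has the child open a file and mark itself non-dumpable with PR_SET_DUMPABLE, and then asks the kernel to duplicate the child's descriptor. The non-dumpable run should end in EPERM on any kernel; the dumpable control run shows the same call succeeding, which is the outcome the exit-window race obtains without the check. It does not attempt the race. Assumptions: Linux 5.6 or later for pidfd_getfd(), fallback syscall numbers 434/438 if the C library headers are older, an unprivileged caller (a root caller with CAP_SYS_PTRACE passes the check legitimately, so root is reported as inconclusive), and a Yama ptrace_scope of at most 1 for the control run to succeed; the helper names and PROBE_* result codes are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallback syscall numbers from the unified table (assumption: only needed when
 * the C library headers predate pidfd_open (434) / pidfd_getfd (438)). */
#ifndef SYS_pidfd_open
#define SYS_pidfd_open 434
#endif
#ifndef SYS_pidfd_getfd
#define SYS_pidfd_getfd 438
#endif

enum probe_result {
    PROBE_INCONCLUSIVE = -1, /* no pidfd support, running as root, or setup failed */
    PROBE_DENIED = 0,        /* pidfd_getfd() failed with EPERM: the ptrace check held */
    PROBE_DUPLICATED = 1     /* the child's descriptor landed in our own fd table */
};

static int sys_pidfd_open(pid_t pid) { return (int)syscall(SYS_pidfd_open, pid, 0); }
static int sys_pidfd_getfd(int pidfd, int fd) { return (int)syscall(SYS_pidfd_getfd, pidfd, fd, 0); }

/* Fork a child that stands in for a privileged helper: it opens `path`, optionally
 * marks itself non-dumpable (what the kernel does to a process that changed
 * credentials), reports the fd number over a pipe, then idles. The parent, same
 * uid and without CAP_SYS_PTRACE, tries to duplicate that fd via pidfd_getfd(). */
enum probe_result probe_fd_duplication(const char *path, int nondumpable)
{
    int ready[2];
    if (geteuid() == 0)          /* root may hold CAP_SYS_PTRACE, which legitimately passes */
        return PROBE_INCONCLUSIVE;
    if (pipe(ready) != 0)
        return PROBE_INCONCLUSIVE;

    pid_t child = fork();
    if (child < 0)
        return PROBE_INCONCLUSIVE;
    if (child == 0) {
        close(ready[0]);
        int fd = open(path, O_RDONLY);
        if (fd < 0 || (nondumpable && prctl(PR_SET_DUMPABLE, 0L, 0L, 0L, 0L) != 0))
            _exit(2);            /* setup failed: parent sees EOF on the pipe */
        if (write(ready[1], &fd, sizeof fd) != (ssize_t)sizeof fd)
            _exit(2);
        close(ready[1]);
        for (;;)
            pause();             /* keep the descriptor open until killed */
    }

    close(ready[1]);
    int target = -1;
    ssize_t n = read(ready[0], &target, sizeof target);
    close(ready[0]);

    enum probe_result res = PROBE_INCONCLUSIVE;
    if (n == (ssize_t)sizeof target) {
        int pidfd = sys_pidfd_open(child);
        if (pidfd >= 0) {
            int dup_fd = sys_pidfd_getfd(pidfd, target);
            if (dup_fd >= 0) {
                res = PROBE_DUPLICATED;   /* we now hold the child's file */
                close(dup_fd);
            } else if (errno == EPERM) {
                res = PROBE_DENIED;       /* __ptrace_may_access() refused us */
            }
            close(pidfd);
        }
    }
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return res;
}

int main(void)
{
    /* Control run: a dumpable child with our own uid is reachable (Yama scope <= 1). */
    printf("dumpable child:     %d\n", probe_fd_duplication("/dev/null", 0));
    /* The run that matters: a non-dumpable child must answer EPERM. */
    printf("non-dumpable child: %d\n", probe_fd_duplication("/dev/null", 1));
    return 0;
}
```

Run it unprivileged on a patched host as a sanity check. A PROBE_DUPLICATED result for the non-dumpable run means the caller is reaching a credential-changed process it should not, and deserves investigation before the boundary is assumed to hold. The probe only exercises the steady state; confirmation that the exit-window fix itself has landed belongs with the vendor's kernel changelog.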
Why SSH host keys and /etc/shadow are exposed
Privileged processes often open sensitive files before dropping privileges or exiting: sshd reads its host keys, and PAM or login helpers read /etc/shadow. If an attacker steals those file descriptors, they never go through open(), so the file's ownership and mode bits are never consulted; the duplicated descriptor carries the access the privileged process already had. SSH host private keys can be used to impersonate a system to clients, while the hashes in /etc/shadow can be cracked offline at leisure. This is why the impact extends from local compromise to broader trust and authentication risk across the environment.
Practical implication: monitor for access to host key files and shadow data, and treat their exposure as an identity event, not only a filesystem event.
Why local code execution makes this a high-risk kernel issue
This vulnerability is not remotely exploitable on its own, but local code execution is common enough on multi-user hosts, CI runners, developer workstations, and cloud workloads to make the risk material. Once a low-privilege actor is on the box, the kernel flaw can become a shortcut to privileged secrets that were never meant to be user-readable. The operational lesson is that host-level trust assumptions must be validated alongside application and identity controls.
Practical implication: combine kernel patching with workload isolation, shell access restriction, and exposure-based asset prioritisation.
Threat narrative
Attacker objective: The attacker wants privileged file material that lets them impersonate hosts, crack credentials offline, and expand control beyond the initial local foothold.
- Entry begins with local code execution on an affected Linux host, which gives the attacker a foothold close enough to race the vulnerable kernel path.
- Escalation occurs when the attacker calls pidfd_getfd() on the privileged process during its exit, in the window after the kernel has released the process's mm (so the dumpability check is skipped) but before it has closed the process's files.
- Impact follows when stolen descriptors reveal SSH host private keys or /etc/shadow, enabling host impersonation, offline password cracking, and further privilege escalation.
Breaches seen in the wild
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
- JetBrains GitHub plugin token exposure — CVE-2024-37051 in JetBrains IntelliJ GitHub plugin exposed GitHub access tokens.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Kernel exit-window theft is a privileged-access lifecycle failure, not a simple file permission bug. The attack works because a privileged process can outlive the assumption that its file descriptors are still protected by normal access checks. Once the process enters exit, the race collapses the boundary between privileged and unprivileged observation. Practitioners should treat kernel state transitions as part of privileged identity governance, not as a separate infrastructure problem.
SSH host key exposure creates an identity trust failure that reaches beyond the local host. A stolen host key can undermine SSH-based trust relationships even when the original application account remains unchanged. That means the breach affects authentication confidence, not just data confidentiality. The practical conclusion is that host identity material belongs in the same risk conversation as secrets and workload credentials.
/etc/shadow exposure shows how local kernel bugs can turn into offline credential compromise. The file is not valuable because it sits on disk, but because it can be used outside the live system to attack passwords at leisure. That makes the incident a reminder that privileged file leakage can create delayed but durable identity risk. Security teams should view shadow-file access as a downstream compromise indicator, not a normal administrative event.
Privileged helper processes need tighter trust boundaries because they often open sensitive files before dropping privilege. That design pattern is common in Linux ecosystems and it expands the damage of any descriptor theft race. The failure mode is persistent privileged material existing long enough to be stolen during teardown. Practitioners should map which helpers still carry sensitive handles across exit paths and validate those assumptions during hardening.
Identity security for Linux estates depends on controlling the host-level primitives that identities rely on. This vulnerability shows that access governance can fail below the application layer when kernels expose secrets that underpin trust, authentication, and privilege escalation. The broader field implication is that NHI and host identity controls are incomplete without kernel and workload boundary assurance.
From our research:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to the same research.
- For the broader control picture, The 52 NHI breaches Report shows how exposed credentials and privileged access failures repeatedly turn into real-world identity compromise.
What this signals
Privileged host material should be treated as identity infrastructure, not just operating-system data. When SSH keys and shadow files can be exposed by a kernel race, the security programme needs to connect endpoint hardening, workload isolation, and identity governance in one control view. A common mistake is to separate platform patching from credential risk, even though the breach path links them directly.
Host trust becomes a measurable exposure class when local code execution is realistic. Multi-user servers, developer workstations, and CI runners often carry more latent privilege than teams assume. The practical signal is to move from version-based hygiene to exposure-based prioritisation, especially for systems that hold reusable trust material or sensitive helper processes.
Kernel-level leakage creates a delayed compromise pattern that standard access reviews will miss. Once private keys or password hashes leave the live system, the attack may continue offline long after the original local foothold is gone. That makes containment, telemetry, and asset segmentation part of identity resilience, not only systems administration.
For practitioners
- Prioritise kernel patching for exposed distributions Inventory affected Linux versions, verify whether the upstream fix or a vendor backport has landed, and move remediation ahead of routine maintenance when the host carries privileged workloads or trust material.
- Restrict local code execution on high-trust hosts Reduce shell access, limit untrusted workloads, and separate multi-user or CI environments from systems that store SSH host keys or other privileged credentials.
- Hunt for host key and shadow-file access anomalies Alert on suspicious reads of /etc/ssh/ssh_host_* and /etc/shadow, especially from helper processes or unusual local sessions, because those files signal downstream identity compromise. Note that a stolen descriptor is never open()ed by the attacker's process, so path-based open auditing on its own will miss the read; pair it with syscall-level telemetry on pidfd_getfd() (auditd or eBPF) and with periodic inventories of which processes hold descriptors to those paths.
- Treat privileged helper teardown as a control point Review binaries that open sensitive files before privilege drop or process exit, and test whether their file descriptors remain reachable during teardown under stress conditions.
- Use exposure-based asset prioritisation Rank remediation by internet exposure, workload criticality, and whether the affected system can be reached by low-privilege users or untrusted code, not by kernel version alone.
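The pattern described in the Technical breakdown (a helper opens /etc/shadow or a host key before dropping privilege or exiting) and the review item above on helper teardown are concrete enough to automate. This is an added example, not tooling from Orca Security or from the page's authors: it walks /proc/<pid>/fd, resolves each descriptor's link target and reports any that point at host trust material, for one process or for every process the caller may inspect. Assumptions: a Linux /proc, an illustrative prefix list (SENSITIVE_PREFIXES, this example's own name) that you would extend for your estate, and root for a full inventory, since other users' processes are unreadable otherwise. A descriptor that stays open for the life of a long-lived helper is exactly the material an exit-window race could duplicate; a descriptor appearing in a process that has no business holding it is a hunting signal that path-based open auditing will not raise, because the process holding a duplicated descriptor never open()ed the file.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Paths whose open descriptors count as host trust material. Assumption: this
 * list is illustrative; extend it (TLS keys, token files) for your estate. */
static const char *const SENSITIVE_PREFIXES[] = {
    "/etc/shadow",
    "/etc/gshadow",
    "/etc/ssh/ssh_host_",
};
#define N_SENSITIVE (sizeof SENSITIVE_PREFIXES / sizeof SENSITIVE_PREFIXES[0])

struct fd_hit {
    int pid;
    int fd;
    char target[PATH_MAX];
};

static int starts_with_any(const char *s, const char *const *prefixes, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strncmp(s, prefixes[i], strlen(prefixes[i])) == 0)
            return 1;
    return 0;
}

/* Walk /proc/<pid>/fd, resolve each symlink, and record descriptors whose target
 * starts with one of `prefixes`. Returns the number of matches (only the first
 * `max_hits` are stored), or -1 if the directory cannot be read (no permission,
 * or the process is already gone). A target that ends in " (deleted)" still
 * matches, since only the front of the link text is compared. */
int scan_pid_fds(pid_t pid, const char *const *prefixes, size_t n_prefixes,
                 struct fd_hit *hits, size_t max_hits)
{
    char dirpath[64];
    snprintf(dirpath, sizeof dirpath, "/proc/%d/fd", (int)pid);
    DIR *d = opendir(dirpath);
    if (!d)
        return -1;

    int count = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0]))
            continue;                       /* skip "." and ".." */
        char linkpath[96], target[PATH_MAX];
        snprintf(linkpath, sizeof linkpath, "%s/%s", dirpath, e->d_name);
        ssize_t len = readlink(linkpath, target, sizeof target - 1);
        if (len < 0)
            continue;                       /* closed between readdir and readlink */
        target[len] = '\0';
        if (!starts_with_any(target, prefixes, n_prefixes))
            continue;
        if ((size_t)count < max_hits) {
            hits[count].pid = (int)pid;
            hits[count].fd = atoi(e->d_name);
            snprintf(hits[count].target, PATH_MAX, "%s", target);
        }
        count++;
    }
    closedir(d);
    return count;
}

/* Scan every process the caller may inspect. Unreadable processes are skipped,
 * so run as root when you want a complete inventory of the host. */
int scan_all_processes(const char *const *prefixes, size_t n_prefixes,
                       struct fd_hit *hits, size_t max_hits)
{
    DIR *proc = opendir("/proc");
    if (!proc)
        return -1;
    int total = 0;
    struct dirent *e;
    while ((e = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0]))
            continue;
        size_t used = (size_t)total < max_hits ? (size_t)total : max_hits;
        int n = scan_pid_fds((pid_t)atoi(e->d_name), prefixes, n_prefixes,
                             hits + used, max_hits - used);
        if (n > 0)
            total += n;
    }
    closedir(proc);
    return total;
}

int main(void)
{
    struct fd_hit hits[256];
    int n = scan_all_processes(SENSITIVE_PREFIXES, N_SENSITIVE, hits, 256);
    for (int i = 0; i < n && i < 256; i++)
        printf("pid %d fd %d -> %s\n", hits[i].pid, hits[i].fd, hits[i].target);
    printf("%d sensitive descriptor(s) found\n", n);
    return 0;
}
```

Run it from cron or a collector and diff the output over time: a helper that is expected to read a host key at startup and close it should not appear at all, and any pid outside sshd and the login stack holding an /etc/shadow descriptor is an incident signal rather than an administrative event.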
Key takeaways
- This kernel flaw works because a short process-exit race lets a local attacker steal privileged file descriptors that should have remained protected.
- The impact is identity-relevant, with SSH host keys and /etc/shadow creating host impersonation and offline credential risk.
- Patching the kernel is necessary, but limiting local execution and monitoring privileged file access are what reduce the blast radius.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI2:2025 Secret Leakage | Privileged file exposure and secret handling align with NHI credential protection and rotation controls. |
| NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Access permissions and authorisations failed to hold during a local privilege transition on the host. |
| NIST Zero Trust (SP 800-207); NIST SP 800-53 Rev. 5 | Zero trust tenets (SP 800-207 §2.1); SC-7 Boundary Protection | The issue shows why internal trust boundaries must be continuously enforced on host workloads; SC-7 is where the boundary-protection control itself lives, as SP 800-207 defines no control identifiers of its own. |
Map privileged host material to NHI2:2025 Secret Leakage and verify sensitive credentials are not left reachable during teardown.
Key terms
- File Descriptor Theft: A technique where an attacker obtains a live handle to a file or socket instead of reading the file directly. In this context, the concern is privileged handles that remain open long enough to be duplicated during a race, bypassing the normal permission model.
- Host Identity Material: Files and keys that let systems prove who they are, such as SSH host private keys. If these are exposed, the risk extends beyond file access because attackers can impersonate the host, weaken trust relationships, and trigger downstream authentication failures.
- Privileged Helper Process: A process that briefly runs with elevated rights to perform a task, then drops privileges or exits. These helpers are common in Linux environments, and their teardown paths matter because any sensitive file descriptors they still hold can become a theft target.
- Exit-Window Race: A timing bug that appears when a process is shutting down and security checks happen after its internal state has already changed. Attackers exploit the gap between the process losing one protection state and fully releasing sensitive resources, which creates a narrow but useful window for abuse.
Deepen your knowledge
Linux kernel file descriptor theft and host trust material exposure are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building identity governance around privileged Linux estates, it is worth exploring.
This post draws on content published by Orca Security: Linux kernel vulnerability allows privileged file descriptor theft during process exit. Read the original.
Published by the NHIMG editorial team on 2026-05-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org