TL;DR: A Linux kernel flaw in versions prior to the upstream fix lets a local unprivileged attacker race process exit, steal privileged file descriptors, and expose SSH host keys or /etc/shadow, according to Orca Security. The issue turns local access into a trust-breaker for host identity and privileged workload boundaries.
NHIMG editorial — based on content published by Orca Security: Linux kernel vulnerability allows privileged file descriptor theft during process exit
Questions worth separating out
Q: What breaks when a Linux kernel file descriptor theft bug is present?
A: A local attacker can race process exit and duplicate file descriptors from a privileged process, which can expose SSH host keys or /etc/shadow without normal file permission checks.
Q: Why does this kind of kernel flaw matter to identity and access teams?
A: Because it compromises the host material that identity systems rely on.
Q: How do security teams reduce risk from local kernel privilege boundary bugs?
A: Patch the kernel quickly, restrict untrusted local execution, and separate high-trust systems from multi-user or CI environments where low-privilege code can run.
Practitioner guidance
- Prioritise kernel patching for exposed distributions: inventory affected Linux versions, verify whether the upstream fix or a vendor backport has landed, and move remediation ahead of routine maintenance when the host carries privileged workloads or trust material.
- Restrict local code execution on high-trust hosts: reduce shell access, limit untrusted workloads, and separate multi-user or CI environments from systems that store SSH host keys or other privileged credentials.
- Hunt for host key and shadow-file access anomalies: alert on suspicious reads of /etc/ssh/ssh_host_* and /etc/shadow, especially from helper processes or unusual local sessions, because those files signal downstream identity compromise.
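One way to turn the hunting guidance above into a check, as an added example that is not part of the Orca or NHIMG material: it scans audit-style records for reads of /etc/shadow and private SSH host keys and flags readers that are not on an expected-program allowlist, or allowlisted names whose binary lives outside the system paths. The allowlists, trusted directories and the single-line record format are assumptions for illustration.

```python
import fnmatch
import re
# Files the guidance names; public .pub halves of host keys are excluded below.
SENSITIVE_GLOBS = ("/etc/shadow", "/etc/ssh/ssh_host_*")
# Assumed allowlists of expected readers; tune to the distribution and PAM setup.
EXPECTED_READERS = {
    "/etc/shadow": {"sshd", "unix_chkpwd", "login", "su", "sudo", "passwd"},
    "/etc/ssh/ssh_host_*": {"sshd", "ssh-keysign"},
}
# Where the binaries behind those names are expected to live (assumption).
TRUSTED_EXE_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one key=value record into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def is_sensitive(path):
    """True for /etc/shadow and private host keys."""
    if path.endswith(".pub"):
        return False
    return any(fnmatch.fnmatch(path, g) for g in SENSITIVE_GLOBS)

def find_anomalies(lines):
    """Return (serial, comm, path, reason) for each suspicious read."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        path = rec.get("name", "")
        if not is_sensitive(path):
            continue
        comm, exe = rec.get("comm", "?"), rec.get("exe", "")
        allowed = {r for g, rs in EXPECTED_READERS.items()
                   if fnmatch.fnmatch(path, g) for r in rs}
        if comm not in allowed:
            alerts.append((rec.get("serial"), comm, path, "unexpected reader"))
        elif not exe.startswith(TRUSTED_EXE_DIRS):
            # Allowlisted name, but the binary lives outside the system paths.
            alerts.append((rec.get("serial"), comm, path, "exe outside trusted dirs"))
    return alerts

# Constructed records (not real auditd, which splits these fields across SYSCALL/PATH records).
SAMPLE_LOG = [
    'serial=101 uid=0 comm="sshd" exe="/usr/sbin/sshd" name="/etc/ssh/ssh_host_ed25519_key"',
    'serial=102 uid=0 comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" name="/etc/shadow"',
    'serial=103 uid=0 comm="sshd" exe="/usr/sbin/sshd" name="/etc/ssh/ssh_host_ed25519_key.pub"',
    'serial=104 uid=1001 comm="cat" exe="/usr/bin/cat" name="/etc/shadow"',
    'serial=105 uid=0 comm="sshd" exe="/tmp/.x/sshd" name="/etc/ssh/ssh_host_rsa_key"',
    'serial=106 uid=0 comm="vim" exe="/usr/bin/vim" name="/etc/hosts"',
]
```

Running `find_anomalies(SAMPLE_LOG)` flags records 104 and 105 only; the .pub read and the /etc/hosts read are ignored.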
What's in the full article
Orca Security's full analysis covers the operational detail this post intentionally leaves for the source:
- The vulnerable kernel path and commit-level fix reference for teams validating fleet exposure
- The public proof-of-concept workflow against ssh-keysign and the exact files it targets
- The distribution-specific systems cited as tested or potentially exposed, useful for triage
- The platform context Orca uses to prioritise vulnerable assets by reachability and workload criticality
Linux file descriptor theft bug: what IAM teams need to know
Explore further
Kernel exit-window theft is a privileged-access lifecycle failure, not a simple file permission bug. The attack works because a privileged process can outlive the assumption that its file descriptors are still protected by normal access checks. Once the process enters exit, the race collapses the boundary between privileged and unprivileged observation. Practitioners should treat kernel state transitions as part of privileged identity governance, not as a separate infrastructure problem.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to the same research.
A question worth separating out:
Q: Who is accountable when a host key or shadow file is exposed through a kernel bug?
A: Accountability is shared across platform, infrastructure, and identity owners because the failure crosses layer boundaries. Kernel patching belongs to system operations, while the downstream trust impact belongs to identity and security governance. Frameworks such as the NIST Cybersecurity Framework and zero-trust models both require that boundary.