Linux kernel flaw opens root-only files to unprivileged users

Plus ModuleJail, a radical proposal for minimizing the impact of similar bugs
Another Linux kernel flaw has handed local unprivileged users a way to peek at files they should never be able to read, including root-only secrets such as SSH keys. The bug affects multiple LTS kernel lines from 5.10 upward, although a fix has already landed – and there is now a proposal for reducing the odds of similar surprises in future.
What FOSS analytics vendor Metabase memorably dubbed the strip-mining era of open source security continues. This time, the culprit is CVE-2026-46333, a local kernel vulnerability that lets an unprivileged user read files they should not be able to access, including those normally available only to root. An attacker who already has login access to an affected machine could therefore potentially grab SSH keys, password files, or other confidential credentials, as the KnightLi blog explains.
Despite its official designation, a demo exploit on GitHub calls it ssh-keysign-pwn. It is not quite as catchy a name as Copy Fail, or Dirty Frag, or indeed Fragnesia, but we feel it is safe to say it hasn’t been a good month.
According to a report on Linux Stans, it affected LTS kernel versions 5.10, 5.15, 6.1, 6.6, 6.12, 6.18 and 7.0. The good news is that it’s already been fixed: Linus himself, in commit 31e62c2, called the fix “ptrace: slightly saner ‘get_dumpable()’ logic.”
The issue was reported on the oss-security list on Friday by security consultancy Qualys, as noted on X by grsecurity’s Brad Spengler. In the same thread, Altan Baig pointed out that the underlying issue was reported by Jann Horn on the Linux Kernel Mailing List way back in 2020. The problem with tracking security reports, which Penguin Emperor Torvalds described recently, is not new, alas.
ModuleJail
This also seems like a good time to look at what we thought was an interesting new defensive measure, Jasper Nuyens’ ModuleJail. The top line of the README summarizes it:
A single POSIX shell script that shrinks a Linux host’s kernel-module attack surface by writing a modprobe.d blacklist for every kernel module not currently in use, minus a built-in baseline and an optional sysadmin whitelist. No daemons, no initramfs changes, no AI inside the tool. One script, one run, one blacklist file.
The mention of “no AI inside the tool” is arguably something of a giveaway, and you can see a CLAUDE.md file in the repo.
Even so, how it works is simple enough. Linux is a monolithic kernel, but a modular one. When the kernel’s source code is compiled, the person or tool building it can choose, for each individual component, whether it is built into the kernel binary, left out entirely, or compiled as a module that can be loaded on the fly as and when it’s needed. Since the bulk of the kernel’s code is device drivers, it’s normal for distribution vendors to compile most non-essential components as kernel modules – as the Arch wiki explains. Blacklisting a module just means adding its name, in a modprobe.d configuration file, to the list of modules not to load automatically. One caveat worth knowing: a blacklist entry only stops the module being pulled in via its aliases, which is the usual hotplug path; an explicit modprobe of the module by name will still load it unless the same file also maps the module to a dummy install command such as /bin/false.
Blacklisting unused modules for added security isn’t a new idea. It’s in the RHEL 6 documentation, for instance, and a DoHost blog post from last year describes it as a security measure.
ModuleJail simply automates the process: it blacklists every module not currently in use. That is probably safe for a server, but rather less ideal for a laptop, or any machine where you need to plug in new hardware on the fly, because a driver that isn’t loaded at the moment the script runs is one you will later be unable to load. Connecting a USB headset, say, is quite different from plugging one into a headphone socket. A device with a jack plug uses your existing sound controller; by connecting a USB one, you’re effectively adding a new sound controller – just one that happens to be connected over USB – and that controller needs its own driver module.
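As an added illustration of the mechanism (example code written for this piece, not ModuleJail’s own script), the shell function below takes a list of the modules available to the running kernel and a list of the ones currently loaded, plus an optional whitelist for things like that USB headset, and emits a modprobe.d fragment for everything left over. It writes an install line alongside each blacklist entry, because a blacklist line on its own only stops alias-driven autoloading; a direct modprobe would still succeed. The helper names, the /lib/modules path, the whitelist location and the output file name are assumptions for the example.

```shell
#!/bin/sh
# Added example, not ModuleJail's code: derive a modprobe.d fragment that
# disables every module available to the running kernel that is neither
# loaded right now nor listed in a sysadmin whitelist.
#
# Each jailed module gets two lines:
#   blacklist NAME           ignore the module's aliases, so udev/hotplug
#                            and other alias-driven autoloads skip it
#   install NAME /bin/false  make even an explicit 'modprobe NAME' fail
# The second line matters: a bare 'blacklist' entry never stops a direct
# modprobe by name.

# gen_blacklist AVAILABLE_FILE LOADED_FILE [WHITELIST_FILE]
# Each file holds one module name per line. The fragment goes to stdout.
gen_blacklist() {
    avail=$1; loaded=$2; keep=${3:-/dev/null}
    tmp=${TMPDIR:-/tmp}/mjail.$$
    # Module names are spelled with '-' in file names and '_' in lsmod;
    # modprobe treats them as equal, so normalise to '_' before comparing.
    sed 's/-/_/g' "$avail" | grep -v '^$' | LC_ALL=C sort -u > "$tmp.avail"
    cat "$loaded" "$keep" | sed 's/-/_/g' | grep -v '^$' \
        | LC_ALL=C sort -u > "$tmp.keep"
    # comm -23: names present in the first (available) list only.
    LC_ALL=C comm -23 "$tmp.avail" "$tmp.keep" | while IFS= read -r m; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
    rm -f "$tmp.avail" "$tmp.keep"
}

# Gather the two inputs on a live host. Assumptions: modules live under
# /lib/modules/$(uname -r) and lsmod is on PATH (true on most distros).
available_modules() {
    find /lib/modules/"$(uname -r)" -name '*.ko*' 2>/dev/null \
        | sed 's|.*/||; s/\.ko.*$//'
}
loaded_modules() {
    lsmod | awk 'NR > 1 { print $1 }'
}

# Typical run. The generated file is only consulted by future modprobe
# calls, so nothing already loaded is affected; review it before installing.
#   available_modules > /tmp/avail; loaded_modules > /tmp/loaded
#   gen_blacklist /tmp/avail /tmp/loaded /etc/modulejail-keep.txt \
#       > /etc/modprobe.d/zz-jail.conf
```

If the goal is that no further module ever loads once the box is up, the heavier hammer is the kernel.modules_disabled sysctl, which is one-way until reboot; the modprobe.d route above is the reversible version, which is why a whitelist file for hotplug hardware is worth keeping.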
ModuleJail mentions that its approach avoids changing the initramfs. An initramfs, like the older initrd, is a file holding a temporary root filesystem that the kernel unpacks into RAM at boot, so that a generic distribution kernel can find and load the drivers it needs for the particular box it’s running on – before it can even find the machine’s SSD and mount the real root partition.
Back in the 1990s, as grumpy old graybeards such as this vulture recall, recompiling your kernel was a standard part of periodic system maintenance. One benefit of building a kernel customized for your own computer was eliminating the need for an initramfs: if all the drivers your hardware needs are built in, there’s no need for this temporary stage – although, as the ArchWiki notes, going without one does limit some advanced features, including ones that systemd relies on.
We would love to see some of the systemd-free distros incorporate such automatic ModuleJail-style identification of essential modules, and use it to build a custom kernel on the fly, then banish the use of initramfs. (Maybe just keep the all-options-enabled installation kernel around as an emergency fallback.) Aside from a few special cases such as OpenZFS, this should work on most hardware – and make life simpler, quicker, and perhaps slightly more secure. ®
Source: www.theregister.com…
