Cybersecurity researchers have disclosed details of a vulnerability in the Linux kernel that remained undetected for nine years.
The vulnerability, tracked as CVE-2026-46333 (CVSS score: 5.5), is a case of improper privilege management that could permit an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions like Debian, Fedora, and Ubuntu. It’s also codenamed ssh-keysign-pwn.
According to Qualys, which discovered the flaw, the problem is rooted in the kernel’s __ptrace_may_access function and was introduced in November 2016.
