Several vulnerabilities in the Linux kernel, most notably the high-severity CVE-2026-46333 (ptrace exit-race), have been patched in the latest security updates.

The most significant flaw, dubbed ssh-keysign-pwn, involves a logic error in the kernel's ptrace access-check path. This race condition allows a local unprivileged attacker to bypass security boundaries and read root-owned secrets, such as the system shadow file or SSH host private keys, achieving local privilege escalation without needing root access to begin with.

In addition to the ptrace flaw, this update addresses vulnerabilities involving Bluetooth deadlocks (CVE-2026-31499), memory leaks in networking (CVE-2026-43088), and buffer overflows in the ksmbd file server (CVE-2026-43490).

Debian has deployed patched Linux kernel packages across major branches:

  • Oldstable (bookworm): Fixed in version 6.1.172-1
  • Testing (trixie): Fixed in version 6.12.88-1

Other distributions are expected to release corresponding updates shortly. System administrators are strongly advised to upgrade their packages and schedule reboots.

Sources: Debian Mailing List: https://lists.debian.org/debian-security-announce/2026/msg00214.html