Is it really "only" specific to SSH? I thought that reading SSH private keys was just a proof-of-concept to show that the exploit allow to read any file root can read?
I gotta say: there are so man privilege escalation exploits lately that it's hard to keep track.
The exploit hammers a race condition in the cleanup of processes when they exit. You fork a new process, exec() some (hopefully SUID) program that opens a sensitive file you want to read, kill() the process before the file is closed, and then try to open the leftover fd(s) before the kernel cleans it up.
If it succeeds, it lets unprivileged users read any file that another binary had open. That means you are limited to reading whatever files you can get another binary to open.
Extra cool points if that binary is SUID which means it might read something sensitive you don't have permissions for yourself.
That's why the examples use specific known suid programs that already exist on most machines, they read something sensitive like SSH keys or /etc/shadow that a normal user wouldn't have access to, to show how serious the bug is.