TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

49% Positive

Analyzed from 2713 words in the discussion.

Trending Topics

#exploit#code#https#page#kernel#cve#doesn#poc#security#byte

Discussion (93 Comments)Read Original on HackerNews

smlacyabout 2 hours ago
The fetishism of "byte count" (here, as "732 byte python script") needs to stop, especially when in a context like this where they're trying to illustrate a real failure modality.

Looking at their source code [1] it starts with this simple line:

import os as g,zlib,socket as s

And already I'm perplexed. "os as g"? but we're not aliasing "zlib as z"? Clearly this is auto-generated by some kind of minimizer? Likely because zlib is called only once, and os multiple times. As a code author/reviewer, I would never write "os as g" and I would absolutely never approve review of any code that used this.

Anyway, I could go on. :) Let's just stop fetishizing byte count

[1] https://github.com/theori-io/copy-fail-CVE-2026-31431/blob/m...

rts_cts7 minutes ago
I started to take the exploit script apart and reformat it to be something readable. At about 1041 bytes it's actually readable. The heart of it also includes an encoded zlib compressed blob that's 180 bytes long ('78daab77...'). This is decompressed (zlib.decompress(d(BLOB)) to a 160 byte ELF header.
debo_about 1 hour ago
I don't see it as fetishizing byte count. I think of it as a proxy measure for how complicated or uncomplicated the exploit might be. They could just as well have said "we can do it in 3 lines of python" or "the Shannon entropy of the script implementing the exploit is really small" and I would have interpreted it similarly.

Where do you see this "fetishizing" happening most often? It's a strange thing to counter-fetishize about.

layer833 minutes ago
> I think of it as a proxy measure for how complicated or uncomplicated the exploit might be.

From a Busy Beaver, 256-bytes compo, or Dwitter perspective, 732 bytes isn’t really that meaningful.

And the sample exploit is even optimizing the byte size by using zlib compression, which doesn’t make much sense for the purpose. It just emphasizes the byte count fetishization.

infogulch17 minutes ago
While I agree that it doesn't make much sense to use a minimizer on code the reader could understand, the code-golfed byte count of a CVE repro communicates its complexity in a certain visceral way.
tptacekabout 1 hour ago
I don't get the 732-byte thing either and while I think it's a relatively punchy and unusually informative landing page for named vulnerability there are little snags like this all over it.

But the fact that it's not a kernel-exec LPE and it's reliable across kernels and distributions is important; it's close to the maximum "exploitability" you're going to see with an LPE. Which the page does communicate effectively; it just gilds the lily.

tylerni733 minutes ago
yeah... definitely a bit of a rush to get the landing page out after a long time in the disclosure process. The folks putting this all together have been working like mad (finding the bug, disclosing, working a lot on patching, writing up POCs and verifying exploitability in different scenarios) and stayed up really late to finish up the landing page, which led to a lot of minor issues.

But the bug is real and people should patch :)

For the size: sometimes people will shove in kilobytes of offset tables or something into an exploit, so it'll fingerprint and then look up details to work. This is much smaller because it doesn't need any of that, which is important for severity. (I agree the "golf" nature is a bit of an aside, kind of like pwn2own exploits taking "10 seconds")

tensegrist21 minutes ago
llms love that though

"The honest solution: a clean 50-line cut" and so on, ad nauseam

embedding-shapeabout 2 hours ago
> I would absolutely never approve review of any code that used this.

How often do you review, and subsequently block the release, of PoCs in this sort of context? Sounds like you've faced this a lot.

I always thought code quality mattered less in those, as long as you communicate the intent.

Xirdusabout 1 hour ago
If you have a choice between posting minimized exploit code, and posting regular exploit code, posting minimized code is virtually always the wrong choice.

If you have a choice between pointing out the byte size of the exploit, and not pointing out the byte size of the exploit, pointing it out is virtually always the wrong choice.

In both cases, doing the right thing is less work. So somebody is going the extra way to ensure they are doing it wrong. If they didn't care, they'd end up doing it right by default.

nvme0n1p115 minutes ago
> as long as you communicate the intent

How does "import os as g" communicate the intent? How does hiding the payload behind zlib communicate the intent? This is the opposite: obfuscating the intent, so they can brag about 732 bytes instead of 846 bytes (or whatever it might have been).

It would have been less work for everyone involved to just release the unminified source.

opelloabout 1 hour ago
While not formally reviewing code like this, I read a lot of it for fun. When it's clear and understandable, it's more educational and enjoyable. If the PoC code can also serve as a means of communication, that seems like an extra win.
refulgentisabout 2 hours ago
It's just lazy AI* writing w/0 editing.

"Just" is doing a lot of work there, I'm so annoyed reading it.

It's like an anti-ad and they had pretty cool material to work with.

* Claude loves stacatto "Some numeric figure. Something else. Intensifier" (ex. the "exploitable for a decade." or whatever sentences)

bonziniabout 1 hour ago
Completely without editing, to the point of hallucinating a RHEL version (14.3) that doesn't exist.
tjbecker39 minutes ago
I recommend reading the technical writeup https://xint.io/blog/copy-fail-linux-distributions
ok123456about 1 hour ago
This is pretty legible compared to the 90s C rootshell.org exploits.
fragmedeabout 1 hour ago
> Anyway, I could go on.

Then go on. zlib is only used once, so "zlib as z" in exchange for using z once doesn't get you anything. Using os directly and not renaming it g saves you 2 bytes though. But in this age where AI outputs reams of code at the drop of a hat, why shouldn't we enjoy how small you can get it to pop a root shell?

https://gist.github.com/fragmede/4fb38fb822359b8f5914127c2fe...

edit: If we drop offset_src=0 and just pass in 0 positionally, it comes down to 720.

Banditoz22 minutes ago
>...why shouldn't we enjoy how small you can get it to pop a root shell?

Because I want to know what the exploit is doing and how it works, and if it's even safe to run.

A privesc PoC is NOT the place for this kind of fun.

akdev1l19 minutes ago
Agreed lmao the PoC itself looks like you’re getting attacked

Which I guess is true but I would like to verify the attack is the intended one

john_strinlaiabout 2 hours ago
>As a code author/reviewer, I would never write "os as g" and I would absolutely never approve review of any code that used this.

lucky for them, its an exploit script, not enterprise code.

all that needs to be "reviewed" is whether or not it exploits the thing its supposed to.

edit: yall really think a 10-line proof of concept script needs to undergo a code review? wild. i shouldnt be surprised that the top comment on a cool LPE exploit is complaining about variable naming

StableAlkyne27 minutes ago
It's just sloppy. Readers are human, and little mistakes like this take away from the article. Then you add a nonexistent RHEL version, and it just isn't a good look. Which is a shame, because it's otherwise a very interesting vuln.

Maybe you didn't care, but the length of this comment chain clearly shows that it matters. Effective communication is just as important as the engineering.

john_strinlai20 minutes ago
agreed regarding the RHEL version!

i just dont understand huffing and puffing over "os as g" in a 10-line poc script, and saying "well i would never approve this". its not enterprise code. its not code that will ever be used anywhere else, for anything. its sole purpose is to prove that the exploit is real, which it does!

the rest of the information is in the actual vulnerability report. the poc is a courtesy to the reportee, so that they can confirm that the report itself isnt bullshit.

evidently, given the downvotes i am getting, people think exploit scripts should be enterprise quality code. ¯\_(ツ)_/¯ half of the reports i see flowing through mailing lists dont even have a poc.

amazingly HN-like to be upset about a variable name

Xirdusabout 1 hour ago
I'd imagine that at minimum, the team in charge of patching the vulnerability would need to review how the exploit works.
john_strinlaiabout 1 hour ago
id imagine that they received more than just the poc in the report they received
xeeeeeeeeeeenuabout 2 hours ago
It seems there was some kind of confusion during the disclosure process, because the vendors aren't treating this vulnerability as serious and it remains unpatched in many distros.

https://access.redhat.com/security/cve/cve-2026-31431 "Moderate severity", "Fix deferred"

https://security-tracker.debian.org/tracker/CVE-2026-31431

https://ubuntu.com/security/CVE-2026-31431

https://www.suse.com/security/cve/CVE-2026-31431.html

MarleTangibleabout 1 hour ago
Seems like distros consider it a medium risk because it doesn't involve remote code execution and requires local access. Though it allows local root privilege escalation which is considered high priority.

https://ubuntu.com/security/cves/about#priority

> Medium: A significant problem, typically exploitable for many users. Includes network daemon denial of service, cross-site scripting, and gaining user privileges.

oskarkkabout 1 hour ago
Strange that it's not classified as "high", which specifically includes "local root privilege escalations".

> High: A significant problem, typically exploitable for nearly all users in a default installation of Ubuntu. Includes serious remote denial of service, local root privilege escalations, local data theft, and data loss.

Tuna-Fishabout 1 hour ago
Yeah, by ubuntu's own guidelines linked on that page, this should be priority: high, but instead it's marked as medium.
jzbabout 2 hours ago
This is amazing. Page says it works on RHEL 14.3, which doesn’t exist. Current RHEL is 10.x, this must’ve been done in a TARDIS.
rdtscabout 2 hours ago
> This is amazing. Page says it works on RHEL 14.3, which doesn’t exist. Current RHEL is 10.x, this must’ve been done in a TARDIS.

Indeed. "Distributions we directly verified: RHEL 14.3". Directly verified by me to be AI slop (the release page at least).

https://access.redhat.com/articles/red-hat-enterprise-linux-...

phreackabout 2 hours ago
The page itself seems vibecoded and a bit of an advertisement, but it does look like the vulnerability is real and high risk. It does explain the big security update I just got, guess I'll prioritize updating today.
embedding-shapeabout 2 hours ago
For mitigation, the page currently basically just says:

> Update your distribution's kernel package to one that includes mainline commit a664bf3d603d

But it isn't very clear to me what Kernel version you can expect that to be in. For Arch/CachyOS, the patch seems to be included in 6.18.22+, 6.19.12+ and 7.0+. If you're on any of the lower versions in the same upstream stable series, you're likely vulnerable right now. Some distro kernels may include the fix in other versions, so check for your distribution.

kroabout 2 hours ago
Major os vendors will publish pages with the fixed versions:

https://security-tracker.debian.org/tracker/CVE-2026-31431

https://ubuntu.com/security/CVE-2026-31431

Also, disabling algif_aead is suggested as mitigation

1p09gj20g8habout 2 hours ago
Where are you seeing the disabling algif_aead mitigation?
oskarkkabout 2 hours ago
In TFA: https://copy.fail/#mitigation

> Before you can patch: disable the algif_aead module.

> echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf

> rmmod algif_aead 2>/dev/null || true

Edit: and I can confirm that on my system with kernel 6.19.8 the above fixes the exploit.

bblbabout 2 hours ago
What is "RHEL 14.3"? Was this site a one shot prompt. Quality.
not_your_vaseabout 3 hours ago
Is there a readable version of the exploit readily available by any chance? Gotta admit that I failed binary-zip-interpretation-with-naked-eye class twice
progvalabout 3 hours ago
The binary "zip" isn't the exploit, it's the shellcode. The exploit is the rest, which changes the code of a SUID executable (su).
layer8about 2 hours ago
Debian page: https://security-tracker.debian.org/tracker/CVE-2026-31431
dgellowabout 2 hours ago
That’s the most AI-written page ever made
rany_about 2 hours ago
Could this be used to root Android devices? Does Android ship with algif_aead?
zb3about 2 hours ago
Android is smarter than setuid + system partitions aren't writable.
firerabout 2 hours ago
System partitions being non-writable has nothing to do with the vulnerability - it allows modifying the cache of any file that you can open for reading.

Not using setuid anywhere means you'd have to build a slightly more clever exploit, but it's still trivial - just modify some binary you know will run as root "soon".

But... I didn't check, but IIRC the untrusted_app secontext that apps run in is not allowed to open AF_ALG sockets - so you can't directly trigger the vulnerability as a malicious app. Although it might be possible in some roundabout way (requesting some more privileged crypto service to do so).

int0x29about 2 hours ago
Edit: Ignore this I overlooked calling order. It is indeed blocked

~~My allegedly fully patched pixel 8 pro allowed an AF_ALG socket to open under termux without virtualization so I'm not sure the last but is true~~

zb3about 1 hour ago
Ah, I blindly assumed such memory would be mapped readonly...
int0x29about 2 hours ago
Its not writing to the partition though is it? It is polluting the cache page via a write with a buffer overrun in the kernel. I don't think buffer overruns follow permissions.
zb3about 1 hour ago
I assumed such memory would be mapped readonly (PROT_READ), without actually looking into it..
Lorinabout 3 hours ago
What is the rationale behind naming CVEs and individual domains? Marketing?
eddythompson80about 2 hours ago
Giving catchy names for bad exploits has been a thing for a while. Probably to make sure it's easy to reference and make sure you're patches as opposed to passing numbers around. Heartbleed, Shellshock, BEAST, Goto Fail, etc
diathabout 2 hours ago
It's an advertisement for their tool that found the exploit: https://copy.fail/#contact, https://xint.io/products/xint-code
evanjrowleyabout 3 hours ago
The AI generated prose screams marketing. Marketing is why there's a "Contact our Security Team" form at the bottom of the page.
john_strinlaiabout 3 hours ago
can you remember what CVE-2021-44228 is without looking it up? CVE-2014-6271? CVE-2017-5753?

i bet if i told you their names, you would instantly know what vulns those are.

its easier to talk about things with names. it hurts no one. it takes approximately no effort or time.

CVEs are, for whatever reason, like the only thing on the planet that people seem to have a problem with when they receive a name. i am not sure why.

dgellowabout 2 hours ago
Yes, originally it was to help spread awareness. Now it has become more of a gimmick I would say
skilledabout 3 hours ago
Probably to some extent it is marketing, but generally it has to do with significant bug finds to get the message out to the people who need to apply patches and/or be informed. Heartbleed, Log4Shell, etc.

Very few CVE’s get names dedicated to them like this, because usually when they do - it is very serious, as in this case.

ronsorabout 3 hours ago
It makes sure people don't forget about the vulnerabilities, at least
Fuzzbitabout 3 hours ago
Same reason they name storms, numbers scare normies
Advertisement
skilledabout 3 hours ago
This looks like an extraordinary find at first glance.

Does this mean you can go from a basic web shell from a shared hosting account to root? I can see how that could wreak havoc really quickly.

barbegalabout 2 hours ago
Yes I would imagine lots of those type of services would be vulnerable if they hadn't updated to the latest kernel versions.
stackghostabout 2 hours ago
As of this comment, Debian Stable ("Trixie", though I hate codenames) doesn't have a fix in place and remains vulnerable, or at least their CVE tracker shows it as such:

https://security-tracker.debian.org/tracker/CVE-2026-31431

progvalabout 2 hours ago
So this replaces a SUID binary, in order to run as PID 0. The website claims it can escape "Kubernetes / container clusters" and "CI runners & build farms" but I don't see anything supporting the claim it can escape a container (or specifically, a user namespace).

I ran the exploit in rootless Podman, and predictably it doesn't escape the container.

They also claim their script "roots every Linux distribution shipped since 2017.", but only tested four; and it doesn't work on Alpine

john_strinlaiabout 2 hours ago
>The website claims it can escape "Kubernetes / container clusters" and "CI runners & build farms" but I don't see anything supporting the claim it can escape a container

they state that the write-up is forthcoming. presumably there is some additional steps or modifications that will be detailed in the 'part 2'.

"Next: "From Pod to Host," how Copy Fail escapes every major cloud Kubernetes platform."

tjbecker35 minutes ago
This is correct. The container escape exploit and writeup is not yet released.
layer8about 2 hours ago
The 2017 claim is based on the vulnerability having been introduced in this commit in the second half of 2017: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin...

The details will depend on whether the kernel is a newer release or a maintenance version of an older release.

amusingimpala75about 2 hours ago
Their PoC does as you say, but is built upon arbitrary modification of the page cache, which could be abused for the other things
progvalabout 2 hours ago
Ah indeed, it can be used to overwrite the page cache for files on read-only volumes.
microtherionabout 1 hour ago
It also doesn't work on Raspberry Pi, though presumably it could easily be made to; it does replace the su binary, but the replacement is not executable.
unsnap_bicepsabout 1 hour ago
It's patching the binary in memory, so the binary patch would be architecture dependent. The existing one is only x86_64, but with an updated payload, it would work on arm.
rcxdudeabout 2 hours ago
If you can get to real UID 0 from a rootless container, you can escape it, but you do need to take extra steps. Same with it working on Alpine: the underlying vulnerability probably still exists, but the script might need some adjusting. It's a PoC, not a full exploit for every situation.
embedding-shapeabout 2 hours ago
Did you try it on systems that don't have the patch already? Seems many distributions already shipped kernels with the patch ~a month ago.
progvalabout 2 hours ago
Yes. Alpine in rootless Podman doesn't work (after replacing "/usr/bin/su" with "/bin/su" in the .py, running the .py just doesn't do anything) while it does in Debian in rootless Podman on the same host.
corvadabout 3 hours ago
If this is verified, this is a very big deal. Root access on any shared computer. Additionally do we know what kernel versions and stable versions have the patch?
krunckabout 1 hour ago
Wow. I tried it on an old testing VM of Ubuntu 24.04 that had not been touched for a few months. Instant root with the bonus that any user that runs "su" gets root too. I updated the VM thinking it would be fixed afterward. Nope.
akdev1l32 minutes ago
You’d have to reinstall the su binary itself I guess
cyberpunk7 minutes ago
It just changes the page cache for the su binary, a reboot will revert it.
chasilabout 2 hours ago
On the downside, I need to push new kernels to all my servers.

On this bright side, does this mean Magisk is coming to all unpatched Android phones?

akdev1l33 minutes ago
No, Android doesn’t have suid binaries to exploit like in the PoC
w2seraphabout 2 hours ago
holy smokes it just rooted my just installed from ISO Ubuntu server
porridgeraisinabout 2 hours ago
Better explanation of the write up (still from original exploit author) : https://xint.io/blog/copy-fail-linux-distributions
TehCorwizabout 2 hours ago
It does not behave as described on EndeavorOS (arch-based) running kernel 6.19.14-arch1-1. I receive the error:

Password: su: Authentication token manipulation error

I'm guessing this means it's already patched?

john_strinlaiabout 2 hours ago
yes, it was reported on march 23rd, patches on april 1.

you are reading about it now because it has been patched.

marshrayabout 2 hours ago
No it hasn't.

Ubuntu before 26.04 LTS (released a week ago) are currently listed as vulnerable.

Debian other than forky and sid are currently listed as vulnerable.

This is a disgrace.

john_strinlaiabout 2 hours ago
Disclosure timeline

    2026-03-23Reported to Linux kernel security team
    2026-03-24Initial acknowledgment
    2026-03-25Patches proposed and reviewed
    2026-04-01Patch committed to mainline
    2026-04-22CVE-2026-31431 assigned
    2026-04-29Public disclosure (https://copy.fail/)
kernel 6.19.14-arch1-1, the kernel in question from the parent comment, has been patched.
dimastopelabout 2 hours ago
same result on my arch machine as well.
Ekarosabout 3 hours ago
So this could be usable in lot of places with Python and Linux running? Not that I have too many Linux devices around. Still, might be handy sometimes on personal devices.
kroabout 2 hours ago
This can likely be shipped as binary code without dependencies like python, as the bug is in the kernel.
dist-epochabout 1 hour ago
> Will you release the full PoC?

> Yes — it's on this page. We held it for a month while distros prepared patches; the major builds are out as of this writing.

There is no update available for Ubuntu 24, PoC works and just tried updating.

Advertisement
themafiaabout 2 hours ago
> If your kernel was built between 2017 and the patch

This is why I compile my own kernel. I disable things I don't use. If it's not present it can't hurt you.

> block AF_ALG socket creation via seccomp regardless of patch state.

Likewise I use seccomp to only allow syscalls that are necessary. Everything else is disabled. In the programs I have that need to connect to a backend socket, that is done, and then socket creation is disabled.

DetroitThrowabout 2 hours ago
Despite the copy/images being weird about RHEL 14.3, this seems to work. Wow?
charcircuitabout 2 hours ago
SUID binaries once again assisted a local privilege escalation attack. This is a major problem that distros can't keep ignoring.
baggy_troughabout 3 hours ago
Is this fixed in any stable release kernel yet?
Wingyabout 2 hours ago
7.0-rc1 has a tag with it:

    % git describe a664bf3d603d
    v7.0-rc1-10-ga664bf3d603d
I suspect this means the stable 7.0 has it too.
maxtacoabout 2 hours ago
Does not seem like a good idea to run arbitrary code on your machine, please consider not running this script. It seems to be attempting to make permanent changes to your system binaries. I'm not saying the exploit isn't legit, I'm just saying, use extreme caution!!
charcircuitabout 2 hours ago
The page explicitly describes that it stealthy as it does not make permanent changes, only corrupting the binary in memory.