TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

20% Positive

Analyzed from 1958 words in the discussion.

Trending Topics

#linux#security#kernel#exploit#distributions#suid#reporter#disclosure#should#distros

Discussion (173 Comments)Read Original on HackerNews

xeeeeeeeeeeenu•about 4 hours ago
For context, the author of the linked post, Sam James, is a Gentoo developer.

Anyway, this is a disaster. It was extremely irresponsible to share the exploit with the world before the distributions shipped the fix. Who knows how many shared hosting providers were hacked with this.

It's also worrying that it seems there's no communication between the kernel security team and distribution maintainers. One would hope that the former would notify the latter, but apparently it's the responsibility of whoever finds the vulnerability.

zamalek•about 4 hours ago
The disclosure was more about marketing than security. From the disclosure page:

> Is your software AI-era safe?

> Copy Fail was surfaced by Xint Code about an hour of scan time against the Linux crypto/ subsystem. [...]

> [Try Xint Code]

More chaos makes their product seem even more attractive.

esseph•about 4 hours ago
Your advertising for them on HN would help them too, I bet.
jasonmp85•about 3 hours ago
Does it? Now that I see their name again in this context they're blacklisted for life.
lifis•about 3 hours ago
The Linux kernel is not usable as a security boundary, so anyone who wants to do "shared hosting" and not be hacked needs to use something else, like gVisor or firecracker VMs
shimman•about 4 hours ago
Expecting people to do the right thing is a fundamental issue here. Why would you ever expect for all of vulnerabilities to be disclosed privately? There's very little actual incentive to do this.

I'm honestly unaware of what systems could be put in place to prevent this but expecting people to always do the right thing is fantasy level thinking. I mean I bet the disclosers that they would during the right thing, hence why it's a bad thing to rely on.

dwedge•about 4 hours ago
When the exploit is an advertisement for an exploit detection company, not doing the right thing is a bad look
dgellow•about 4 hours ago
The worst thing would be to exploit or sell it for profit. Instead of that, publicizing the exploit is closer to neutral–good in my books, that did trigger a really quick reaction from the different actors to patch their kernels and systems
egonschiele•about 4 hours ago
Why don't all these distro maintainers add their own back doors, and mine crypto off our machines without our knowledge? Surely, there is some legal fine print they can add that would let them do that. There is very little incentive for them to maintain these systems, given how thankless and underpaid the work is.
skywhopper•about 4 hours ago
I think it’s reasonable to expect folks in the security community who go to the trouble of creating a website detailing security vulnerabilities in specific listed software to pre-notify the security teams of that software. The CopyFail website calls out Ubuntu and Red Hat specifically, but apparently the author of the site did not inform them of the issue?

But even if you think making unethical decisions in personal self interest is something no one should be criticized for, surely the Linux kernel team ought to have some process for notifying the top distributions of an upcoming LPE, just out of practicality.

semiquaver•about 4 hours ago
In what sense do you believe that the reporter did not notify the security team of the relevant software? The vulnerability is in the kernel. Reporter responsibly disclosed using the kernel’s security report mechanism and waited until a patch was ready.

Distros are downstream of kernel, that doesn’t entitle them to expect to be contacted directly by every security reporter. That’s not on them. Distros that are big enough should be plugged into the linux security team for notifications.

Security researchers cannot be held responsible for broken lines of communication within the org charts of projects that they study. They’re providing a valuable public service already, how much more do you want?

holowoodman•about 4 hours ago
I can accept (and welcome) disclosure before there are patches.

But publishing a working exploit together with the disclosure before patches are available is really really irresponsible, maybe even criminal.

And no, the proposed mitigations don't help with half of the distributions out there...

akerl_•about 4 hours ago
> maybe even criminal

What’s your theory here? What crime?

SoftTalker•about 4 hours ago
AIUI the exploit was fairly low-effort once you knew the vulnerability. So publishing one probably didn't change the landscape much.
wang_li•about 4 hours ago
There is an alternative mitigation you can use which blacklists the function calls when the affected code is not built as a kernel module.
semiquaver•about 4 hours ago
Patches were available for nearly a month.
baggy_trough•about 4 hours ago
Why wouldn't the linux security team notify the main linux distributions?
staticassertion•36 minutes ago
Greg and Linus do not believe in the entire concept of "vulnerabilities" in the Linux kernel and do not believe in the methods that distros use like cherry picking, therefor they typically are against issuing CVEs, scoring CVEs, describing vulnerabilities at all (if you use the word "vulnerability", your patch will be rejected), etc.

It's fundamentally their position to not work the way that you describe.

bluepuma77•about 2 hours ago
Well, how do you define main Linux distros? Isn’t the next smaller one not receiving the info always complaining?
shimman•about 1 hour ago
Because one of them might have an incentive to not do so. In this case it's because they want to advertise their own company.
bonzini•about 4 hours ago
Partly they already have enough on their plate. It's up to the reporter to pick how to handle the disclosure, and unless a specific maintainer chooses to handle it, the Linux security team clearly says they won't.

Partly they have a strong belief that all kernel bugs are vulnerabilities and all vulnerabilities are just bugs; sometimes taken to the extreme in both ways (on one hand this case where the vulnerability is almost ignored; on the other hand, I saw cases where a VM panic that could be triggered only by a misbehaving host—which could just choose to stop executing the VM—was given a CVE).

johnbarron•about 3 hours ago
>> Anyway, this is a disaster. It was extremely irresponsible to share the exploit with the world before the distributions shipped the fix.

Maybe a decade of corporations of revenue in the billions, paying peanuts and coffee money, for critical vulnerability disclosures made it....

999900000999•about 4 hours ago
Counterpoint. End users have a right to mitigate this issue on their systems.

It is a really really bad look for Linux, puts a bit of water on all hype around switching from Windows.

roxolotl•about 3 hours ago
It does? The disclosure even says the concern for single user systems is very low. If someone has access to your single user system, remote or otherwise, you’ve already lost on the sort of device people would be switching from windows to Linux on.
vhantz•about 3 hours ago
As opposed to all other operating systems with no CVEs ever?
weavejester•about 3 hours ago
Hype around switching from Windows servers?
akerl_•about 4 hours ago
Who knows how many attackers had found this vulnerability and had already been using it prior to this research finding it?
Quarrelsome•about 4 hours ago
well now everyone does, so the irresponsible disclosure makes it significantly worse.
akerl_•about 4 hours ago
It’s your opinion that it’s irresponsible and that it makes something worse.
deng•about 4 hours ago
> It was extremely irresponsible to share the exploit with the world before the distributions shipped the fix.

Yes, this was clearly a marketing stunt to promote Xint code.

I, for one, will never use Xint code and will advise everyone to never use it. To anyone working there: enjoy your 15 minutes, I hope this backfires right in your face.

semiquaver•about 4 hours ago
> Note that for Linux kernel vulnerabilities, unless the reporter chooses to bring it to the linux-distros ML, there is no heads-up to distributions.

Why would they imply it is incumbent on the reporter to liaise with distributions? That seems to assume a high level of familiarity with the linux project. Vulnerability reporters shouldn’t be responsible for directly working with every downstream consumer of the linux kernel, what’s the limiting principal there? Should the reporter also be directly talking to all device manufacturers that use Linux on their machines?

IMO reporter did more than enough by responsibly disclosing it to linux and waiting for a patch to land.

Aren’t there people in the linux project itself with authority over and responsibility for security vulnerabilities? One would think they would be the ones notifying downstream distros…

sega_sai•about 4 hours ago
The reporter took time to check and mention on their website specific distributions Ubuntu/RHEL/SUSE. One would have thought reporting to security teams of at least those would be responsible.
semiquaver•about 4 hours ago
“One” would have thought? Can you point to a written policy that says that’s how it should be?
happyopossum•about 4 hours ago
No, not can I point to a written policy that states one should cover one’s mouth when they cough.

Everyone involved here failed to do the right thing, and hiding behind the lack of written words is weak sauce.

anikom15•about 4 hours ago
The tenets of decency don’t need to be written down.
froh•about 3 hours ago
it's trivial to find out how to report a security issue like this to Linux distros.

Google search: https://share.google/aimode/eihDKXZJy94Z5lC1p

and it's beyond me to not think about doing this and instead exposing everyone and their neighbor to this exploit up front.

I'm certain this is even a felony in some legislations, rightfully so.

sparker72678•about 4 hours ago
Sure, maybe it's not a _requirement_, but now we're all in more pain because the reporters are more interested in Fame than Safe Remediation.
skywhopper•about 4 hours ago
The reporter made a website explicitly calling out Ubuntu, RedHat, Amazon, and SUSE but didn’t notify them, and you think that’s reasonable? That they might not have known those distributions are downstream from the kernel team?
whatevaa•about 2 hours ago
Stop blaming the reporter. Start asking kernel to fix their process. Linux kernel is no longer a toy project, it has full time employees employed by various companies. They should have handled notifying distributions. Not some rando.
GranPC•about 3 hours ago
Just for what it's worth, I just pushed an eBPF-based workaround for people who are running kernels in which AF_ALG is linked directly into the kernel and not as a module: https://github.com/Dabbleam/CVE-2026-31431-mitigation

I am running this in production right now and it mitigates the attack, with no unexpected side-effects as far as I can see.

KingMachiavelli•about 2 hours ago
`nosuid` and probably `nodev` should IMO be the default filesystem mount options. `/dev` is already a special devtmpfs and the initrd minimal /dev can just explicitly mount the initrd tmpfs rootfs with `dev` and `suid` if necessary.

Letting SUID binaries just "exist" anywhere is a stupendous security issue. What if you mount some external storage medium, how are you to verify that none of the SUID binaries on that block device are malicious.

Additionally, this exploit appears to only work if the user executing the SUID binary can also read the SUID binary. There's no reason for non-root users to have read on a SUID binary.

NixOS does this correctly. No SUID in the normal package installation directory `/nix/store` and no package leakage outside of that no `nosuid` can safety be used on all other mountpoints. The exception is just a single-purpose `/run/wrappers.$hash` directory that safety contains executable ONLY SUID wrappers.

xorcist•19 minutes ago
The proof of concept exploit is just that. It is meant to demonstrate one attack vector only. There are many others. If your goal is to prevent the conceptual exploit only then there are many easier ways to accomplish that, such as blacklisting, that does not make you safer.

With this vulnerability you can manipulate the page cache. You could also manipulate ld.so to hook into arbitraty system calls, or set your uid to 0, or any of another dozen or so ways to elevate your privileges.

Mount points have nothing to do with this, even if is always a good idea to disallow suid in user writable areas and prevent reading suid files, but that's for other reasons. NixOS does nothing to fix this and is just as vulnerable as everyone else.

muvlon•about 1 hour ago
While I hate suid as much as the next person, it's really not the problem here.

The bug that is being exploited gives you basically arbitrary page cache poisoning. At that point it's already game over. Patching a suid program is maybe the easiest way to get a root shell from that but far from the only.

akdev1l•about 2 hours ago
Without read permissions you cannot execute the binary, that would not make any sense.

To execute the binary it needs to be read from disk and loaded into memory.

In fact if you have read permissions but not executable permissions on a specific binary then you can still execute it by calling the linker directly /bin/ld.so.1 /path/to/binary (the linker will read and load the binary and then jump to the entry point without an exec() call)

Plagman•about 2 hours ago
loader
swinglock•about 2 hours ago
Neither was NixOS.

https://discourse.nixos.org/t/is-nixos-affected-by-copy-fail...

Denvercoder9•19 minutes ago
None of the distros were.
ectospheno•about 4 hours ago
The Bleeping Computer link below mentions a potential remedy until a patch is ready.

https://www.bleepingcomputer.com/news/security/new-linux-cop...

jayofdoom•about 4 hours ago
This workaround only applies to kernels with the impacted code compiled as a module. RHEL, Fedora, and Gentoo (we use a modified Fedora config) all are configured to build this in directly. Without a patch or config change (as Sam from Gentoo was alluding to), those distributions remain vulnerable.
jcul•about 4 hours ago
There was some discussion on the GitHub issues about workarounds to disable it, even though it is baked in.

https://github.com/theori-io/copy-fail-CVE-2026-31431/issues...

https://github.com/theori-io/copy-fail-CVE-2026-31431/issues...

pitrdevries•about 4 hours ago
This worked as a mitigation on distros with the module compiled into the kernel: https://gist.github.com/m3nu/c19269ef4fd6fa53b03eb388f77464d...

Basically: sudo grubby --update-kernel=ALL --args=initcall_blacklist=algif_aead_init

sudo reboot

holowoodman•about 4 hours ago
The potential remedy doesn't work on RedHat and derivatives because the affected code is not a module there but statically compiled in.
VladVladikoff•about 2 hours ago
Hey Xint Code / tylerni7 <https://news.ycombinator.com/threads?id=tylerni7>, maybe you should improve your disclosure process as well? Maybe make it mandatory for users of your tool?
john_strinlai•about 2 hours ago
they disclosed 30 days after the patch was merged in the thing they reported to.

its the same disclosure policy as google's project zero, and several other major players, so you should probably be trying to ping a lot more people

reporters should not be responsible for finding out and individually reporting to every downstream consumer. blame the kernel security team, who is in a much better position to coordinate notifications to individual distro security teams.

tptacek•about 1 hour ago
The security research community would run you out on a rail if you tried to take a successful research product and attach mandatory disclosure norms to it.
lrvick•about 1 hour ago
Was not disclosed to stagex, and I expect a lot of linux distros. Thankfully we were already on kernel 7.0 so not impacted
seniorThrowaway•about 3 hours ago
Ubuntu has patches out, tested before and after patching.
uberduper•about 4 hours ago
`initcall_blacklist` is a thing.
Advertisement
ChrisArchitect•about 4 hours ago
Related:

Copy Fail

https://news.ycombinator.com/item?id=47952181

JasonHEIN•about 3 hours ago
huh somehow seeing people not using ai to work is like wow moment which i cherish a lot these days