TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

48% Positive

Analyzed from 3675 words in the discussion.

Trending Topics

#exploit#code#kernel#https#page#cve#doesn#root#com#security

Discussion (147 Comments)Read Original on HackerNews

xeeeeeeeeeeenuabout 2 hours ago
It seems there was some kind of confusion during the disclosure process, because the vendors aren't treating this vulnerability as serious and it remains unpatched in many distros.

https://access.redhat.com/security/cve/cve-2026-31431 "Moderate severity", "Fix deferred"

https://security-tracker.debian.org/tracker/CVE-2026-31431

https://ubuntu.com/security/CVE-2026-31431

https://www.suse.com/security/cve/CVE-2026-31431.html

MarleTangibleabout 1 hour ago
Seems like distros consider it a medium risk because it doesn't involve remote code execution and requires local access. Though it allows local root privilege escalation which is considered high priority.

https://ubuntu.com/security/cves/about#priority

> Medium: A significant problem, typically exploitable for many users. Includes network daemon denial of service, cross-site scripting, and gaining user privileges.

oskarkkabout 1 hour ago
Strange that it's not classified as "high", which specifically includes "local root privilege escalations".

> High: A significant problem, typically exploitable for nearly all users in a default installation of Ubuntu. Includes serious remote denial of service, local root privilege escalations, local data theft, and data loss.

Tuna-Fishabout 1 hour ago
Yeah, by ubuntu's own guidelines linked on that page, this should be priority: high, but instead it's marked as medium.
chvish2 minutes ago
Are kernel crypto modules even loaded by default on enterprise distros
nh243 minutes ago
If you want to use the suggested mitigation (disabling kernel module `algif_aead` with a modprobe config), and you do not want to run that whole obfuscated shell code to get an actual root shell, but only check if the module can be loaded, here is a readable version of its first few lines:

    python3 -c 'import socket; s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0); s.bind(("aead","authencesn(hmac(sha256),cbc(aes))")); print("algif_aead probably successfully loaded, mitigation not effective; remove again with: rmmod algif_aead")'
Similarly, when the mitigation is in place,

    modprobe algif_aead
should fail with an error.
jzbabout 2 hours ago
This is amazing. Page says it works on RHEL 14.3, which doesn’t exist. Current RHEL is 10.x, this must’ve been done in a TARDIS.
oskarkkabout 1 hour ago
14.3 seems to come from some Red Hat-specific GCC version, which can be reported as "gcc (GCC) 14.3.1 20250617 (Red Hat 14.3.1-2)". See these random examples I found by googling:

https://github.com/anthropics/claude-code/issues/40741 (gcc version "Red Hat 14.3" included in system version at the bottom)

https://docs.oracle.com/en/database/oracle/tuxedo/22/otxig/s...

bryanlarsenabout 2 hours ago
On the same line it says kernel version 6.12.0-124.45.1.el10_1. Which is RHEL 10. This is the kind of typo that humans make -- the hard to type numbers are accurate because they're cut and pasted, but the "easy" numbers have errors because they're not cut and pasted.
tylerni7about 1 hour ago
ugh sorry should be fixed. There was some scrambling to get more info together to explain the issue (and yes, obviously marketing), so there are some minor mistakes. Thanks for pointing it out!
rdtscabout 2 hours ago
> This is amazing. Page says it works on RHEL 14.3, which doesn’t exist. Current RHEL is 10.x, this must’ve been done in a TARDIS.

Indeed. "Distributions we directly verified: RHEL 14.3". Directly verified by me to be AI slop (the release page at least).

https://access.redhat.com/articles/red-hat-enterprise-linux-...

> Talk to our security experts

(at the bottom of the page)

I have a sneaking suspicion his first name is Claude. Don't get me wrong though, he is pretty good I hear.

tptacekabout 2 hours ago
I have no idea about this page, but Theori/Xint has a staff of veterans, they are a serious thing.
0x029 minutes ago
Dropping a public exploit on github before distros have patches available isn't very cool, or is that just how veterans roll these days?
rdtscabout 2 hours ago
The fact that they have no idea RHEL 14, probably the most well known enterprise distro, is not a thing, and yet they "directly verified on it" casts some doubt on seriousness.
hackernudes4 minutes ago
LPE = local privilege escalation

Too many darn acronyms. This one wasn't too hard to figure out from context but I wish people would define acronyms before using them!

rkeene2about 1 hour ago
Interestingly it fails for me because my `su` isn't world-readable:

  $ stat /bin/su
    File: /bin/su
    Size: 59552           Blocks: 118        IO Block: 59904  regular file
  Device: 0,52    Inode: 796854      Links: 1
  Access: (4711/-rws--x--x)  Uid: (    0/    root)   Gid: (    0/    root)
  Access: 2023-09-18 13:23:03.117105665 -0500
  Modify: 2021-02-13 05:15:56.000000000 -0600
  Change: 2023-09-18 13:23:03.119105665 -0500
   Birth: 2023-09-18 13:23:03.117105665 -0500
I'm not sure I have any setuid/setgid binaries that are world-readable...
zerocrates10 minutes ago
It being readable is the default configuration most places, after all the purpose is to call it from a non-privileged user. But I could see it being made non-readable since its use is discouraged nowadays... though then I'd expect sudo to be readable as an alternative.
rkeene2about 1 hour ago
A workaround might be to make all setuid/setgid files non-world-readable because then they cannot be opened at all, and thus there is no setuid file to replace the contents of.
embedding-shapeabout 3 hours ago
For mitigation, the page currently basically just says:

> Update your distribution's kernel package to one that includes mainline commit a664bf3d603d

But it isn't very clear to me what Kernel version you can expect that to be in. For Arch/CachyOS, the patch seems to be included in 6.18.22+, 6.19.12+ and 7.0+. If you're on any of the lower versions in the same upstream stable series, you're likely vulnerable right now. Some distro kernels may include the fix in other versions, so check for your distribution.

kroabout 2 hours ago
Major os vendors will publish pages with the fixed versions:

https://security-tracker.debian.org/tracker/CVE-2026-31431

https://ubuntu.com/security/CVE-2026-31431

Also, disabling algif_aead is suggested as mitigation

1p09gj20g8habout 2 hours ago
Where are you seeing the disabling algif_aead mitigation?
oskarkkabout 2 hours ago
In TFA: https://copy.fail/#mitigation

> Before you can patch: disable the algif_aead module.

> echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf

> rmmod algif_aead 2>/dev/null || true

Edit: and I can confirm that on my system with kernel 6.19.8 the above fixes the exploit.

nh2about 1 hour ago
On a git repo that has as remotes

    https://github.com/torvalds/linux.git
    https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git as remotes:
running a search for commit a664bf3d603d's commit message:

    git log --all --grep 'crypto: algif_aead - Revert to operating out-of-place' '--format=%H' | xargs -I '{}' git tag --contains '{}' | sort -u
outputs these tags as having the fix:

    v6.18.22
    v6.18.23
    v6.18.24
    v6.18.25
    v6.19.12
    v6.19.13
    v6.19.14
    v7.0
    v7.0.1
    v7.0.2
    v7.0-rc7
    v7.1-rc1
phreackabout 2 hours ago
The page itself seems vibecoded and a bit of an advertisement, but it does look like the vulnerability is real and high risk. It does explain the big security update I just got, guess I'll prioritize updating today.
progvalabout 2 hours ago
So this replaces a SUID binary, in order to run as PID 0. The website claims it can escape "Kubernetes / container clusters" and "CI runners & build farms" but I don't see anything supporting the claim it can escape a container (or specifically, a user namespace).

I ran the exploit in rootless Podman, and predictably it doesn't escape the container.

They also claim their script "roots every Linux distribution shipped since 2017.", but only tested four; and it doesn't work on Alpine

john_strinlaiabout 2 hours ago
>The website claims it can escape "Kubernetes / container clusters" and "CI runners & build farms" but I don't see anything supporting the claim it can escape a container

they state that the write-up is forthcoming. presumably there is some additional steps or modifications that will be detailed in the 'part 2'.

"Next: "From Pod to Host," how Copy Fail escapes every major cloud Kubernetes platform."

tjbecker37 minutes ago
This is correct. The container escape exploit and writeup is not yet released.
layer8about 2 hours ago
The 2017 claim is based on the vulnerability having been introduced in this commit in the second half of 2017: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin...

The details will depend on whether the kernel is a newer release or a maintenance version of an older release.

amusingimpala75about 2 hours ago
Their PoC does as you say, but is built upon arbitrary modification of the page cache, which could be abused for the other things
progvalabout 2 hours ago
Ah indeed, it can be used to overwrite the page cache for files on read-only volumes.
microtherionabout 1 hour ago
It also doesn't work on Raspberry Pi, though presumably it could easily be made to; it does replace the su binary, but the replacement is not executable.
unsnap_bicepsabout 1 hour ago
It's patching the binary in memory, so the binary patch would be architecture dependent. The existing one is only x86_64, but with an updated payload, it would work on arm.
rcxdudeabout 2 hours ago
If you can get to real UID 0 from a rootless container, you can escape it, but you do need to take extra steps. Same with it working on Alpine: the underlying vulnerability probably still exists, but the script might need some adjusting. It's a PoC, not a full exploit for every situation.
embedding-shapeabout 2 hours ago
Did you try it on systems that don't have the patch already? Seems many distributions already shipped kernels with the patch ~a month ago.
progvalabout 2 hours ago
Yes. Alpine in rootless Podman doesn't work (after replacing "/usr/bin/su" with "/bin/su" in the .py, running the .py just doesn't do anything) while it does in Debian in rootless Podman on the same host.
erans19 minutes ago
For agents, if you are concerned about that, block access to "su" as it is interactive anyway. Not loading it into the memory will block the attack. If you are using AgentSH (https://www.agentsh.org) you can add a rule to block "su" and soon be able to block AF_ALG sockets if you want to further protect things.
bblbabout 2 hours ago
What is "RHEL 14.3"? Was this site a one shot prompt. Quality.
Advertisement
not_your_vaseabout 3 hours ago
Is there a readable version of the exploit readily available by any chance? Gotta admit that I failed binary-zip-interpretation-with-naked-eye class twice
progvalabout 3 hours ago
The binary "zip" isn't the exploit, it's the shellcode. The exploit is the rest, which changes the code of a SUID executable (su).
stackghostabout 1 hour ago
The call to zlib basically overwrites a minimal ELF into a portion of the `su` binary, which exceve's /bin/sh.
dgellowabout 2 hours ago
That’s the most AI-written page ever made
collinmandersonabout 1 hour ago
Yes. So cringy.
pixel_popping36 minutes ago
Yet, some people will still continue to say that "AI" isn't ready to replace (or strongly assist) our workflows, sure, some of the best humans devs left a vulnerability that serious (It's extremely serious, so many container as a service are vulnerable) for 9 years and an agent found it in 1 hour, maybe it's time to wake up and accept that it's UNSAFE to not use AI for security review as well?
collinmcnulty21 minutes ago
A human security researcher found the core issue and an agent searched for where to apply it. I don’t think “an agent found it in one hour” is a fair summary of what happened.
pixel_popping14 minutes ago
I was a bit rough, agreed, but the overall point is still correct, I kinda want to emphasize that I've also ran hundred of loops recently (combination of opus-4.6/gpt-5.4/gemini-3.1-pro-preview) toward a Rust codebase that we manage and that we deemed secure after many audits and found 2 serious issues as well in it, this was also audited externally by a third party that we've paid, which makes me genuinely scared of releasing anything without deep AI verification nowadays.

Anybody has the same feeling?

layer8about 2 hours ago
Debian page: https://security-tracker.debian.org/tracker/CVE-2026-31431
smlacyabout 2 hours ago
The fetishism of "byte count" (here, as "732 byte python script") needs to stop, especially when in a context like this where they're trying to illustrate a real failure modality.

Looking at their source code [1] it starts with this simple line:

import os as g,zlib,socket as s

And already I'm perplexed. "os as g"? but we're not aliasing "zlib as z"? Clearly this is auto-generated by some kind of minimizer? Likely because zlib is called only once, and os multiple times. As a code author/reviewer, I would never write "os as g" and I would absolutely never approve review of any code that used this.

Anyway, I could go on. :) Let's just stop fetishizing byte count

[1] https://github.com/theori-io/copy-fail-CVE-2026-31431/blob/m...

rts_cts9 minutes ago
I started to take the exploit script apart and reformat it to be something readable. At about 1041 bytes it's actually readable. The heart of it also includes an encoded zlib compressed blob that's 180 bytes long ('78daab77...'). This is decompressed (zlib.decompress(d(BLOB)) to a 160 byte ELF header.
debo_about 1 hour ago
I don't see it as fetishizing byte count. I think of it as a proxy measure for how complicated or uncomplicated the exploit might be. They could just as well have said "we can do it in 3 lines of python" or "the Shannon entropy of the script implementing the exploit is really small" and I would have interpreted it similarly.

Where do you see this "fetishizing" happening most often? It's a strange thing to counter-fetishize about.

layer835 minutes ago
> I think of it as a proxy measure for how complicated or uncomplicated the exploit might be.

From a Busy Beaver, 256-bytes compo, or Dwitter perspective, 732 bytes isn’t really that meaningful.

And the sample exploit is even optimizing the byte size by using zlib compression, which doesn’t make much sense for the purpose. It just emphasizes the byte count fetishization.

infogulch19 minutes ago
While I agree that it doesn't make much sense to use a minimizer on code the reader could understand, the code-golfed byte count of a CVE repro communicates its complexity in a certain visceral way.
tptacekabout 1 hour ago
I don't get the 732-byte thing either and while I think it's a relatively punchy and unusually informative landing page for named vulnerability there are little snags like this all over it.

But the fact that it's not a kernel-exec LPE and it's reliable across kernels and distributions is important; it's close to the maximum "exploitability" you're going to see with an LPE. Which the page does communicate effectively; it just gilds the lily.

tylerni735 minutes ago
yeah... definitely a bit of a rush to get the landing page out after a long time in the disclosure process. The folks putting this all together have been working like mad (finding the bug, disclosing, working a lot on patching, writing up POCs and verifying exploitability in different scenarios) and stayed up really late to finish up the landing page, which led to a lot of minor issues.

But the bug is real and people should patch :)

For the size: sometimes people will shove in kilobytes of offset tables or something into an exploit, so it'll fingerprint and then look up details to work. This is much smaller because it doesn't need any of that, which is important for severity. (I agree the "golf" nature is a bit of an aside, kind of like pwn2own exploits taking "10 seconds")

embedding-shapeabout 2 hours ago
> I would absolutely never approve review of any code that used this.

How often do you review, and subsequently block the release, of PoCs in this sort of context? Sounds like you've faced this a lot.

I always thought code quality mattered less in those, as long as you communicate the intent.

Xirdusabout 1 hour ago
If you have a choice between posting minimized exploit code, and posting regular exploit code, posting minimized code is virtually always the wrong choice.

If you have a choice between pointing out the byte size of the exploit, and not pointing out the byte size of the exploit, pointing it out is virtually always the wrong choice.

In both cases, doing the right thing is less work. So somebody is going the extra way to ensure they are doing it wrong. If they didn't care, they'd end up doing it right by default.

nvme0n1p117 minutes ago
> as long as you communicate the intent

How does "import os as g" communicate the intent? How does hiding the payload behind zlib communicate the intent? This is the opposite: obfuscating the intent, so they can brag about 732 bytes instead of 846 bytes (or whatever it might have been).

It would have been less work for everyone involved to just release the unminified source.

opelloabout 1 hour ago
While not formally reviewing code like this, I read a lot of it for fun. When it's clear and understandable, it's more educational and enjoyable. If the PoC code can also serve as a means of communication, that seems like an extra win.
tensegrist23 minutes ago
llms love that though

"The honest solution: a clean 50-line cut" and so on, ad nauseam

refulgentisabout 2 hours ago
It's just lazy AI* writing w/0 editing.

"Just" is doing a lot of work there, I'm so annoyed reading it.

It's like an anti-ad and they had pretty cool material to work with.

* Claude loves stacatto "Some numeric figure. Something else. Intensifier" (ex. the "exploitable for a decade." or whatever sentences)

bonziniabout 1 hour ago
Completely without editing, to the point of hallucinating a RHEL version (14.3) that doesn't exist.
tjbecker41 minutes ago
I recommend reading the technical writeup https://xint.io/blog/copy-fail-linux-distributions
ok123456about 1 hour ago
This is pretty legible compared to the 90s C rootshell.org exploits.
fragmedeabout 1 hour ago
> Anyway, I could go on.

Then go on. zlib is only used once, so "zlib as z" in exchange for using z once doesn't get you anything. Using os directly and not renaming it g saves you 2 bytes though. But in this age where AI outputs reams of code at the drop of a hat, why shouldn't we enjoy how small you can get it to pop a root shell?

https://gist.github.com/fragmede/4fb38fb822359b8f5914127c2fe...

edit: If we drop offset_src=0 and just pass in 0 positionally, it comes down to 720.

Banditoz24 minutes ago
>...why shouldn't we enjoy how small you can get it to pop a root shell?

Because I want to know what the exploit is doing and how it works, and if it's even safe to run.

A privesc PoC is NOT the place for this kind of fun.

akdev1l21 minutes ago
Agreed lmao the PoC itself looks like you’re getting attacked

Which I guess is true but I would like to verify the attack is the intended one

john_strinlaiabout 2 hours ago
>As a code author/reviewer, I would never write "os as g" and I would absolutely never approve review of any code that used this.

lucky for them, its an exploit script, not enterprise code.

all that needs to be "reviewed" is whether or not it exploits the thing its supposed to.

edit: yall really think a 10-line proof of concept script needs to undergo a code review? wild. i shouldnt be surprised that the top comment on a cool LPE exploit is complaining about variable naming

StableAlkyne29 minutes ago
It's just sloppy. Readers are human, and little mistakes like this take away from the article. Then you add a nonexistent RHEL version, and it just isn't a good look. Which is a shame, because it's otherwise a very interesting vuln.

Maybe you didn't care, but the length of this comment chain clearly shows that it matters. Effective communication is just as important as the engineering.

john_strinlai22 minutes ago
agreed regarding the RHEL version!

i just dont understand huffing and puffing over "os as g" in a 10-line poc script, and saying "well i would never approve this". its not enterprise code. its not code that will ever be used anywhere else, for anything. its sole purpose is to prove that the exploit is real, which it does!

the rest of the information is in the actual vulnerability report. the poc is a courtesy to the reportee, so that they can confirm that the report itself isnt bullshit.

evidently, given the downvotes i am getting, people think exploit scripts should be enterprise quality code. ¯\_(ツ)_/¯ half of the reports i see flowing through mailing lists dont even have a poc.

amazingly HN-like to be upset about a variable name

Xirdusabout 1 hour ago
I'd imagine that at minimum, the team in charge of patching the vulnerability would need to review how the exploit works.
john_strinlaiabout 1 hour ago
id imagine that they received more than just the poc in the report they received
rany_about 2 hours ago
Could this be used to root Android devices? Does Android ship with algif_aead?
alufers26 minutes ago
I rewrote it quickly to C [1] (and changed the embedded binary to be aarch64).

Unfortunately it fails on calling bind() on my device, so probalby Android doesn't ship with that kenrel module by default :(. So no freedom for my $40 phone.

Putting it out here, maybe somebody else will have better luck.

[1] https://gist.github.com/alufers/921cd6c4b606c5014d6cc61eefb0...

tripdoutabout 2 hours ago
There’s SELinux, everything is mounted nosuid, barely anything runs as root except init. I doubt it.
notpushkinabout 2 hours ago
I’ve poked around on my phone and it didn’t work:

    File "/data/data/com.termux/files/home/a.py", line 5, in c
      a=s.socket(38,5,0); # ...
    File "/data/data/com.termux/files/usr/lib/python3.13/socket.py", line 233, in __init__
      _socket.socket.__init__(self, family, type, proto, fileno)
      ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  PermissionError: [Errno 13] Permission denied
int0x29about 2 hours ago
I got line 5 to run and failed on line 8 due to lack of su. I'd need to find a user accessible setuid binary for it to work.

Traceback (most recent call last): File "/data/data/com.termux/files/home/exploit.py", line 8, in <module> f=g.open("/usr/bin/su",0);i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3")) ^^^^^^^^^^^^^^^^^^^^^^^ FileNotFoundError: [Errno 2] No such file or directory: '/usr/bin/su'

notpushkinabout 2 hours ago
Try /system/bin/ping
zb3about 2 hours ago
Android is smarter than setuid + system partitions aren't writable.
firerabout 2 hours ago
System partitions being non-writable has nothing to do with the vulnerability - it allows modifying the cache of any file that you can open for reading.

Not using setuid anywhere means you'd have to build a slightly more clever exploit, but it's still trivial - just modify some binary you know will run as root "soon".

But... I didn't check, but IIRC the untrusted_app secontext that apps run in is not allowed to open AF_ALG sockets - so you can't directly trigger the vulnerability as a malicious app. Although it might be possible in some roundabout way (requesting some more privileged crypto service to do so).

int0x29about 2 hours ago
Edit: Ignore this I overlooked calling order. It is indeed blocked

~~My allegedly fully patched pixel 8 pro allowed an AF_ALG socket to open under termux without virtualization so I'm not sure the last but is true~~

zb3about 1 hour ago
Ah, I blindly assumed such memory would be mapped readonly...
int0x29about 2 hours ago
Its not writing to the partition though is it? It is polluting the cache page via a write with a buffer overrun in the kernel. I don't think buffer overruns follow permissions.
zb3about 1 hour ago
I assumed such memory would be mapped readonly (PROT_READ), without actually looking into it..
skilledabout 3 hours ago
This looks like an extraordinary find at first glance.

Does this mean you can go from a basic web shell from a shared hosting account to root? I can see how that could wreak havoc really quickly.

barbegalabout 2 hours ago
Yes I would imagine lots of those type of services would be vulnerable if they hadn't updated to the latest kernel versions.
stackghostabout 2 hours ago
As of this comment, Debian Stable ("Trixie", though I hate codenames) doesn't have a fix in place and remains vulnerable, or at least their CVE tracker shows it as such:

https://security-tracker.debian.org/tracker/CVE-2026-31431

bananamogulabout 2 hours ago
"Debian Stable ("Trixie", though I hate codenames)"

You can also call it Debian 13.

corvadabout 3 hours ago
If this is verified, this is a very big deal. Root access on any shared computer. Additionally do we know what kernel versions and stable versions have the patch?
Tuna-Fishabout 2 hours ago
I just tested on my home server running ubuntu 24.04 LTS with newest kernel from repositories, got root.
Avamanderabout 1 hour ago
Can Livepatch mitigate this or is it already? I don't know where to look this up.
Tuna-Fish18 minutes ago
I used the mitigation from this CVE report to turn off AF_ALG.
tjbecker36 minutes ago
For this crowd, I highly suggest checking out the technical writeup

https://xint.io/blog/copy-fail-linux-distributions

Lorinabout 3 hours ago
What is the rationale behind naming CVEs and individual domains? Marketing?
diathabout 2 hours ago
It's an advertisement for their tool that found the exploit: https://copy.fail/#contact, https://xint.io/products/xint-code
evanjrowleyabout 3 hours ago
The AI generated prose screams marketing. Marketing is why there's a "Contact our Security Team" form at the bottom of the page.
john_strinlaiabout 3 hours ago
can you remember what CVE-2021-44228 is without looking it up? CVE-2014-6271? CVE-2017-5753?

i bet if i told you their names, you would instantly know what vulns those are.

its easier to talk about things with names. it hurts no one. it takes approximately no effort or time.

CVEs are, for whatever reason, like the only thing on the planet that people seem to have a problem with when they receive a name. i am not sure why.

QuantumNomad_about 2 hours ago
> CVEs are, for whatever reason, like the only thing on the planet that people seem to have a problem with when they receive a name. i am not sure why.

What, you guys talk about books based on their “title” instead of just memorising the ISBN of each book? Pssh, count me disappointed!

john_strinlaiabout 2 hours ago
after work i have to stop at Y87794H0US1R65VBXU25 for some groceries.
skilledabout 3 hours ago
Probably to some extent it is marketing, but generally it has to do with significant bug finds to get the message out to the people who need to apply patches and/or be informed. Heartbleed, Log4Shell, etc.

Very few CVE’s get names dedicated to them like this, because usually when they do - it is very serious, as in this case.

tptacekabout 2 hours ago
It's certainly marketing, but it's prosocial: there's no scarcity of names, and "copy.fail" is much easier to remember and talk about than "CVE-2026-31431".
eddythompson80about 2 hours ago
Giving catchy names for bad exploits has been a thing for a while. Probably to make sure it's easy to reference and make sure you're patches as opposed to passing numbers around. Heartbleed, Shellshock, BEAST, Goto Fail, etc
dgellowabout 2 hours ago
Yes, originally it was to help spread awareness. Now it has become more of a gimmick I would say
ronsorabout 3 hours ago
It makes sure people don't forget about the vulnerabilities, at least
Fuzzbitabout 3 hours ago
Same reason they name storms, numbers scare normies
Advertisement
aniouabout 1 hour ago
Looks like a LLM hallucination - there is no thing like "RHEL 14.3", although referenced kernel signature (6.12.0-124.45.1.el10_1) contains reference to real RHEL release, i.e. 10.1.
deep2secureabout 1 hour ago
I checked it. Very nice efforts made to create it
chasilabout 2 hours ago
On the downside, I need to push new kernels to all my servers.

On this bright side, does this mean Magisk is coming to all unpatched Android phones?

akdev1l35 minutes ago
No, Android doesn’t have suid binaries to exploit like in the PoC
porridgeraisinabout 3 hours ago
Better explanation of the write up (still from original exploit author) : https://xint.io/blog/copy-fail-linux-distributions
w2seraphabout 2 hours ago
holy smokes it just rooted my just installed from ISO Ubuntu server
TehCorwizabout 2 hours ago
It does not behave as described on EndeavorOS (arch-based) running kernel 6.19.14-arch1-1. I receive the error:

Password: su: Authentication token manipulation error

I'm guessing this means it's already patched?

john_strinlaiabout 2 hours ago
yes, it was reported on march 23rd, patches on april 1.

you are reading about it now because it has been patched.

marshrayabout 2 hours ago
No it hasn't.

Ubuntu before 26.04 LTS (released a week ago) are currently listed as vulnerable.

Debian other than forky and sid are currently listed as vulnerable.

This is a disgrace.

john_strinlaiabout 2 hours ago
Disclosure timeline

    2026-03-23Reported to Linux kernel security team
    2026-03-24Initial acknowledgment
    2026-03-25Patches proposed and reviewed
    2026-04-01Patch committed to mainline
    2026-04-22CVE-2026-31431 assigned
    2026-04-29Public disclosure (https://copy.fail/)
kernel 6.19.14-arch1-1, the kernel in question from the parent comment, has been patched.
dimastopelabout 2 hours ago
same result on my arch machine as well.
Ekarosabout 3 hours ago
So this could be usable in lot of places with Python and Linux running? Not that I have too many Linux devices around. Still, might be handy sometimes on personal devices.
kroabout 2 hours ago
This can likely be shipped as binary code without dependencies like python, as the bug is in the kernel.
SteveNutsabout 2 hours ago
There's nothing specific about this related to Python, that's just demonstrating how it works.

This is usable anywhere on an affected Kernel version

krunckabout 1 hour ago
Wow. I tried it on an old testing VM of Ubuntu 24.04 that had not been touched for a few months. Instant root with the bonus that any user that runs "su" gets root too. I updated the VM thinking it would be fixed afterward. Nope.
akdev1l34 minutes ago
You’d have to reinstall the su binary itself I guess
cyberpunk9 minutes ago
It just changes the page cache for the su binary, a reboot will revert it.
DetroitThrowabout 2 hours ago
Despite the copy/images being weird about RHEL 14.3, this seems to work. Wow?
themafiaabout 2 hours ago
> If your kernel was built between 2017 and the patch

This is why I compile my own kernel. I disable things I don't use. If it's not present it can't hurt you.

> block AF_ALG socket creation via seccomp regardless of patch state.

Likewise I use seccomp to only allow syscalls that are necessary. Everything else is disabled. In the programs I have that need to connect to a backend socket, that is done, and then socket creation is disabled.

Advertisement
dist-epochabout 1 hour ago
> Will you release the full PoC?

> Yes — it's on this page. We held it for a month while distros prepared patches; the major builds are out as of this writing.

There is no update available for Ubuntu 24, PoC works and just tried updating.

charcircuitabout 2 hours ago
SUID binaries once again assisted a local privilege escalation attack. This is a major problem that distros can't keep ignoring.
baggy_troughabout 3 hours ago
Is this fixed in any stable release kernel yet?
Wingyabout 2 hours ago
7.0-rc1 has a tag with it:

    % git describe a664bf3d603d
    v7.0-rc1-10-ga664bf3d603d
I suspect this means the stable 7.0 has it too.
maxtacoabout 2 hours ago
Use extreme caution running arbitrary code on your machines, especially obfuscated code that tickles kernel bugs! (edited)
stackghostabout 2 hours ago
Analysis of the POC concurs with my tests that confirm that the portion of `su` that gets overwritten does not survive a reboot.
wang_li22 minutes ago
it's living in your page cache, not on your disk. flush the caches and it'll disappear.
charcircuitabout 2 hours ago
The page explicitly describes that it is stealthy as it does not make permanent changes, only corrupting the binary in memory.