TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

54% Positive

Analyzed from 1451 words in the discussion.

Trending Topics

#https#com#security#rust#linux#llm#code#already#cves#find

Discussion (88 Comments)Read Original on HackerNews

somebudyelseabout 1 hour ago
Let's see... That's 4 Linux LPEs in the last 10 days?

Copy Fail [1]

Copy Fail 2: Electric Boogaloo [2]

Dirty Frag [3]

And now this...

[1]: https://copy.fail

[2]: https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boo...

[3]: https://github.com/V4bel/dirtyfrag

FriedFishesabout 6 hours ago
I can't quite make out if this is new or not. The attack vector here seems congruent with a similar exploit from a couple months ago [1]

But still might be an open threat. On the email thread Jens seems to think that this is already patched and in stable, he also points out that for this exploit to work (as written in the article) you already need escalated privileges [2] Catchy title though.

[1] https://snailsploit.com/security-research/general/io-uring-z...

[2] https://seclists.org/oss-sec/2026/q2/448

pamcakeabout 3 hours ago
This kind of post really shouldn't require client-side js — from third-party domain — to read...

static markdown version: https://raw.githubusercontent.com/ze3tar/ze3tar.github.io/9d...

javascripthaterabout 2 hours ago
big ups pimp
rishabhaioverabout 6 hours ago
What is happening? I see multiple outages and CVEs is being reported on HN's front page. I've never seen these many security/incident related posts on HN's front page.
spindump8930about 6 hours ago
Some combination of reporting bias given concerns about LLM security capabilities and actual new vulnerabilities found with LLM assistance. Even if exploits and outages are unrelated to LLMs, I'm certainly thinking about whether claude could build these things (or if actors already have).
NitpickLawyerabout 6 hours ago
> What is happening?

Slowly at first, and then suddenly. AI assisted anything follows this trend. As capabilities improve, new avenues become "good enough" to automate. Today is security.

elijaabout 1 hour ago
In some sense, I wonder if non-open-source is "safer" since LLMs can't mass scan the code for exploits.
john_strinlaiabout 6 hours ago
i believe a good portion of the cves hitting the front page are moreso because they are ai-related (found partially/in whole by ai) and make for quick upvotes.
majorchordabout 6 hours ago
AI is happening.
cachiusabout 6 hours ago
In each recent case?
gordonhartabout 6 hours ago
AI assistance was explicitly disclosed on yesterday's. Today's has Claude as one of two contributors on this GitHub Pages site at least so it's also very likely.

Agents are capable of finding this kind of stuff now and people are having a field day using them to find high-profile CVEs for fun or profit.

sva_about 2 hours ago
A mix of AI and hybrid warfare.
gilrainabout 6 hours ago
Automated vulnerability discovery via LLM.
ryandrakeabout 4 hours ago
Anyone care to share which models and which prompts actually lead to finding these kinds of vulnerabilities? Or the narrowing-down workflow that can get an LLM to discover them? Surely just telling claude "Find all vulnerabilities in this project LOL" isn't enough? I hope?
Arcuruabout 3 hours ago
The Anthropic researchers have said their flow is as simple as:

1. Pick a file to seed as a starting place.

2. Ask the LLM (in an agent harness) to find a vulnerability by starting there.

3. If it claims to have found something, ask another one to create an exploit/verify it/prove it or whatever.

4. If both conclude there is a vuln, then with the latest models you almost certainly found something real.

Just run it against every file in a repo, or select a subset, or have an LLM select files with a simple "what X files look likely to have vulns?".

So basically yes, it is that simple. It's just a matter of having the money to pay for the tokens.

pixl97about 5 hours ago
Everyone was talking about how Mythos was overblown marketing, and while it may be, they missed the forest for the trees. Capabilities have been escalating for a year now and we're at the point of widespread impact. I don't suspect we'll see a slowdown for a long time.
themafiaabout 3 hours ago
Perhaps it was the prior quiescent period that was the anomaly.
stonegrayabout 6 hours ago
> “and is writable with CAP_SYS_ADMIN”

Am I reading this wrong or is this just a way of executing an arbitrary binary with uid=0 if you have both CAP_NET_ADMIN and CAP_SYS_ADMIN?

If you can write modprobe_path, is it really news that you can find a way to execute code?

PlasmaPowerabout 5 hours ago
No, you can grant yourself this inside an unprivileged user namespace. `unshare -Ur capsh --print` lists the capabilities inside a user namespace and demonstrates that it has both CAP_SYS_ADMIN and CAP_NET_ADMIN.

Almost all distros allow unprivileged user namespaces, and in my opinion this is the right decision, because they're important for browser sandboxing which I think is more important than LPEs.

delusionalabout 4 hours ago
I don't think namepsace CAP_SYS_ADMIM grants you access to write non namespaces sysctls like modprobe_path
PlasmaPowerabout 2 hours ago
You're probably right, but that seems like the less important part of this. At that point you've already got an out-of-bounds write. Another comment speculated that you could use PageJack as an alternative exploit path once you have that primitive: https://news.ycombinator.com/item?id=48069623
pizzalifeabout 6 hours ago
Right. `CAP_SYS_ADMIN` is for all intents and purposes equivalent to root.
kroabout 6 hours ago
CAP_NET/SYS_ADMIN is required for this. So this would be "not as bad" as the others.
kamabout 4 hours ago
Also "The page pool is only created on a real ZCRX-capable NIC (mlx5 ConnectX-6+, Intel E800, NFP)"
t0mas88about 5 hours ago
It could work for container escape?
staticassertionabout 7 hours ago
io-uring is a security nightmare. Constant privescs and a powerful primitive for syscall smuggling. Worth considering disabling it outright (already the case for most containers afaik).
otterleyabout 6 hours ago
At one point, Google disabled io_uring on its production servers (https://security.googleblog.com/2023/06/learnings-from-kctf-...) - I don't know whether this is still true, though. Perhaps a Google can confirm.
vsgherziabout 5 hours ago
super curious on this one as well, last I heard they've been enabling it slowly
dundariousabout 3 hours ago
How many systems have the relevant NICs, and followed the non-automatic setup steps in https://docs.kernel.org/networking/iou-zcrx.html, and are not running within a VM/container disabling io_uring?

This seems on the low impact end of the numerous historical io_uring issues.

Interesting and important all the same.

shordenabout 4 hours ago
Interesting, I haven't tested this myself but intuitively I think that a 4 byte OOB write is plenty for a data-only attack like [PageJack](https://i.blackhat.com/BH-US-24/Presentations/US24-Qian-Page...), so I don't think hardening against the KASLR leaks discussed in OP would necessarily save you from this attack.
csmantleabout 3 hours ago
I first read this from the author's posting to oss-security. Turns out that the author did agree to revise the blog post for the "admin cap for root shell" part [^0]. [^1] would probably tell more.

The title looks like clickbait to me.

[^0]: https://www.openwall.com/lists/oss-security/2026/05/08/10

[^1]: https://www.openwall.com/lists/oss-security/2026/05/08/14

saghmabout 5 hours ago
[flagged]
musicaleabout 4 hours ago
> "No way to prevent this", Says Only Language Where This Regularly Happens

   clang -fbounds-safety ...
also see lib0xc etc.: https://news.ycombinator.com/item?id=47978834
dataflowabout 2 hours ago
NOTE: This is a design document and the feature is not available for users yet.

https://clang.llvm.org/docs/BoundsSafety.html

dvtabout 5 hours ago
Obviously the way to prevent this is by bounds checking, which is literally in the `770594e` patch. It's just a bug and they happen routinely in all languages. Since this is doing pointer arithmetic, it could just as easily happen in unsafe Rust, for example.
gpmabout 5 hours ago
Like they said, "no way to prevent this" (kind of bug from happening again).
mikestorrentabout 5 hours ago
Static analysis and other tools can find this, but they're expensive; wonder what the kernel team has access to?
elliehabout 4 hours ago
sure, but with unsafe Rust you have a very clear marking for the section of code that requires additional care and attention. it is also customary to include a "SAFETY" comment outlining why using unsafe is OK here
dvtabout 4 hours ago
You actually kind of don't, I use like a zillion crates which have unsafe Rust in them and it's not like I'm sitting here reading every single line of their code. I like Rust for various reasons, but its memory safety is (imo) overstated, especially when doing low-level stuff.
amlutoabout 4 hours ago
But one would have to explicitly choose to use unsafe Rust for this instead of ordinary safe Rust. And safe Rust has no particular difficulty writing to slots in an array or slice or vector specified by their index.
skulloneabout 4 hours ago
except nearly everyone uses unsafe rust
Rygianabout 4 hours ago
That's not prevention. That's remediation.
slopinthebagabout 1 hour ago
Surely nobody could create a better language in 50 years. Surely we can't fix these issues.
themafiaabout 3 hours ago
And you see a lot of other languages being used to create operating systems with complicated multiprocessor and locking semantics?
Advertisement
JoeDohnabout 2 hours ago
So this is another CVE? Or am I misreading this one? "Copy‑fail", "DirtyFrag", now "IUrinegOnYou :)"?

Joke aside, we'll see more CVEs in the coming months, and in a sense that's good: it leaves less maneuvering room for bad actors (especially those selling them to the highest bidder).

ctothabout 3 hours ago
If this many are public right now, what does that say about the dark matter of private ones? What's the typical public-private rate for this sort of thing/can someone help me calibrate my base rate expectations?
SubiculumCodeabout 5 hours ago
Do most servers need this? Or can most of us 'sysctl -w kernel.io_uring_disabled=2 ' ?
himata4113about 2 hours ago
high privilege access required (CAP/NET admin), containers / sandboxing wins once again.

Can we make sandboxing the new default now? Flatpak does a good job, but we're still pretty far away for apt/yum/pacman installed packages. AppArmor was a decent step forward, but clearly not enough.

baqabout 6 hours ago
What’s our prior for p(doom) today…?
rvzabout 7 hours ago
Another one.

Linux is falling apart faster than it can assign these CVEs.

hn92726819about 6 hours ago
Falling apart? You mean getting stronger? Every single one of these is an existing hole being patched. It isn't making new holes
Gigachadabout 3 hours ago
Government agencies probably already have half of these exploits in their private toolbox for years now. Finding and patching them is good, but there probably needs to be some systematic change to prevent them rather than just patching bugs when they get found.
gordonhartabout 6 hours ago
Linux is "falling apart" because it's the highest-profile open source project people can point LLM agents at to find CVEs. It'll come out the other end of this hardened by all of the attention it's getting, but the next few months/years will be... bumpy.
maven29about 6 hours ago
perhaps this will lead to better AppArmor and SELinux defaults?
ChocolateGodabout 6 hours ago
People will just turn SELinux off rather than have to go through the horrible tooling when it breaks a regular use case.
yjftsjthsd-habout 6 hours ago
I do think SELinux is a good example of how robust software with poor UX/DX gets undermined by that poor UX/DX. Although I do wonder if AI can help with it?
EGregabout 6 hours ago
How's BSD doing? How about Amazon Linux?
yjftsjthsd-habout 6 hours ago
Amazon Linux is a Linux distro? Though, yes, I would like to know how the BSDs are doing.
otterleyabout 6 hours ago
Yes, it's a fork of Fedora. https://docs.aws.amazon.com/linux/al2023/ug/what-is-amazon-l...
toast0about 6 hours ago
FreeBSD is getting piles of security updates lately too. Not sure about the other BSDs.
cachiusabout 6 hours ago
And Windows?
mschuster91about 6 hours ago
Pray to God no one ever lets an AI agent run loose on the various leaked Windows source code dumps.

Given Windows' absurd amount of backwards compatibility, chances are pretty high that there are a lot of sleeping dragons buried inside even modern Windows 10/11 kernel and userland that date back to code and issues from the 90s - code where half the people who have worked on it probably not just have departed Microsoft but departed living in the meantime.