Microsoft Issues Warning About Linux 'Copy Fail' Vulnerability (linux-magazine.com)
joshuark shares a report from Linux Magazine: Microsoft has issued a warning that a vulnerability with a CVSS score of 7.8 has been found in the Linux kernel. The vulnerability in question is tagged CVE-2026-31431 and, according to the Cybersecurity and Infrastructure Security Agency (CISA), "This Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise."
The distributions affected are Ubuntu, Red Hat, SUSE, Debian, Fedora, Arch Linux, and Amazon Linux. This could also affect any distribution based on those in the list, which means pretty much every Linux distro that isn't independent. The flaw is found in the Linux kernel cryptographic subsystem's algif_aead module of AF_ALG. The problem is that a particular optimization has led to the kernel reusing the source memory as the destination during cryptographic operations. What this means is that attackers can take advantage of interactions between the AF_ALG socket interface and a splice() system call. Until patches are released, Microsoft is advising that the affected crypto feature should be disabled, or AF_ALG socket creation should be blocked. The vulnerability is also known as "Copy Fail," which has been shared on Slashdot and detailed in a technical report. The vulnerability affects almost every version of the Linux OS and is now being exploited in the wild. U.S. cybersecurity agency CISA has ordered all civilian federal agencies to patch any affected systems by May 15.
Re:Friendly reminder (Score:4, Informative)
First, the report is a few days late....
Second, the /etc/modprobe.d mitigation DOES NOT WORK on Red Hat Enterprise Linux. The affected module is compiled into the kernel, and must be disabled using kernel boot parameters.
implement: grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
reboot required
verify: cat /proc/cmdline | grep initcall_blacklist
revert: grubby --update-kernel=ALL --remove-args="initcall_blacklist=algif_aead_init"
Kernel updates for RHEL 8, 9 and 10 have been released. Ubuntu hasn't released anything except kmod fixes yet.
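A verification script for the two mitigations discussed in the comment above (the modprobe.d rule for a loadable algif_aead, the initcall_blacklist= boot parameter for a kernel that has it compiled in), added here as an example and not code from the thread, from Microsoft or from Red Hat. It reads modules.builtin to decide which case applies, then reports whether the matching mitigation is present. The file paths, the "install algif_aead /bin/false" form of the modprobe.d rule, and the sample inputs used in the test are assumptions of this example.

```shell
#!/bin/sh
# Added example: check which algif_aead mitigation applies to this kernel and
# whether it is in place. The check functions take file contents as arguments
# so the logic can be exercised on constructed input; the last section runs
# them against the live host.

# How algif_aead is built: "builtin" if modules.builtin lists it (a modprobe.d
# rule cannot stop a built-in module), otherwise "module".
# $1 = contents of /lib/modules/$(uname -r)/modules.builtin
algif_aead_build_type() {
    case "$1" in
        *crypto/algif_aead.ko*) echo builtin ;;
        *)                      echo module ;;
    esac
}

# "yes" if the kernel command line blacklists the algif_aead initcall.
# initcall_blacklist= takes a comma-separated list, so the name may sit
# anywhere inside that list.
# $1 = contents of /proc/cmdline
cmdline_blacklists_algif_aead() {
    for word in $1; do
        case "$word" in
            initcall_blacklist=*)
                list=${word#initcall_blacklist=}
                case ",$list," in
                    *,algif_aead_init,*) echo yes; return 0 ;;
                esac ;;
        esac
    done
    echo no
}

# "yes" if a modprobe.d fragment blocks the loadable module. Accepts
# "install algif_aead /bin/false" (or /bin/true), which also defeats an
# explicit modprobe, and the weaker "blacklist algif_aead", which only stops
# alias-based autoloading.
# $1 = concatenated contents of /etc/modprobe.d/*.conf
modprobe_blocks_algif_aead() {
    if printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*(install[[:space:]]+algif_aead[[:space:]]+/bin/(false|true)|blacklist[[:space:]]+algif_aead)([[:space:]]|$)'; then
        echo yes
    else
        echo no
    fi
}

# Overall verdict: "mitigated" or "not-mitigated". A built-in module is only
# covered by the boot parameter; a loadable module is covered by either route.
# $1 = modules.builtin, $2 = /proc/cmdline, $3 = modprobe.d contents
algif_aead_mitigation_status() {
    if [ "$(algif_aead_build_type "$1")" = builtin ]; then
        if [ "$(cmdline_blacklists_algif_aead "$2")" = yes ]; then
            echo mitigated
        else
            echo not-mitigated
        fi
    elif [ "$(cmdline_blacklists_algif_aead "$2")" = yes ] ||
         [ "$(modprobe_blocks_algif_aead "$3")" = yes ]; then
        echo mitigated
    else
        echo not-mitigated
    fi
}

# Live check against the host (paths are assumptions; missing files are
# treated as empty so the script also runs on a minimal system).
if [ -r /proc/cmdline ]; then
    builtin_list=$(cat "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null || true)
    cmdline=$(cat /proc/cmdline || true)
    modprobe_conf=$(cat /etc/modprobe.d/*.conf 2>/dev/null || true)
    echo "algif_aead build type: $(algif_aead_build_type "$builtin_list")"
    echo "mitigation status:     $(algif_aead_mitigation_status "$builtin_list" "$cmdline" "$modprobe_conf")"
fi
```

A "not-mitigated" result on a kernel that already carries the vendor fix is expected; the script only answers whether the interim workaround is active, and the patched kernel is the real fix, as the Microsoft article itself advises.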
Re: (Score:2)
Why?
Re: Friendly reminder (Score:2)
Re: (Score:1)
No. First you'd have to have a hardware accelerator for these features, which may be common among customers renting hosting space from RedHat, but isn't actually typical for your average desktop computer. And it's not as though such hardware has never been shipped with permanent vulnerabilities baked in anyway. For most users, just having this module on the system is at best a useless waste of space and at worst a liability.
Re: Friendly reminder (Score:2)
Hm? Wasn't AES-NI introduced in Sandy Bridge?
Re: (Score:2)
My uptime, on the machine I'm posting from, is nearing a year, and this module has never been loaded. So, no, 100% of users apparently don't need this, at all.
Re: (Score:2)
Re: (Score:2)
Because this vulnerability impacts a large swath of Linux devices, it is strongly recommended to do the following:
Shocked, a late security announcement from MS (Score:1)
First, the report is a few days late....
I am shocked that a security announcement from MS is late. :-)
Re: (Score:2)
The Microsoft article was posted on May 1st [archive.org] and links to the Red Hat article (for which the solution is behind their paywall). And directs people to apply the vendor's patches or guidance if possible instead of manual settings changes.
Re: Friendly reminder (Score:2)
While you're at it, you also need to block installing esp4, esp6, and rxrpc, for, y'know, reasons.
What gives? (Score:3)
This is literally the third /. mention of this in a very short period of time, nevermind the fact that it's been broadcast literally everywhere and is the biggest security vuln found since sliced bread (or heartbleed). It's been fixed and available for "ages" now on every major distro.
Re: (Score:3)
This is literally the third /. mention of this in a very short period of time, nevermind the fact that it's been broadcast literally everywhere and is the biggest security vuln found since sliced bread (or heartbleed). It's been fixed and available for "ages" now on every major distro.
One would almost begin to suspect that there is a vested interest in making Linux appear to be far more vulnerable than the "alternatives" to Linux.
Re: (Score:3)
Not for ages. Less than a week. For many, that's not time enough to get the patch.
OTOH, it's a local vulnerability, so many systems aren't affected. I've got one that hasn't been hooked up to the internet in well over a month, and it won't be affected until the next time it's hooked up. (I may do a reinstall before then.)
Re: (Score:2)
Also, why the fuck is it news that Microsoft is posting about it? TFS or TFA give absolutely no indication as to why.
This is just a dupe, nothing more.
Re: (Score:2)
Also, why the fuck is it news that Microsoft is posting about it? TFS or TFA give absolutely no indication as to why.
This is just a dupe, nothing more.
Because M$ is THE EXPERT on vulnerabilities.
Re: (Score:2)
our apologies, sir. would you prefer a slashvertisement instead?
Re: (Score:2)
Naughty EU (Score:1)
Pffft... (Score:4, Informative)
Old news and 3 times on Slashdot. The new kids have already moved on to Dirty Frag [github.com], a new Linux local privilege escalation vulnerability.
Re: (Score:2)
The new kids have already moved on to Dirty Frag [github.com], a new Linux local privilege escalation vulnerability.
Question is, who's the jackass that broke the embargo on this one?
Not news (Score:5, Informative)
The article doesn't even link to the Microsoft article [microsoft.com], which is on the Microsoft Defender blog. This isn't a huge surprise since that's Microsoft's security product that covers cloud servers including in Azure, AWS and GCP [microsoft.com].
So the sub-text of this being Microsoft pointing out Linux vulns is pretty silly since Microsoft makes a lot of money off of people running Linux on their cloud and on their competitors' kit. Outside of that, the rest of this has already been covered.
Just wait until they discover dirty frag (Score:1)
https://dirtyfrag.io. Nearly the same vulnerability, different access vector.