So CopyFail CVE-2026-31431 is a thing.
-
@ariadne @joshbressers @gregkh @wdormann @Viss @andrewnez @Di4na If only we had some sort of... "Open Source" Vulnerability Database.. as a clearing house. Some sort of non-profit org could maintain it probably
someone should get on that
-waits for attacks from angry squirrels-
@ra6bit @ariadne @joshbressers @gregkh @wdormann @Viss @andrewnez @Di4na And then we could have spectacular arguments about what to assign those vulnerabilities where finders argue for maxing out everything even when the vuln is unreachable in practice. (*screaming from the curl maintainers in the distance*)
-
@siddhesh_p @gregkh @wdormann @Viss
Every project is really its own ecosystem
I think glibc does a really good job with CVEs
But I suspect if you go from 12 a year to 12 a month your process will have to change
It's possible you would adopt the "give it a CVE and move on" approach, or because there is so much attention from the distros you could get some extra help to deal with the volume
@joshbressers @gregkh @wdormann @Viss I'm not so sure, I just think there's a vast enough distance between the Linux kernel experience and pretty much any other project when it comes to security handling: volume, nature of reports, density of known exploitable issues. etc. that there aren't really any reasonable parallels to be drawn. I wouldn't think of throwing security policies, CVE evaluation or coordinated disclosure out because the kernel can't find a way to do it in a way that they like.
-
@joshbressers @gregkh @wdormann @Viss I'm not so sure, I just think there's a vast enough distance between the Linux kernel experience and pretty much any other project when it comes to security handling: volume, nature of reports, density of known exploitable issues. etc. that there aren't really any reasonable parallels to be drawn. I wouldn't think of throwing security policies, CVE evaluation or coordinated disclosure out because the kernel can't find a way to do it in a way that they like.
@joshbressers @gregkh @wdormann @Viss and $0.02, security policies are pretty much our first line of defence for security issues for the GNU toolchain, where we try to identify clearly what constitutes a security issues. It also makes it clear to users how to use the tools and API securely. I don't think there's a reasonable equivalent for that for the kernel. One could try, but given that it's a privileged program that's involved in everything, it would be a largely pointless effort.
-
@joshbressers @gregkh @wdormann @Viss and $0.02, security policies are pretty much our first line of defence for security issues for the GNU toolchain, where we try to identify clearly what constitutes a security issues. It also makes it clear to users how to use the tools and API securely. I don't think there's a reasonable equivalent for that for the kernel. One could try, but given that it's a privileged program that's involved in everything, it would be a largely pointless effort.
@joshbressers @gregkh @wdormann @Viss but I'd love to see someone trying, it would be an interesting grad research project I think.
-
What went wrong with this case?
Theori appear to have only contacted the linux kernel devs with the vulnerability, as opposed to going the usual CVD route that includes all of the major Linux distros.
Why is this a problem? Since the linux kernel became a CNA, there has been a flood of CVEs for the Linux kernel. The Linux kernel devs' arguments is that any given kernel flaw could presumably be leveraged to behave as a vulnerability, and it's not worth their time to determine "vulnerability" or "not a vulnerability". Everything gets a CVE.
Now the case with copy.fail? It was indeed reported to the kernel devs. And it got a CVE. A single CVE buried in flood of all of the Linux kernel CVEs.
And it appears that every distro on the planet was blindsided by this proven-exploitable vulnerability because they were not given any warning. Or even any suggestion to pick this single CVE out of the sea of Linux kernel CVEs as worth cherry picking.
Much to the chagrin of the Linux devs, RHEL doesn't use up-to-date Linux kernels. They cherry pick CVEs to backport to their chosen kernel version. (e.g. the latest and greates RHEL 10.1 uses 6.12.0, which was released November 17 2024). And in this world where bad actors like Theori don't involve vendors in vulnerability coordination, and just about every Linux kernel bug gets a CVE, this workflow fails. Hard.
Good times...
@wdormann but it affects only systems with local users that can run malicious code. and this is only hosters of virtual users, in general. the most systems are not the case to concern with this "vulnerability".
common users and servers that don't use virtualization for third-party clients may do just nothing about this. this is not their case. -
This post got into my head. I think you're right, the days of coordination are over
So I wrote it down
https://opensourcesecurity.io/2026/05-vulnerability-economics/Interesting take, and probably more right than wrong. I particularly like the last paragraph. One thing to keep in mind in this brave new world:
"My only real suggestion is try not to burn yourself out and be nice to each other. Everyone is going to have it rough, it’s not just you. We probably need a support group or something."
-
While this vulnerability seems to be discovered using AI ("Xint Code"), I have to assume that they also let the AI decide how to do the vulnerability coordination as well.
major builds are out as of this writing
No distros have official updates for CVE-2026-31431. Fedora 42 and newer have updates, but no official advisory or acknowledgement of CVE-2026-31431. So with them it's unclear if it's even intentional. Red Hat, Ubuntu, Amazon Linux, and Suse all have advisories as of now, but NO updates.disable the algif_aead moduleas a mitigation.
Bespoke distros like RHEL don't use a module, it's compiled into the kernel.
I can't figure out what the Xint Code angle is with this copyfail stuff. On one hand, yes, it is a true vulnerability that affects a LOT of Linux distros available. And they did submit the bug for fixing to the upstream kernel people.
BUT the CVE has only existed for a week. And NONE of the distros IN THEIR ADVISORY had updates available at the time that they pulled the trigger for publication of the shiny copy.fail website.
I struggle to think of how this even happens. In all my years of infosec, you're either on board with doing CVD (e.g. coordinating with the former CERT/CC) or you're not (dropping 0day). But this all fits bizarrely in the middle. The publication gives the guise that they did the right thing, (and please use our AI services). But at the same time, they clearly chose to release the vulnerability details and functional exploit before any distro had the ability to properly do anything about it.
Either these Xint Code (Theori) people have a hidden agenda or ulterior motive that we aren't aware of yet. Or they're just really bad at coordinated vulnerability disclosure. You pick.
@wdormann can confirm. in alpine we had to figure out which stable kernels already had a backport. the disclosure was not well executed.
-
@wdormann sorry this is off topic, but this is the first time i've ever seen anyone using the stock xfce layout
Most likely just a tiny pre-configured base Debian and RHEL images, with the smallest desktop environment available. Used to kick off a disposable VMs to test exploits in a safer and more controlled environment. Once the testing is done, the image for that particular VM is deleted.
I wouldn't expect a minute more than absolutely needed was spent to configure the desktop.
At least that's what I prefer to do.
-
@ariadne @joshbressers @gregkh @wdormann @Viss @andrewnez @Di4na If only we had some sort of... "Open Source" Vulnerability Database.. as a clearing house. Some sort of non-profit org could maintain it probably
someone should get on that
-waits for attacks from angry squirrels-
@ra6bit @ariadne @joshbressers @gregkh @wdormann @Viss @andrewnez @Di4na this indeed.
We (both as in we the people, and we the capitalistic rat race that is addicted to hypes) do not want to pay for things perceived as free until these things suddenly backfire.
-
@ra6bit @ariadne @joshbressers @gregkh @wdormann @Viss @andrewnez @Di4na this indeed.
We (both as in we the people, and we the capitalistic rat race that is addicted to hypes) do not want to pay for things perceived as free until these things suddenly backfire.
@wiert @ra6bit @ariadne @joshbressers @gregkh @wdormann @Viss @andrewnez i would love explanations of Patreons or Twitch subscription then.
Maaaaaaybe this is a useful lie-for-children and there are other mechanisms at play.
Maaaaaaaaaaayyyyyyyybe
-
@gregkh @icing @joshbressers @wdormann @Viss "it is not easy to decide who should be on the list, so we can not even have list with Linux distros hat should obviously be on list" argument seems rather unconvincing though.
@uecker @icing @joshbressers @wdormann @Viss Why is it unconvincing? Who decides what group is on,or is not on, such a list? Your government? My governments? Their government? No government? Me? You? Someone else? And what is the criteria exactly for how?
See how it breaks down when it hits the real world?
As I have said many times, "All early-announce lists are a leak, otherwise why would your government allow it to exist?" -
@uecker @icing @joshbressers @wdormann @Viss Why is it unconvincing? Who decides what group is on,or is not on, such a list? Your government? My governments? Their government? No government? Me? You? Someone else? And what is the criteria exactly for how?
See how it breaks down when it hits the real world?
As I have said many times, "All early-announce lists are a leak, otherwise why would your government allow it to exist?"@gregkh @uecker @Viss @icing @joshbressers @wdormann Heh, that's @uecker style of raising FUD, without actual arguments why it supposed to be unconvincing.
Here https://social.kernel.org/notice/B5gj02TzcQaDMcTpc8 supposedly individual (hobbyist) contributors have somehow obstacles from contributing just because some big companies are implementing changes matching their needs.
No facts or arguments why it would be more difficult for the hobbyist just statement "makes it more costly for others to contribute".
No facts why inability to create such list is unconvincing. It is just "unconvincing".
It's easy to discuss like that - object to anything, even to actual arguments, but without providing anything backing up one's statement. -
@uecker @icing @joshbressers @wdormann @Viss Why is it unconvincing? Who decides what group is on,or is not on, such a list? Your government? My governments? Their government? No government? Me? You? Someone else? And what is the criteria exactly for how?
See how it breaks down when it hits the real world?
As I have said many times, "All early-announce lists are a leak, otherwise why would your government allow it to exist?"@gregkh @icing @joshbressers @wdormann @Viss I would imagine that the Linux foundation could assemble some experts that together agree on some objective criteria and a process and based on this organizations / projects are accepted to the list. Seeing such self-organization working in many other areas, I would expect that this is possible. But maybe there are reasons why I am wrong.
-
@gregkh @uecker @Viss @icing @joshbressers @wdormann Heh, that's @uecker style of raising FUD, without actual arguments why it supposed to be unconvincing.
Here https://social.kernel.org/notice/B5gj02TzcQaDMcTpc8 supposedly individual (hobbyist) contributors have somehow obstacles from contributing just because some big companies are implementing changes matching their needs.
No facts or arguments why it would be more difficult for the hobbyist just statement "makes it more costly for others to contribute".
No facts why inability to create such list is unconvincing. It is just "unconvincing".
It's easy to discuss like that - object to anything, even to actual arguments, but without providing anything backing up one's statement.@krzk @icing @joshbressers @wdormann @Viss @gregkh I apologize for having expressed an opinion as a long term user and contribute to free software. I could, of course, try to explain a bit better why I have the impression that the free software world is a bit too much under the influence of certain tech companies and not as accessible to new contributors anymore, but your reaction tells me that there is probably not much point in having this discussion. (revised)
-
@gregkh @icing @joshbressers @wdormann @Viss I would imagine that the Linux foundation could assemble some experts that together agree on some objective criteria and a process and based on this organizations / projects are accepted to the list. Seeing such self-organization working in many other areas, I would expect that this is possible. But maybe there are reasons why I am wrong.
-
@krzk @icing @joshbressers @wdormann @Viss @gregkh I apologize for having expressed an opinion as a long term user and contribute to free software. I could, of course, try to explain a bit better why I have the impression that the free software world is a bit too much under the influence of certain tech companies and not as accessible to new contributors anymore, but your reaction tells me that there is probably not much point in having this discussion. (revised)
@uecker It's easy to make statements, when you do not want to back them with any sort of argument. Just make a statement and put final stop. Product Foo is insecure. Some car manufactured by Baz is not reliable. This argument is unconvincing. I can express that as well... -
I think I should be the only one on that list. I‘ll then notify the right people who can demonstrate their worthiness.
Wait! That‘s already anthropic‘s business idea. Damn.
-
@zmanion @joshbressers @wdormann @Viss Why is linux-distros somehow "special" enough to get these types of announcements and not everyone else? How exactly would you explain that to your favorite government entity?
@gregkh @joshbressers @wdormann @Viss Because it exists and works better than the alternatives: telling nobody (and waiting to see who notices and when) or telling everybody all at once. If you have regulatory requirements to do or not do something, by all means, follow the regs. I'm not claiming any regs implement sound public CVD policy. Also when there is an external finder, the finder could choose to notify distros or follow other coordination paths, in addition to notifying kernel.org.
(I also understand that it's not quite as simple as just dropping a message on the distros list, and I read a Qualys message explaining that they no longer use distros.)
-
@uecker It's easy to make statements, when you do not want to back them with any sort of argument. Just make a statement and put final stop. Product Foo is insecure. Some car manufactured by Baz is not reliable. This argument is unconvincing. I can express that as well...
@krzk I think this is an unfair accusation. I was pointing out that the argument "it is unclear who to put on the list" by itself is a weak argument. I did not think that this needs further explanation as this seems obvious. Maybe there are good reason why it is difficult to maintain such a list, but the thread I commented on did not include those. In any case, I think it is not help to directly accuse people of "FUD" or misinformation in an evolving discussion.
-
