CIRCLE WITH A DOT

@ubuntu Can you share when the updated packages to mitigate #CVE202631431 are likely to drop? #copyfail #ubuntu #security

Many of your systems will not have the algif_aead and af_alg kernel modules loaded prior exploiting the #copyfail vulnerability. So checking your kernel logs for "NET: Registered PF_ALG protocol family" is a good #threathunting for today. #cve_2026_31431 #siem

I couldn't find a list of #Linux #kernel versions that include a patch for #copyfail, so I dug into the commit log and made one. Make sure you're using at least the following version of your branch to mitigate against copyfail:- 7.0-rc7 (any stable 7.x is safe)- 6.19.12- 6.18.22- 6.12.85- 6.6.137- 6.1.170- 5.15.204- 5.10.254See https://copy.fail for more info about the #exploit.#privilegeescalation #vulnerability #cryptography #linuxadmin #sysadmin

Can someone explain to me why #copyfail was still unpatched on so many distros this morning when the blog post claims it was reported over a month ago to the kernel security team?#cve_2026_31431

FYI: Wenn ihr das AEAD Kernel Modul als Mitigation für #CopyFail nicht entladen/blacklisten könnt weil es builtin ist (bspw RHEL/CentOS), könnt ihr das trotzdem per Kernel Cmdline disabeln:"initcall_blacklist=algif_aead_init"

@whitequark awesome! Gimme some time, I'll prepare everything. How can I reach you to hand over access credentials?

Pour information, voici les 2 tasks Ansible que l'on applique pour contourner #copyfail :https://paste.evolix.org/?e33be19335e04f0e#BDZbmCJNzevojN2fkreTUWtdPtckq8qkMzkJSgjfavJd

Me: Nothing bad ever happened on Wednesdays. I should be able to relax.CopyFail:#copyfail #cve202631431

Reliably detecting Copyfail https://www.threatbear.co/blog/detecting-copyfail-using-ebpf/ #CVE-2026-31431 #copyfail #detectionengineering

@astraleureka extremely helpful

@Lioh OK, so what’s your preferred vulnerability disclosure policy?Just linking the document is fine.

I’m a bit surprised they did not wait till a patch was available for the major distros. Smells like an IPO or the next round of funding is coming soon.You probably want to keep a close eye on any system you maintain where unprivileged users have shell access and update as soon as possible.https://copy.failhttps://security-tracker.debian.org/tracker/CVE-2026-31431https://ubuntu.com/security/CVE-2026-31431https://www.suse.com/security/cve/CVE-2026-31431.html#copyfail

@drwho@masto.hackers.town @thibaultmol@en.osm.town @darkrat@chaosfurs.social It is minified but really not difficult to pull apart. It opens /usr/bin/su, then repeatedly calls c(f, i, e[i:i+4]) to write the embedded payload into the cached image of /usr/bin/su in 4-byte chunks. The write-up describes this. The sendmsg() data carries the 4 controlled bytes, splice() supplies the page-cache-backed file pages, and recv() triggers the authencesn path that writes those bytes into the cached file page.After patching the cached copy, it just runs su. That's it.s.socket(38,5,0) are the numeric constants for AF_ALG and SOCK_SEQPACKET, it's equivalent to socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0).The zlib blob decompresses to a 160-byte ELF executable, it basically only contains: setuid(0) execve("/bin/sh", NULL, NULL) exit(0)to pop a root shell.The CVE is real; I got it to work just fine on my Proxmox host (Linux 6.17.13-2)

What is going on today??We're also tracking #CopyFail.https://discourse.ifin.network/t/copy-fail-732-bytes-to-root-on-every-major-linux-distributions/342#ThreatIntel #ThreatIntelligence #IFIN

Copy Fail – CVE-2026-31431https://copy.fail/#HackerNews #CopyFail #CVE2026 #Security #Vulnerability #HackerNews #TechNews