The CopyFail announcement and handling is one of the least defender-supporting I think I've ever seen.
-
The CopyFail announcement and handling is one of the least defender-supporting I think I've ever seen.
Mitigations were extremely thin at launch, and haven't improved much, and are even brittle and misleading:
Royce Williams (@tychotithonus@infosec.exchange):
The CopyFail folks shouldn't have routed stderr to /dev/null in their workaround guidance. For some platforms, where it's not a module ... that mitigation is a no-op:
```
$ rmmod algif_aead
rmmod: ERROR: Module algif_aead is builtin.
```
So if there's no kernel patch available yet, you can't use that workaround. Instead, use AppArmor / seccomp / SELinux to block unprivileged AF_ALG socket creation if you can (but don't just turn these hardening layers up if they're not already in place - they can be tricky) #CopyFail #CVE_2026_31431
They've also largely neglected most of the value of the feedback they're getting from defenders clamoring for useful intel. The GitHub repo is full of feedback about which distros are affected or unaffected ... and a day later, none of it has been used to update the list of affected versions in the main README (except for the RHEL made-up version fix).
And this exchange is painful:
RHEL 14.3 does not exist · Issue #12 · theori-io/copy-fail-CVE-2026-31431 (github.com):
https://access.redhat.com/articles/red-hat-enterprise-linux-release-dates lists RHEL 10.1 as the latest release. Kernel is 6.12.0-124.8.1.el10_1. Exploit seems to work (even with 6.12.0-124.52.1.el10_1).
"None of us are RH people so it wasn't caught"
You had weeks to do basic vetting, or to find someone who would help you. Theori seems to have intended this to be a showcase for their product. Instead, it has convinced me that I will never buy anything from them.
Edit: Will Dormann goes into more detail here, 100% agreed:
https://infosec.exchange/@wdormann/116493725294723695
-
@tychotithonus If a random shitposter dropped this then I would understand not having the resources to research and follow up on it. But a startup trying to make a name for itself? It comes across as they got lucky, spent all their time and LLM tokens on hype, and then accidentally proved they don't actually know what they're doing.
I'm all for the disclosure of it, but the theatrics are more of the same overpromise / underdeliver that we've grown so tired of in this field.
-
@tychotithonus there should be a playbook in the IR plan for “we found an exciting bug, now what?”
-
@tychotithonus Well said, all around. It seems like a loosey-goosey disclosure, with the highest emphasis on branding and generating hype.
-
@tychotithonus agree, I mean this thing is everywhere. For example I think Check Point firewalls are even RHEL…
A lot of exploitation scenarios are unlikely, but I think we will see attack chains in the coming weeks where this plays a crucial role in a successful compromise.
-
- Find vuln
- Buy .fail domain
- Bask in admiration and VC $
Theori you need to figure out if you’re selling skateboards or doing real infosec.
-
@badsamurai @h2onolan @tychotithonus he may have brought drone doctrine to infosec but can he repeat to make it a pseudo biz model #rev3 #.fail #greg #italy #one trick pony