<![CDATA[Holy. Fucking. Fuckballs.]]>Holy. Fucking. Fuckballs.

This exploit is... insane.

> An unprivileged local user can write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root

Link Preview Image
Copy Fail — 732 Bytes to Root

Copy Fail (CVE-2026-31431): a 732-byte Linux LPE — straight-line, no race, no per-distro offsets. Same Python script roots Ubuntu, Amazon Linux, RHEL, SUSE since 2017. Page-cache write bypasses on-disk file-integrity tools and crosses container boundaries. Found by Xint Code.

favicon

Xint (copy.fail)

]]>https://board.circlewithadot.net/topic/62ded7b7-80de-4f06-a05f-1a905cd43949/holy.-fucking.-fuckballs.RSS for NodeThu, 30 Apr 2026 15:30:51 GMTWed, 29 Apr 2026 19:26:45 GMT60<![CDATA[Reply to Holy. Fucking. Fuckballs. on Thu, 30 Apr 2026 01:20:58 GMT]]>@drwho@masto.hackers.town @thibaultmol@en.osm.town @darkrat@chaosfurs.social
It is minified but really not difficult to pull apart.
It opens /usr/bin/su, then repeatedly calls c(f, i, e[i:i+4]) to write the embedded payload into the cached image of /usr/bin/su in 4-byte chunks.

The write-up describes this. The sendmsg() data carries the 4 controlled bytes, splice() supplies the page-cache-backed file pages, and recv() triggers the authencesn path that writes those bytes into the cached file page.
After patching the cached copy, it just runs su. That's it.

s.socket(38,5,0) are the numeric constants for AF_ALG and SOCK_SEQPACKET, it's equivalent to socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0).

The zlib blob decompresses to a 160-byte ELF executable, it basically only contains: 

setuid(0)
execve("/bin/sh", NULL, NULL)
exit(0)
to pop a root shell.

The CVE is real; I got it to work just fine on my Proxmox host (Linux 6.17.13-2)

]]>https://board.circlewithadot.net/post/https://plasmatrap.com/notes/alod3jfzd0https://board.circlewithadot.net/post/https://plasmatrap.com/notes/alod3jfzd0Thu, 30 Apr 2026 01:20:58 GMT<![CDATA[Reply to Holy. Fucking. Fuckballs. on Thu, 30 Apr 2026 01:08:24 GMT]]>@thibaultmol @darkrat It's needlessly obfuscated. And the "curl pipe bash" construction is just bullshit.

That said, a few of us tested it and it didn't work on our boxen.

]]>https://board.circlewithadot.net/post/https://masto.hackers.town/users/drwho/statuses/116490980854852172https://board.circlewithadot.net/post/https://masto.hackers.town/users/drwho/statuses/116490980854852172Thu, 30 Apr 2026 01:08:24 GMT<![CDATA[Reply to Holy. Fucking. Fuckballs. on Wed, 29 Apr 2026 19:53:38 GMT]]>@darkrat It's weird how the code they want you to curl and run is minified and has a binary section in it.... just weird....

edit: tbc, my friend said this, I hadn't checked it yet.
He said that this is not normally how proof of concepts are written

I really hope someone on fedi who knows this stuff can verify this cause I'm not boosting it without seeing that

]]>https://board.circlewithadot.net/post/https://en.osm.town/users/thibaultmol/statuses/116489743148436860https://board.circlewithadot.net/post/https://en.osm.town/users/thibaultmol/statuses/116489743148436860Wed, 29 Apr 2026 19:53:38 GMT