Ah, the #copyfail clickbait posts are coming.

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 12:07:54 GMT

jwildeboer@social.wildeboer.net — Sat, 02 May 2026 12:07:54 GMT

@leah It should still work, as initcall_blacklist on init functions works regardless of it being a module or compiled in. I don't have a machine with it built as a module at hand, nor do I have the time to spin one up and check. If somebody else could help here and share the result, much appreciated.

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 11:14:42 GMT

leah@blahaj.social — Sat, 02 May 2026 11:14:42 GMT

@jwildeboer I think this only works when the module is builtin (as on RHEL, but not many others).

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 11:07:51 GMT

sorro@woof.tech — Sat, 02 May 2026 11:07:51 GMT

@caravantraveller @jwildeboer ooh, i didnt really understand much about the exploit so i thought it was a remote exploit. that's a relief for me even for my linux laptop

thanks for telling me!

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 10:29:17 GMT

jwildeboer@social.wildeboer.net — Sat, 02 May 2026 10:29:17 GMT

@sstendahl Yes, that's in the second post of my thread, with links https://social.wildeboer.net/@jwildeboer/116503831839617808

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 10:27:50 GMT

sstendahl@floss.social — Sat, 02 May 2026 10:27:50 GMT

@jwildeboer thanks for the post. To add, also keep on eye on which distro have patched the mitigation, Fedora patched it a week ago or so iirc, Fedora 44 doesn’t have the exploit at all. Neither does anything about running the 7.x kernel.

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 10:26:31 GMT

psyhackological@fosstodon.org — Sat, 02 May 2026 10:26:31 GMT

@jwildeboer we're on Ubuntu. Yiakes then... So it needs to be checked otherwise.

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 10:21:03 GMT

hokid@mastodon.social — Sat, 02 May 2026 10:21:03 GMT

@jwildeboer @Sorro It's a bit hard to say because of the many, many flavors of Android in the wild, but it is very likely not affected for various reasons: by default, SELinux is configured to not allow alg_socket for sandboxed apps (see https://android.googlesource.com/platform/system/sepolicy/+/refs/tags/android-16.0.0_r4/private/app_neverallows.te#141), there are usually no suid binaries on Android, and algif_aead is usually not provided in the first place. Of course, a very old Android version might be affected, but in that case, you're open to various other exploits anyway...

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 10:19:00 GMT

jwildeboer@social.wildeboer.net — Sat, 02 May 2026 10:19:00 GMT

@psyhackological Depends on your distribution. Some have it as module, some have it directly compiled into the kernel.

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 10:13:38 GMT

psyhackological@fosstodon.org — Sat, 02 May 2026 10:13:38 GMT

@jwildeboer from what I read isn't this about removing kernel module? I think this keeps the system running without a reboot

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead

Don't know what will happen when it reboots though so I would stick to your plan.

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 09:57:57 GMT

jwildeboer@social.wildeboer.net — Sat, 02 May 2026 09:57:57 GMT

@psyhackological They'll have to do a risk calculation. It is a local user exploit, so in most cases when you freeze the current software deployment, you should be safe until the kernel patches have arrived. In general, though, your contingency plans should ALWAYS make reboots possible.

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 09:57:50 GMT

larvitz@burningboard.net — Sat, 02 May 2026 09:57:50 GMT

@jwildeboer @flxtr Deleted it. Sorry, could not help myself and thought "Galgenhumor" could help make this serious topic a bit more relaxed.

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 09:43:52 GMT

caravantraveller@social.cologne — Sat, 02 May 2026 09:43:52 GMT

@Sorro @jwildeboer

Are there any users on your Android phone who might take advantage of #copyfail ?

For single-user systems there is no problem, because it's not a remote exploit.

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 09:41:55 GMT

moses_izumi@fe.disroot.org — Sat, 02 May 2026 09:41:55 GMT

@jwildeboer
There's a special place in hell for security researchers who obfuscate their proof-of-concept exploit code.

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 09:35:54 GMT

ikket@mementomori.social — Sat, 02 May 2026 09:35:54 GMT

@echopapa @larsmb @jwildeboer alma (yay the new centos model ) https://almalinux.org/blog/2026-05-01-cve-2026-31431-copy-fail/

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 09:34:03 GMT

psyhackological@fosstodon.org — Sat, 02 May 2026 09:34:03 GMT

@jwildeboer what about those who cannot be downtimed to reboot?

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 09:30:36 GMT

jwildeboer@social.wildeboer.net — Sat, 02 May 2026 09:30:36 GMT

@Sorro I don't know. Depends if `algif_aead` is compiled into the kernel or loaded as module, if it is present at all in Android kernels. If somebody has checked, please do reply.

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 09:29:44 GMT

flxtr@social.tchncs.de — Sat, 02 May 2026 09:29:44 GMT

@jwildeboer I'm sorry. You're right. Should have posted the cheap joke in my own feed.
@Larvitz

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 09:27:01 GMT

jwildeboer@social.wildeboer.net — Sat, 02 May 2026 09:27:01 GMT

@flxtr @Larvitz I really try hard to make this thread helpful and pragmatic, but boys gotta be boys I guess

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 09:19:41 GMT

sorro@woof.tech — Sat, 02 May 2026 09:19:41 GMT

@jwildeboer since android runs with the linux kernel, is android also affected?

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 09:15:07 GMT

flxtr@social.tchncs.de — Sat, 02 May 2026 09:15:07 GMT

@Larvitz Edit: removed unhelpful cheap joke. I'm sorry. Will try harder to resist next time.
@jwildeboer

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 08:40:19 GMT

tris@chaos.social — Sat, 02 May 2026 08:40:19 GMT

@jwildeboer Nice! Btw wiki page is up: https://en.wikipedia.org/wiki/Copy_Fail

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 08:35:28 GMT

jwildeboer@social.wildeboer.net — Sat, 02 May 2026 08:35:28 GMT

ADDENDUM: Now also a blog post at https://jan.wildeboer.net/2026/05/PSA-CopyFail-CVE-2026-31431/

Reply to Ah, the #copyfail clickbait posts are coming. on Sat, 02 May 2026 08:25:13 GMT

jwp@cloudisland.nz — Sat, 02 May 2026 08:25:13 GMT

@jwildeboer
Tbf whilst It's not great, its AT LEAST not remotely exploitable. Problematic if your workload runs untrusted stuff from external sources directly, absolutely. But likewise not quite as sky is falling as some have seemed to make it out to be.