#cve_2026_31431 — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #cve_2026_31431, aggregated by home.social.
-
How Dirty Frag rose from the Copy Fail exploit
#CVE_2026_31431
https://www.reversinglabs.com/blog/dirtyfrag-linux-privilege-escalation-exploit
-
Eric Biggers has submitted a Linux patch to start the deprecation of the AF_ALG API at the heart of #CopyFail as well as several other CVEs:
-
New info and links on https://sketchesfromahomelab.com/articles/2026/05/03/CVE-2026-31431_Copy_Fail_Resources/
- A patched kernel for RHEL systems is now available!
- Added links to the original 2017 commit introducing the #CopyFail bug and to the patch fixing it. Also included a list of the Linux kernel versions containing the patch. Hopefully this will help those that compile their own kernels!
- Added a link to GrapheneOS's analysis that Android is NOT vulnerable to Copy Fail due to its extensive use of SELinux and its prohibition on setuid/setgid binaries. I know a lot of people were concerned about Android devices, especially older ones, so this is welcome news.
People needing more information about the patched RHEL kernel can go to:
-
Updated links on https://sketchesfromahomelab.com/articles/2026/05/03/CVE-2026-31431_Copy_Fail_Resources/
to include new information:
- a new exploit implementation in Perl by @ilv
- link to a report that CISA has added the exploit to its KEV Catalog
- secwest.net's mitigation guide,
- information about vulnerability status in AlmaLinux, Arch, and SUSE (they all have fixed kernels available).
-
CVE-2026-31431 Copy Fail Resources - list of links to Copy Fail analysis, mitigation, and fixes
https://sketchesfromahomelab.com/articles/2026/05/03/CVE-2026-31431_Copy_Fail_Resources/
-
Full disclosure: I’m a developer on the #kernelCare team, and we already have live patches for #copyfail. No reboot required. Feel free to ask questions.
https://blog.cloudlinux.com/cve-2026-31431-copy-fail-kernel-update
-
Oh, yeah, "contains a number of important fixes". It basically contains a patch against THE GINORMOUS VULNERABILITY. Update now!
#Fedora #Linux #kernel #CopyFail #CVE202631431 #CVE_2026_31431
-
CISA KEV is claiming Copy Fail is under active exploitation but provides zero evidence of how/where. Anyone seeing anything else in public reporting to corroborate these claims?
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
-
It is a labor day today but for some of us it’s a patch day #CVE_2026_31431
-
Just polled my software team: without googling or asking, have you heard of #copyfail ? if so, do you know what it is sufficiently to explain it to a colleague?
Not a single hand. We make embedded #linux devices. ( yes, ours are affected.)
Call me old-fashioned, but when I was a #developer I _kept tabs on shit_. First coffee every morning was poring over #slashdot and #thedailywtf and a dozen tech specific #blogs and #newsgroups and #channels. What's new, or blowing up?
-
To mitigate the #CopyFail #CVE_2026_31431 risk on machines running Red Hat Enterprise Linux 8, 9 or 10 (7 and below are not affected) until the kernel updates are available, you can issue
# grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
as root, which will block calls to the compromised function. You then need to reboot the machine for the change to become active.
-
Fresh gist: mitigating CVE-2026-31431 ("Copy Fail") on RHEL 8/9/10 with a tiny Ansible playbook.
It blacklists algif_aead via a kernel boot arg (initcall_blacklist=algif_aead_init), reboots only when needed, and asserts the mitigation actually stuck after reboot. Idempotent & safe to re-run.
https://codeberg.org/Larvitz/gists/src/branch/main/2026/20260501-CVE-2026-31431_RHEL_Mitigation.md
#Ansible #RHEL #Linux #InfoSec #SysAdmin #DevOps #CVE #CVE_2026_31431 #copyfail
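A check for the mitigation the two posts above describe (the `initcall_blacklist=algif_aead_init` boot argument), as an added example that is not taken from either post or from the linked gist. It tests for an exact entry in the comma-separated `initcall_blacklist=` list and reports boot entries that lack it; the function names are hypothetical, the sample data is constructed, and the input layout assumed is the `kernel="..."` / `args="..."` lines printed by `grubby --info=ALL`.

```sh
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# cmdline_blacklists CMDLINE INITCALL
# Succeeds only if some initcall_blacklist= argument (a comma-separated
# list) names INITCALL exactly; a substring match is not enough.
cmdline_blacklists() {
    _want=$2
    set -f                          # no globbing while word-splitting $1
    for _arg in $1; do
        case $_arg in
            initcall_blacklist=*)
                case ",${_arg#initcall_blacklist=}," in
                    *",$_want,"*) set +f; return 0 ;;
                esac ;;
        esac
    done
    set +f
    return 1
}

# entries_missing_blacklist GRUBBY_INFO INITCALL
# Reads text in the kernel="..." / args="..." layout printed by
# `grubby --info=ALL` and prints each kernel whose args lack the blacklist.
entries_missing_blacklist() {
    printf '%s\n' "$1" | while IFS= read -r _line; do
        case $_line in
            kernel=*) _k=${_line#kernel=}; _k=${_k#\"}; _k=${_k%\"} ;;
            args=*)
                _a=${_line#args=}; _a=${_a#\"}; _a=${_a%\"}
                cmdline_blacklists "$_a" "$2" || printf '%s\n' "$_k" ;;
        esac
    done
}

# Constructed sample: one boot entry mitigated, one not.
SAMPLE_INFO='index=0
kernel="/boot/vmlinuz-A"
args="ro quiet initcall_blacklist=foo_init,algif_aead_init"
index=1
kernel="/boot/vmlinuz-B"
args="ro quiet"'

entries_missing_blacklist "$SAMPLE_INFO" algif_aead_init   # prints /boot/vmlinuz-B
# On a live host, compare the configured entries with the running kernel:
#   entries_missing_blacklist "$(grubby --info=ALL)" algif_aead_init
#   cmdline_blacklists "$(cat /proc/cmdline)" algif_aead_init && echo active
```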
-
Looking at what I'd have to patch...
And everything here is already patched... life with a rolling release.
-
Checking the #CopyFail #CVE_2026_31431 status on #AlpineLinux, again nothing heard officially from @alpinelinux but I did see this:
https://github.com/theori-io/copy-fail-CVE-2026-31431/issues/4#issuecomment-4354558846
Maybe the issue has been quietly dealt with or was never an issue to begin with? It'd be nice to know for certain.
-
It's crazy that the researchers who discovered Copy Fail only worked with the Linux Kernel Organization to patch it in the mainline kernel but didn't work with any of the major distros to make sure a patch was available before disclosing the exploit. Unless you're running a rolling distro, a dev version or a distro with short release windows, it's effectively an unpatched zeroday.
The ones most vulnerable to this are the type of systems that run on long term release kernels, not rolling releases or short release distros like Fedora.
This whole saga is a big clusterfuck for the Linux community to scramble to patch this major flaw.
#Linux #CopyFail #CVE_2026_31431 #infosec #cybersec
RE: https://infosec.exchange/@BleepingComputer/116493995434262191
-
#CopyFail #cve_2026_31431 I wrote about denying containers access to AF_ALG sockets with SELinux
https://blog.feistel.party/2026/04/30/deny-alg-socket-to-containers-with-selinux-to-mitigate-cve-2026-31431.html
-
Also, doesn't the OS prioritize not flushing some files from the page cache, such as the "hottest" files? Could this be leveraged by the attacker to maximize persistence? Or even take steps to ensure the file is always in cache, like regularly reading it or something?
-
RE: https://mastodon.social/@Viss/116490543256385246
From my reading, this is my understanding as well. You don't have to have root, and you can modify anything in the page cache. Like ... sshd, or libpam, or anything called by a cron job that's running as root.
How can we definitively confirm this?
-
Copy Fail: 732 Bytes to Root on Every Major Linux Distribution.
#CVE_2026_31431
https://xint.io/blog/copy-fail-linux-distributions
-
The CopyFail announcement and handling is one of the least defender-supporting I think I've ever seen.
Mitigations were extremely thin at launch, and haven't improved much, and are even brittle and misleading:
https://infosec.exchange/@tychotithonus/116490466168316767
They've also largely neglected most of the value of the feedback they're getting from defenders clamoring for useful intel. The GitHub repo is full of feedback about which distros are affected or unaffected ... and a day later, none of it has been used to update the list of affected versions in the main README (except for the RHEL made-up version fix)
And this exchange is painful:
https://github.com/theori-io/copy-fail-CVE-2026-31431/issues/12
"None of us are RH people so it wasn't caught" 😐 You had weeks to do basic vetting, or find someone who would help you.
Theori seems to have intended this to be a showcase for their product. Instead, it has convinced me that I will never buy anything from them.
Edit: Will Dormann goes into more detail here, 100% agreed:
https://infosec.exchange/@wdormann/116493725294723695
-
CW: #CVE_2026_31431 / #copyfail possible mitigation
@[email protected] It is my understanding that this will not work. There is a published exploit (https://github.com/rootsecdev/cve_2026_31431/blob/main/exploit_cve_2026_31431.py) that messes with the page cache for /etc/passwd to simply show your user id as 0, so a normal call to su will make you root.
-
If you're Linux sysadmins, better not make plans for the long weekend... https://copy.fail/
-
Good explanation [1] including "For immediate mitigation" (consistent with most other descriptions on how to immediately prevent the exploit while waiting for your distribution to fix it properly).
Debian security tracker [2].
#cve_2026_31431 #CVE_2026_31431
[1] https://xint.io/blog/copy-fail-linux-distributions
[2] https://security-tracker.debian.org/tracker/CVE-2026-31431
-
[VULN] ⚠️"Copy Fail - An AI finds the Linux flaw that nobody saw"
"
- Copy Fail (CVE-2026-31431) is a Linux flaw that lets an ordinary user become root in 732 bytes, affecting almost all unpatched kernels since 2017, discovered by an AI in one hour.
- The flaw exploits a 2017 optimization in the crypto subsystem that leaves a read-only file accessible in a writable area, making it possible to progressively modify a system binary via the splice() call.
- Two protection options exist: patch the kernel through the distro, or disable the algif_aead module (or block the crypto subsystem via seccomp if the module is built in)."
👇 https://korben.info/copy-fail-faille-kernel-linux-decouverte-ia.html
Demo / exploit ( via @bortzmeyer )
👇
https://www.bortzmeyer.org/copyfail.html
🔍
⬇️
https://vulnerability.circl.lu/vuln/CVE-2026-31431