#copyfail

35 posts · Last used 9d

jwildeboer
@jwildeboer@social.wildeboer.net · May 08, 2026
#LPE — Local Privilege Escalation. A class of vulnerabilities that need a local user account on the target machine to reach higher levels of privilege, up to superuser/root

#RCE — Remote Code Execution. A class of vulnerabilities that can be exploited over unprivileged network connections, giving the attacker privileged access to the target machine.

#CopyFail, #DirtyFrag are LPEs that affect Linux systems. LPEs are typically harder to exploit than RCEs. Hope this helps to avoid Clickbait.
60
13
68
fox
@fox@social.hostnetwork.xyz · May 07, 2026
Yk all these recent exploits are a sad thing for itanium users cause now the latest Linux itanium kernel has 2 huge vulnerabilities and I wish I could do something but well I don't actually own any itanium hardware which is embarrassing. #Linux #itanium #copyfail #dirtyfrag
2
1
5
argv_minus_one
@argv_minus_one@mastodon.sdf.org · May 07, 2026
Oh good, another high-severity #Linux #security vulnerability that somebody botched the disclosure of, turning it into a high-severity zero-day. Because #CopyFail wasn't bad enough. Now we've got #DirtyFrag too. Can #cybersecurity people please stop botching vulnerability disclosure? Thanks. https://github.com/V4bel/dirtyfrag/blob/master/README.md #security
14
7
25
ikkeT
@ikkeT@mementomori.social · May 06, 2026
#OpenShift hosters 🔊 Red Hat has released a blocker for the copy-fail vulnerability, no reboots needed: https://access.redhat.com/solutions/7142136 #RedHat #CopyFail #CVE202631431
4
0
2
Sempf
@Sempf@infosec.exchange · May 05, 2026
25
1
13
danielmarsh
@danielmarsh@social.thepixelspulse.com · May 05, 2026
CVE-2026-31431, dubbed "Copy Fail," is a high-severity Linux kernel flaw (CVSS 7.8) actively exploited in the wild. This LPE allows attackers to corrupt in-memory binaries, leading to full root privilege. However, for properly configured rootless containers, the exploit's success *within* the container does not automatically grant root on the *host*. Learn the critical distinction. https://www.tpp.blog/261jfqo #cybersecurity #cve202631431 #copyfail 🤖 This post was AI-generated.
0
0
1
ikkeT
@ikkeT@mementomori.social · May 05, 2026
Red Hat product updates to copy fail available https://access.redhat.com/security/cve/cve-2026-31431 #cve202631431 #CopyFail
2
0
3
jwildeboer
@jwildeboer@social.wildeboer.net · May 02, 2026

Ah, the #copyfail clickbait posts are coming. Here’s my contribution. On your Linux machine add

initcall_blacklist=algif_aead_init

to your kernel boot commandline (typically in grub). Reboot. You are now safe until the updated kernel packages become available. For distributions with the grubby command this is done as root with

grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"

This mitigation comes courtesy of Red Hat. Our engineers keep you safe :)

277
69
280
mgorny
@mgorny@social.treehouse.systems · May 02, 2026
Greg Kroah-Hartman: "If you look there are thousands of unfixed CVEs in the older LTS kernels right now, and if distros or users that rely on those older branches wish to see those resolved, they need to provide working backports to us to apply, as our first attempt did not work (which is why they are unfixed in those branches.)" Really asking for a "Pray tell us", given that nobody actually bothered disclosing the problem to downstreams and that the commit message was hiding it. Either way, apparently the great LLM-backed patch backporting process that #NVidia is so proud of doesn't really work. Upstream doesn't really care about #LTS branches, and they should be considered insecure by default. https://lore.kernel.org/stable/2026050114-supernova-angler-2de1@gregkh/ #Gentoo #Linux #CopyFail #security
28
33
37
In reply to
gilles
@gilles@toot.gagniard.org · May 01, 2026
@almalinux@fosstodon.org Test kernel installed on my servers and reboot done. No issue to report ! Thank you so much for your reactivity. #copyfail #almaLinux
6
0
1
the_moep
@the_moep@mastodon.de · May 01, 2026
They: "On a scale from 1 to 10: How lazy are you?" Me: Using the copy fail exploit instead of sudo to avoid having to type my password #copyfail #linux #cybersecurity
324
8
185
anthropy
@anthropy@mastodon.derg.nz · May 01, 2026

Did you patch your servers against CopyFail yet? #CopyFail #CyberSecurity #Security #Linux

Of course!
62.5% (20)
I like to live dangerously.
25.0% (8)
Please send help
12.5% (4)
32 votes Poll closed
1
3
4
JennyFluff
@JennyFluff@chitter.xyz · Apr 30, 2026
Note that if you the #copyfail exploit on your session, any terminal in it will be able to su without authentication (until next reboot I assume). hotpatch: https://lilting.ch/en/articles/linux-copy-fail-page-cache-root
1
2
1
In reply to
AthanSpod
@AthanSpod@social.linux.pizza · Apr 30, 2026
@JennyFluff@chitter.xyz You can `echo 1 > /proc/sys/vm/drop_caches` to drop the caches, after you've done something like:

$ cd /etc/modprobe.d
$ cat > af_alg.conf
blacklist af_alg
blacklist algif_aead
$

which blacklists the modules. Now, if you have legitimate use of af_alg, you can decide to only `blacklist algif_aead`, which worked to block the exploit on my Debian 13/trixie desktop running a locally-compiled 6.18.25 kernel. Dropping the caches clears what the exploit did (changing the contents of the cached version of `/usr/bin/su`, so that cached version is always used, not the on-disk version). #copyfail
5
1
2
Larvitz
@Larvitz@burningboard.net · May 01, 2026
Fresh gist: mitigating CVE-2026-31431 ("Copy Fail") on RHEL 8/9/10 with a tiny Ansible playbook. It blacklists algif_aead via a kernel boot arg (initcall_blacklist=algif_aead_init), reboots only when needed, and asserts the mitigation actually stuck after reboot. Idempotent & safe to re-run. https://codeberg.org/Larvitz/gists/src/branch/main/2026/20260501-CVE-2026-31431_RHEL_Mitigation.md #Ansible #RHEL #Linux #InfoSec #SysAdmin #DevOps #CVE #CVE_2026_31431 #copyfail
27
2
22
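Added example, not part of any post in this timeline and not the posters' or Red Hat's code: a shell check that reports which of the mitigations mentioned above (the `initcall_blacklist=algif_aead_init` boot argument, or a modprobe.d `blacklist algif_aead` line) is in effect. The function names and status words are this example's own, and the sample files are constructed.

```shell
#!/bin/sh
# Report which Copy Fail mitigation is active. Paths are parameters so the
# checks can be exercised against constructed sample files.

# True if initcall_blacklist= on the command line lists algif_aead_init
# (the parameter takes a comma-separated list of initcall names).
cmdline_mitigated() {
    grep -Eq '(^|[[:space:]])initcall_blacklist=([^[:space:]]*,)?algif_aead_init(,|[[:space:]]|$)' "$1"
}

# True if any *.conf in the directory has a "blacklist algif_aead" line.
modprobe_blacklisted() {
    grep -Eqs '^[[:space:]]*blacklist[[:space:]]+algif_aead[[:space:]]*$' "$1"/*.conf
}

# True if algif_aead appears in a /proc/modules-format file.
module_loaded() {
    grep -q '^algif_aead ' "$1"
}

# mitigation_status CMDLINE MODPROBE_DIR MODULES -> prints one status word.
# A modprobe "blacklist" line only stops alias-triggered autoloading, so a
# module that is already loaded takes priority over the blacklist result.
mitigation_status() {
    if cmdline_mitigated "$1"; then
        echo boot-arg
    elif module_loaded "$3"; then
        echo module-loaded
    elif modprobe_blacklisted "$2"; then
        echo modprobe-blacklist
    else
        echo unmitigated
    fi
}

# Constructed sample data (not taken from a real host).
demo=$(mktemp -d)
mkdir "$demo/modprobe.d"
echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro initcall_blacklist=algif_aead_init' > "$demo/cmdline"
: > "$demo/modules"
echo "sample host: $(mitigation_status "$demo/cmdline" "$demo/modprobe.d" "$demo/modules")"
# On a real host: mitigation_status /proc/cmdline /etc/modprobe.d /proc/modules
```

`/proc/cmdline` describes the running kernel, so a boot argument added with grubby only shows up here after the reboot.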
mttaggart
@mttaggart@infosec.exchange · Apr 30, 2026
Got a very silly #CopyFail container escape working. Basically, if the container can see a file shared by the host, regardless of permissions, CopyFail can write to it on the host. https://discourse.ifin.network/t/copy-fail-732-bytes-to-root-on-every-major-linux-distributions/342/44
59
9
67
grono
@grono@mastodon.com.pl · May 01, 2026
Docker Engine is safe against CVE-2026-31431 now. Patch ASAP: https://github.com/moby/moby/releases/tag/docker-v29.4.2 #docker #containers #linux #copyfail
1
0
3
adhisimon
@adhisimon@mastodon.kodesumber.com · May 01, 2026
Before trying to mitigate, it turns out my #fedora 43 workstation (not upgraded to 44 yet) had already updated and not vulnerable to #copyfail
1
2
0
adhisimon
@adhisimon@mastodon.kodesumber.com · May 01, 2026
Fedora had released Fedora CoreOS 43.20260413.3.2 on "stable stream" few hours ago to patch against Copy Fail. Upgraded packages:

kernel-6.19.11-200.fc43.x86_64 ⟶ 6.19.12-200.fc43.x86_64
kernel-core-6.19.11-200.fc43.x86_64 ⟶ 6.19.12-200.fc43.x86_64
kernel-modules-6.19.11-200.fc43.x86_64 ⟶ 6.19.12-200.fc43.x86_64
kernel-modules-core-6.19.11-200.fc43.x86_64 ⟶ 6.19.12-200.fc43.x86_64

You can wait your zincati service schedule to upgrade automatically, or you can run sudo zincati-update-now to upgrade immediately. #copyfail #fedora #fcos #coreos
1
0
0
veronica
@veronica@mastodon.online · Apr 30, 2026
Copy Fail (CVE-2026-31431) has just been patched on Debian 13, with kernel version 6.12.85-1 from trixie (security). https://security-tracker.debian.org/tracker/CVE-2026-31431 #CopyFail #Debian #Linux #InfoSec #CVE
50
6
63