For Linux kernel vulnerabilities, there is no heads-up to distributions (openwall.com)
509 points by ori_b 18 hours ago
Recent: Copy Fail - https://news.ycombinator.com/item?id=47952181 - April 2026 (466 comments)
xeeeeeeeeeeenu 17 hours ago
For context, the author of the linked post, Sam James, is a Gentoo developer.
Anyway, this is a disaster. It was extremely irresponsible to share the exploit with the world before the distributions shipped the fix. Who knows how many shared hosting providers were hacked with this.
It's also worrying that it seems there's no communication between the kernel security team and distribution maintainers. One would hope that the former would notify the latter, but apparently it's the responsibility of whoever finds the vulnerability.
john_strinlai 14 hours ago
i have no problem with disclosing a vulnerability 30 days after its patched in the thing you reported to. (in fact, for those unaware, this is the same policy that google's project zero uses: "90+30" https://projectzero.google/vulnerability-disclosure-policy.h...)
the real problem is:
>It's also worrying that it seems there's no communication between the kernel security team and distribution maintainers.
the reporter should not be the one responsible for reporting separately to every single downstream of the thing they found a vuln in.
what should be happening, as you allude to, is a communication channel between the kernel security team and distribution maintainers. they are in a much better position to coordinate and communicate with the maintainers than random reporters are.
the minute the patch landed in the kernel, a notification should have gone out from the kernel team to a curated list of distro security folk that communicated the importance of the patch, and that the public disclosure would be in 30 days.
fresh_broccoli 11 hours ago
>the reporter should not be the one responsible for reporting separately to every single downstream of the thing they found a vuln in.
Not "separately to every single downstream", there is the "linux-distros" mailing list for disclosures: https://oss-security.openwall.org/wiki/mailing-lists/distros
This random blogpost from 2022 serves as a proof that disclosing kernel vulnerabilities to the distros list is a well-known practice: https://sam4k.com/a-dummys-guide-to-disclosing-linux-kernel-...
I agree it's a shame that the process isn't more streamlined and the kernel developers aren't forwarding the reports to the distros list.
tptacek 11 hours ago
troad 10 hours ago
steve1977 3 hours ago
> a notification should have gone out from the kernel team to a curated list of distro security folk
Who would curate that list though? You don't need permission from the kernel team to spin up a new distro. I can go and create fork of Debian or Arch or whatever today and the kernel team would never know (and neither should they).
This is completely in the responsibility of the distros. If you don't like this model, use something like FreeBSD.
mort96 3 hours ago
aragilar 2 hours ago
jamespo 2 hours ago
staticassertion 13 hours ago
> they are in a much better position to coordinate and communicate with the maintainers than random reporters are.
They openly refuse to do this and have been given authority by MITRE to work against any such process.
john_strinlai 13 hours ago
josefx 7 hours ago
Denvercoder9 13 hours ago
Two things can be true simultaneously: the Linux kernel ecosystem should have done better at communicating this to their downstreams, and publicly sharing the exploit was irresponsible.
It is not the responsibility of the initial reporter to communicate to distributions, but the fact that those responsible failed to do that, doesn't give everybody else a free pass.
da_chicken 12 hours ago
john_strinlai 13 hours ago
x4132 12 hours ago
ori_b 14 hours ago
If the maintainers were unresponsive, sure -- but it seems slightly hard to buy that a responsible reporter trying to make a big splash and a good impression wouldn't first check "did this make it out to the distros?" before making sysadmin's days real shitty, even if technically they could point fingers at other parties. At which point, if they're paying paying any attention at all to what they reported, they may have realized that a mistake was made.
john_strinlai 14 hours ago
zamalek 16 hours ago
The disclosure was more about marketing than security. From the disclosure page:
> Is your software AI-era safe?
> Copy Fail was surfaced by Xint Code about an hour of scan time against the Linux crypto/ subsystem. [...]
> [Try Xint Code]
More chaos makes their product seem even more attractive.
tptacek 13 hours ago
I worked at the industry's first commercial vulnerability lab (Secure Networks) in the mid-90s, and many of my friends at the time founded X-Force. Commercial vulnerability research has always been about marketing: marketing pays for the vulnerability research. That doesn't make it any less prosocial.
esseph 16 hours ago
Your advertising for them on HN would help them too, I bet.
jasonmp85 16 hours ago
bathtub365 9 hours ago
To be clear, the vulnerability existed in Linux, not in Xint Code. It existed whether this group disclosed it or not. Knowledge of it and exploits may have already been bought and sold among various groups with various motives including crime, terrorism, or cyberwarfare who likely made good money off it if this happened.
In that world, the vulnerability has more value to those who seek to exploit it for their own motives, regardless of the consequences. They hope that no one else stumbles on it and fixes it, preventing them from continuing to use it to do bad things.
In the world where it is disclosed, there is more value in fixing the vulnerability as the maintainer’s reputation is at risk (and potentially monetary loss or legal liability if they are shown to be negligent).
zamalek 8 hours ago
Lammy 16 hours ago
> It was extremely irresponsible
As a user and admin I disagree. Makes one appreciate what a masterful bit of lexical-engineering “Responsible” Disclosure is, kinda like “Secure” (from me, not forme) Boot — “Responsible” Disclosure is 100% about reputation-management for the various corporation/foundation middleman entities sitting between me and my computer.
Those groups don't care that my individual computer is vulnerable but about nobody being able to say “RHEL is vulnerable” or “Ubuntu is vulnerable”. The vulnerability exists for me either way, and I'd rather have the chance to know about it and minimize risk than to be surprised by the fix and hope nothing bad happened in that meantime.
Immediate public disclosure is the only choice that isn't irresponsible as far as I'm concerned.
BeetleB 15 hours ago
So if I found a vulnerability that lets hackers withdraw withdraw all the money in your account without a trail on where the money went, you'd be fine with them disclosing it to the public at the same time as the bank learns about it?
Even when there is no known use case of the attack (other than the security researcher's)?
> The vulnerability exists for me either way, and I'd rather have the chance to know about it and minimize risk
By the time you hear about it, the money could be gone because 1000 hackers heard about it from the researcher before you did.
> than to be surprised by the fix and hope nothing bad happened in that meantime.
Hope is not a good strategy here.
Lammy 15 hours ago
tomxor 14 hours ago
> Immediate public disclosure is the only choice that isn't irresponsible as far as I'm concerned.
No, it's really not.
High severity vulnerabilities are responsibly handled by quietly neutralising them with subtle patches that do not reveal the vulnerability, waiting for those patches to distribute. Then patching or removing the root cause of the vulnerability (at which point opportunists will start to notice), and finally publicly disclosing it when there are already good mitigations in place.
Example: spectre/meltdowm mitigations.
I've been asked to use this approach myself when reaching out to maintainers. Sometimes it's possible to directly fix the vulnerability as a "side effect" by making a legitimate adjacent change.
efortis 14 hours ago
With immediate disclosure the provider can decide to shut down while it is fixed. Or to notify users and make it their decision. Or to be prepared with a diversified infra and switch over to a non-vulnerable path. e.g, BSDs are not affected by CopyFail
eschaton 15 hours ago
“The choice that maximizes potential damage isn’t irresponsible, because it means I can mitigate my own systems immediately.”
That’s what you’re saying here.
tptacek 15 hours ago
akerl_ 15 hours ago
notsound 15 hours ago
Those groups care about whether millions of computers are vulnerable, likely including your computer. If "immediate public disclosure" was done in all cases every vuln would be exploited and patches would be much lower quality. Shortening the disclosure timeline might be a good idea, 90 days is starting to feel long.
Lammy 15 hours ago
pphysch 15 hours ago
The Venn diagram of mainstream distros and individual Linux users is virtually a circle.
Ubuntu/RHEL is vulnerable and so are most Linux users by extension.
tptacek 15 hours ago
Without taking a position on the disclosure mechanics: any hosting provider hacked with this was already playing to lose. It is not OK to run competing untrusted tenant workloads under a single shared kernel. Kernel LPEs are not rare. This was a particularly simple and portable one, but the underlying raw capability is a CNE commodity.
jcalvinowens 14 hours ago
> Kernel LPEs are not rare. This was a particularly simple and portable one, but the underlying raw capability is a CNE commodity.
I absolutely 100% agree with this and I'm glad to see somebody saying it. Any system that is one LPE away from being compromised is already insecure.
lifis 16 hours ago
The Linux kernel is not usable as a security boundary, so anyone who wants to do "shared hosting" and not be hacked needs to use something else, like gVisor or firecracker VMs
The only important system that uses it as a security boundary is Android and there is mitigated by the fact that APKs need user approval, plus strict SELinux and seccomp policy plus the GrapheneOS hardening, and in this case the mitigations succeeded (https://discuss.grapheneos.org/d/35110-grapheneos-is-protect...)
dawnerd 16 hours ago
A LOT of websites are tenants on WHM/CPanel hosts. Not to mention how many agencies use it for their clients Wordpress sites.
hsbauauvhabzb 3 hours ago
morpheuskafka 6 hours ago
I thought that was the entire design goal of the Unix model, didn't it originate in the times when hundreds of users logged on to a shared mainframe? There are still public Unix servers like SDF out there. SELinux is just an extra layer so that if someone gets root (ex. due to an exploit in your setuid code or cron jobs etc) it's not game over.
watermelon0 15 hours ago
I'm quite sure there are many application hosting providers which rely on container runtime such as runC (default runtime of containerd/Docker), and a shared kernel between users.
staticassertion 13 hours ago
shimman 17 hours ago
Expecting people to do the right thing is a fundamental issue here. Why would you ever expect for all of vulnerabilities to be disclosed privately? There's very little actual incentive to do this.
I'm honestly unaware of what systems could be put in place to prevent this but expecting people to always do the right thing is fantasy level thinking. I mean I bet the disclosers thought they were doing the right thing, hence why it's a bad thing to rely on.
edit: spelling/grammer.
dwedge 16 hours ago
When the exploit is an advertisement for an exploit detection company, not doing the right thing is a bad look
dgellow 16 hours ago
egonschiele 16 hours ago
Why don't all these distro maintainers add their own back doors, and mine crypto off our machines without our knowledge? Surely, there is some legal fine print they can add that would let them do that. There is very little incentive for them to maintain these systems, given how thankless and underpaid the work is.
hsbauauvhabzb 3 hours ago
baggy_trough 17 hours ago
Why wouldn't the linux security team notify the main linux distributions?
staticassertion 13 hours ago
bonzini 16 hours ago
bluepuma77 15 hours ago
shimman 13 hours ago
holowoodman 17 hours ago
I can accept (and welcome) disclosure before there are patches.
But publishing a working exploit together with the disclosure before patches are available is really really irresponsible, maybe even criminal.
And no, the proposed mitigations don't help with half of the distributions out there...
staticassertion 13 hours ago
akerl_ 16 hours ago
SoftTalker 16 hours ago
wang_li 16 hours ago
semiquaver 16 hours ago
skywhopper 17 hours ago
I think it’s reasonable to expect folks in the security community who go to the trouble of creating a website detailing security vulnerabilities in specific listed software to pre-notify the security teams of that software. The CopyFail website calls out Ubuntu and Red Hat specifically, but apparently the author of the site did not inform them of the issue?
But even if you think making unethical decisions in personal self interest is something no one should be criticized for, surely the Linux kernel team ought to have some process for notifying the top distributions of an upcoming LPE, just out of practicality.
semiquaver 16 hours ago
bossyTeacher 16 hours ago
> expecting people to always do the right thing is fantasy level thinking.
Most people in tech think like the techie in this comic strip.
ebiederm 12 hours ago
The notification happen when the fix was shipped. That people would prefer to been spoon fed only serious security issues is understandable, but not realistic.
A large percentage of kernel fixes have the potential to be similarly bad. For some the potential isn't even realized until after the fix has shipped.
Ever stable release GregKH says you must upgrade now, because there is something security relevant in there. This happens at least once a week.
As for shared hosting providers it is my sense that there is always at least one local privilege escalation available to miscreants. Making shared hosting only safe if there is a certain amount of trust.
I remember bugs that were similarly bad from my university days 30+ years ago. Has anything substantially changed?
CodesInChaos 14 hours ago
> Who knows how many shared hosting providers were hacked with this.
I'd consider a shared hoster which allows users to run their own (native) code and doesn't use VMs for tenant isolation extremely irresponsible in 2026.
saysjonathan 14 hours ago
This is probably more common than you think. VMs are expensive, both in resources and cost (if you’re using something commercial). OS-level isolation (shared kernel, cgroups, namespaces) is used pervasively
krzyk 4 hours ago
There are so many distributions that it is not possible to notify each one, unless there is some single distribution list for all.
And if you disclose to just a handful, why ignore the rest?
akerl_ 16 hours ago
Who knows how many attackers had found this vulnerability and had already been using it prior to this research finding it?
BeetleB 15 hours ago
Argument from uncertainty is not a good way to reason about this.
I could equally ask: "Who knows how many attackers learned about this vulnerability from this disclosure, and used it before the distributions fixed it?"
akerl_ 15 hours ago
Quarrelsome 16 hours ago
well now everyone does, so the irresponsible disclosure makes it significantly worse.
akerl_ 16 hours ago
bitexploder 9 hours ago
There is no such thing as irresponsible disclosure. Thanks though.
porridgeraisin 2 hours ago
Fundamentally.
The disclosure is private. Meaning neither the commit messages nor any public info can leak too much information about the bug. It's usually kept rather discrete.
It is impractical for the kernel to broadcast to all its users privately.
Meaning that either a) distro maintainers should be privy to it, but where does this end?[1] or b) we have the current situation
[1] probably the top 5 distros security teams can just be copied into the private mail. Maybe the kernel security private list can forward the emails to them as well.
Problem is, every other type of communication between distros and kernel is implicit. In commit messages, patches and release notes. So it's an exceptional case.
BTW, with LLMs there's a new issue. It is now cheap to scan the kernel commit log maybe in _next and ask it to identify what could be a patch for a private disclosure. And then immediately RE the patch and exploit it on deployed kernels.
bombcar 14 hours ago
The title on this post was changed to imply that only the Gentoo developer was left out - which I could believe.
bombcar 10 hours ago
And now it was changed back. I'm goin' insane.
Sophira 2 hours ago
IshKebab 14 hours ago
> Who knows how many shared hosting providers were hacked with this.
None? Because nobody* does hosting using Linux users as a security boundary. It's not the 90s.
* Standard HN disclaimer for people that think that some retro shell box with 10 users disproves "nobody": nobody does not literally mean exactly 0 people in this context.
PunchyHamster 13 hours ago
At least thankfully workaround is one line in a file.
bethekidyouwant 11 hours ago
“Shared hosting providers” These haven’t been a thing since VMs … basically for this reason. There’s always a local privilege exploit.
sgbeal 2 hours ago
> “Shared hosting providers” These haven’t been a thing since VMs
That is unfortunately not true. i left my last one only a few years ago and they're still going strong without me.
mschuster91 15 hours ago
> Anyway, this is a disaster. It was extremely irresponsible to share the exploit with the world before the distributions shipped the fix. Who knows how many shared hosting providers were hacked with this.
Maybe it is irresponsible how little attention we pay to software security. Maybe, software developers of all kind should spend an entire year not developing any features at all, but fix all the tech debt of 30 years instead.
Yes, that sounds revolutionary, but I do not see an alternative in an age where all you need to find kernel bugs of this scale with AI agents.
TacticalCoder 12 hours ago
> It was extremely irresponsible to share the exploit with the world before the distributions shipped the fix.
It's a total arsehole'y move to not share with open-source projects (like Debian) but for commercial vendors like Microsoft I don't give a crap.
Now let's not get carried away either: that's a privilege escalation, so it already requires access to a local account. We're not exactly in Jia Tan "I backdoor every SSH out there if your Linux distro is using systemd" territory either.
johnbarron 16 hours ago
>> Anyway, this is a disaster. It was extremely irresponsible to share the exploit with the world before the distributions shipped the fix.
Maybe a decade of corporations with revenue in the billions, paying peanuts and coffee money, for critical vulnerability disclosures made it....
deng 16 hours ago
> It was extremely irresponsible to share the exploit with the world before the distributions shipped the fix.
Yes, this was clearly a marketing stunt to promote Xint code.
I, for one, will never use Xint code and will advise everyone to never use it. To anyone working there: enjoy your 15 minutes, I hope this backfires right in your face.
psifertex 6 hours ago
I doubt it will and I hope it doesn't.
External security research happens for one of only a few reasons typically:
1) hobbyists who are learning or just like to do it for fun 2) bug bounties (good luck with those in most open source) 3) marketing for security companies 4) non-public research going to CNO/CNE
If you want to kill 3, the output of 1 will not come close to 4 and the public is NOT better off with fewer public bugs.
999900000999 16 hours ago
Counterpoint. End users have a right to mitigate this issue on their systems.
It is a really really bad look for Linux, puts a bit of water on all hype around switching from Windows.
roxolotl 16 hours ago
It does? The disclosure even says the concern for single user systems is very low. If someone has access to your single user system, remote or otherwise, you’ve already lost on the sort of device people would be switching from windows to Linux on.
m3047 13 hours ago
999900000999 16 hours ago
vhantz 16 hours ago
As opposed to all other operating systems with no CVEs ever?
weavejester 16 hours ago
Hype around switching from Windows servers?
ddtaylor 14 hours ago
What happens if someone does the exploit in WSL?
cbarnes99 15 hours ago
You clearly have no idea how often windows has unpatched privesc exploits.
johnbarron 16 hours ago
>> puts a bit of water on all hype around switching from Windows.
Said no one ever...present post excluded :-))
semiquaver 17 hours ago
> Note that for Linux kernel vulnerabilities, unless the reporter chooses to bring it to the linux-distros ML, there is no heads-up to distributions.
Why would they imply it is incumbent on the reporter to liaise with distributions? That seems to assume a high level of familiarity with the linux project. Vulnerability reporters shouldn’t be responsible for directly working with every downstream consumer of the linux kernel, what’s the limiting principal there? Should the reporter also be directly talking to all device manufacturers that use Linux on their machines?
IMO reporter did more than enough by responsibly disclosing it to linux and waiting for a patch to land.
Aren’t there people in the linux project itself with authority over and responsibility for security vulnerabilities? One would think they would be the ones notifying downstream distros…
aduwah 16 hours ago
Especially since the reporter is explicitly asked not to notify the distro teams first.
https://docs.kernel.org/process/security-bugs.html
```As such, the kernel security team strongly recommends that as a reporter of a potential security issue you DO NOT contact the “linux-distros” mailing list UNTIL a fix is accepted by the affected code’s maintainers and you have read the distros wiki page above and you fully understand the requirements that contacting “linux-distros” will impose on you and the kernel community. ```
pmontra 5 hours ago
There are a zillion of distributions. The mailing list at https://oss-security.openwall.org/wiki/mailing-lists/distros includes some I never heard about and misses some famous ones (Mint, POP OS.)
The bug is in the kernel, so it's OK to notify only the kernel team. Then they should notify the distributions they are in contact with.
The first message about Copy Fail that I see in the archive https://www.openwall.com/lists/oss-security/2026/04/ is from April 29. I run apt on my Debian 13 yesterday and got the fixed kernel.
Do I expect that every distribution is already patched? I don't. However each of us choose the distribution to run. Security can be one of the criteria for the choice. I played safe and I'm using Debian. Other people can make a different tradeoff maybe based on their personal threat analysis.
There are people running end of life kernels and distributions in production, or with pinned old kernels especially on ARM SBCs. I know both. Those are other choices made at the user end of the process.
IMHO the disclosure and fix process was run in the proper way from the researcher to the end user.
nubinetwork 13 hours ago
I don't get why the initial reporter should have to do that legwork. The kernel maintainers should be doing that.
nomel 9 hours ago
stonogo 15 hours ago
The kernel team has been at odds with the CVE process and the oss-security community about this stuff for many, many years now. It's a big part of why the kernel team established a CNA and started flooding CVE notifications; they don't believe that security problems are different than non-security problems, and refuse to establish norms or policies based on the idea that they are.
throw0101a 11 hours ago
IshKebab 14 hours ago
sega_sai 16 hours ago
The reporter took time to check and mention on their website specific distributions Ubuntu/RHEL/SUSE. One would have thought reporting to security teams of at least those would be responsible.
semiquaver 16 hours ago
“One” would have thought? Can you point to a written policy that says that’s how it should be?
happyopossum 16 hours ago
anikom15 16 hours ago
skywhopper 17 hours ago
The reporter made a website explicitly calling out Ubuntu, RedHat, Amazon, and SUSE but didn’t notify them, and you think that’s reasonable? That they might not have known those distributions are downstream from the kernel team?
Legend2440 15 hours ago
If you notify the kernel and they ship a fix, it seems reasonable to expect that they will communicate the fix to the distros.
I see this as an organizational failure of the Linux ecosystem. There should be better communication between distro and kernel development.
dweinus 11 hours ago
sigmar 14 hours ago
What is the heuristic for who should get the heads up? Should they notify amazon but not google simply because they named amazon linux in the report? Seems to me the answer to my first question gets messy fast.
sparker72678 17 hours ago
Sure, maybe it's not a _requirement_, but now we're all in more pain because the reporters are more interested in Fame than Safe Remediation.
tptacek 14 hours ago
No, you're in more pain, but other defenders with different postures benefit from having faster and fuller disclosure.
ori_b 12 hours ago
throw0101a 11 hours ago
froh 16 hours ago
it's trivial to find out how to report a security issue like this to Linux distros.
Google search: https://share.google/aimode/eihDKXZJy94Z5lC1p
and it's beyond me to not think about doing this and instead exposing everyone and their neighbor to this exploit up front.
I'm certain this is even a felony in some legislations, rightfully so.
dboreham 15 hours ago
Agree it's not a good look for these folks, notwithstanding that disclosure is mostly theater.
iTokio 4 hours ago
The most interesting exchange, related to disclosure, is this one:
https://www.openwall.com/lists/oss-security/2026/05/01/3
> Nope, sorry, we are NOT allowed to notify anyone about anything "ahead of time" otherwise we will have to tell everyone about everything. That's the only policy by which all the legal/governmental agencies have agreed to allow us to operate in, so we are stuck with it.
greg k-h
whateverboat 2 hours ago
As much as I like linux, this is stupid.
whatevaa 14 hours ago
Stop blaming the reporter. Start asking kernel to fix their process. Linux kernel is no longer a toy project, it has full time employees employed by various companies. They should have handled notifying distributions. Not some rando.
pamcake 5 hours ago
Look, if they namedrop specific distros in their announcement (marketing) blog post as affected, I think a heads-up before publishing that is appropriate and expected.
I don't think they would have gotten as much flame if it weren't for how the RHEL 14 mention and such were put.
This is a security company with a professional(?) communications department banking on pointing fingers at distro maintainers. We are not talking about solo security researchers or academics here.
nirava 2 hours ago
Exactly. Any security person absolutely KNOWS that the distros are still going to be vulnerable. They're exploiting this process loophole to knowingly cause chaos and gain notoriety.
At this point this is not really white-hat/ethical hacking anymore.
Ofc the kernel-distro security loophole is stupid and should be patched ASAP, but that doesn't absolve this company of wrongdoing.
dweinus 11 hours ago
No, I will. The distros and the kernel devs should be talking and moving on high sev patches, sure. But real people will have gotten hurt because the reporter didn't want to wait for that to happen. That's on them.
john_strinlai 10 hours ago
you must be unfamiliar what used to happen before hard deadlines were set on disclosure. it was much worse for the users.
here is a good start: https://projectzero.google/vulnerability-disclosure-faq.html...
there is ~3 decades of more context if you search for it.
stingraycharles 3 hours ago
pkoiralap 11 hours ago
It's one thing to report a vulnerability, another entirely to make a crazy exploit available for any tom, dick, and harry to take and use. It was irresponsible of whoever came up with it to release it in the world without first giving major distros a head's up.
bell-cot 11 hours ago
Bashing on the reporter is pointless feel-good. This is a massive vuln. It was 4 weeks after Kernel had a patch. They had no way to know if others parties had also discovered the vuln. Lord Knows how many millions of systems could already have been rooted. The reporter is not their minion.
If I call 911 to report a fire at an oil storage facility - and they ask me to alert the hospital, then phone the neighboring county's Sheriff Dept., and then...yeah. Either I'm way out in the sticks (and known to/trusted by the 911 operator), or else the 911 service is run by children.
robocat an hour ago
GranPC 15 hours ago
Just for what it's worth, I just pushed an eBPF-based workaround for people who are running kernels in which AF_ALG is linked directly into the kernel and not as a module: https://github.com/Dabbleam/CVE-2026-31431-mitigation
I am running this in production right now and it mitigates the attack, with no unexpected side-effects as far as I can see.
sersi an hour ago
Interesting comment by Greg Kroah-Hartman when asked why the kernel team doesn't notify distros directly
> Nope, sorry, we are NOT allowed to notify anyone about anything "ahead of time" otherwise we will have to tell everyone about everything. That's the only policy by which all the legal/governmental agencies have agreed to allow us to operate in, so we are stuck with it.
I'd be interested in knowing more about that policy... Seems that there should be exceptions for the major distros.
Of course, major distros who have contracts with SLA could also pay for someone to be on the kernel security team and get a heads up like that..
KingMachiavelli 15 hours ago
`nosuid` and probably `nodev` should IMO be the default filesystem mount options. `/dev` is already a special devtmpfs and the initrd minimal /dev can just explicitly mount the initrd tmpfs rootfs with `dev` and `suid` if necessary.
Letting SUID binaries just "exist" anywhere is a stupendous security issue. What if you mount some external storage medium, how are you to verify that none of the SUID binaries on that block device are malicious.
Additionally, this exploit appears to only work if the user executing the SUID binary can also read the SUID binary. There's no reason for non-root users to have read on a SUID binary.
NixOS does this correctly. No SUID in the normal package installation directory `/nix/store` and no package leakage outside of that no `nosuid` can safety be used on all other mountpoints. The exception is just a single-purpose `/run/wrappers.$hash` directory that safety contains executable ONLY SUID wrappers.
muvlon 14 hours ago
While I hate suid as much as the next person, it's really not the problem here.
The bug that is being exploited gives you basically arbitrary page cache poisoning. At that point it's already game over. Patching a suid program is maybe the easiest way to get a root shell from that but far from the only.
xorcist 13 hours ago
The proof of concept exploit is just that. It is meant to demonstrate one attack vector only. There are many others. If your goal is to prevent the conceptual exploit only then there are many easier ways to accomplish that, such as blacklisting, that does not make you safer.
With this vulnerability you can manipulate the page cache. You could also manipulate ld.so to hook into arbitraty system calls, or set your uid to 0, or any of another dozen or so ways to elevate your privileges.
Mount points have nothing to do with this, even if is always a good idea to disallow suid in user writable areas and prevent reading suid files, but that's for other reasons. NixOS does nothing to fix this and is just as vulnerable as everyone else.
akdev1l 14 hours ago
Without read permissions you cannot execute the binary, that would not make any sense.
To execute the binary it needs to be read from disk and loaded into memory.
In fact if you have read permissions but not executable permissions on a specific binary then you can still execute it by calling the linker directly /bin/ld.so.1 /path/to/binary (the linker will read and load the binary and then jump to the entry point without an exec() call)
aaronmdjones 12 hours ago
> Without read permissions you cannot execute the binary
This is not correct, as when the binary is setuid-someone-else, you are not the one executing it; they are.
$ cat hello.c
#include <stdio.h>
int main(void)
{
(void) puts("Hello, world!");
return 0;
}
$ clang-21 -Weverything hello.c -o hello
$ sudo chown root:root hello
$ sudo chmod 4711 hello
$ ls -l hello
-rws--x--x 1 root root 16056 Apr 30 22:22 hello
$ ./hello
Hello, world!
$ id
uid=1000(aaron) gid=1000(aaron) groups=1000(aaron),27(sudo),46(plugdev),100(users)
akdev1l 12 hours ago
tryauuum 12 hours ago
this ld.so magic will lose the suid bit
$ /bin/ld.so `which sudo`
sudo-rs: sudo must be owned by uid 0 and have the setuid bit setPlagman 14 hours ago
loader
ectospheno 17 hours ago
The Bleeping Computer link below mentions a potential remedy until a patch is ready.
https://www.bleepingcomputer.com/news/security/new-linux-cop...
jayofdoom 17 hours ago
This workaround only applies to kernels with the impacted code compiled as a module. RHEL, Fedora, and Gentoo (we use a modified Fedora config) all are configured to build this in directly. Without a patch or config change (as Sam from Gentoo was alluding to), those distributions remain vulnerable.
jcul 16 hours ago
There was some discussion on the GitHub issues about workarounds to disable it, even though it is baked in.
https://github.com/theori-io/copy-fail-CVE-2026-31431/issues...
https://github.com/theori-io/copy-fail-CVE-2026-31431/issues...
pitrdevries 16 hours ago
This worked as a mitigation on distros with the module compiled into the kernel: https://gist.github.com/m3nu/c19269ef4fd6fa53b03eb388f77464d...
Basically: sudo grubby --update-kernel=ALL --args=initcall_blacklist=algif_aead_init
sudo reboot
akdev1l 14 hours ago
F44 is safe as the kernel is greater than 6.18.22
ranger_danger 6 hours ago
For compiled-in kernels you can also work around it without rebooting via apparmor, seccomp or SELinux at the least, there may be eBPF or other methods too.
holowoodman 17 hours ago
The potential remedy doesn't work on RedHat and derivatives because the affected code is not a module there but statically compiled in.
swinglock 14 hours ago
Neither was NixOS.
https://discourse.nixos.org/t/is-nixos-affected-by-copy-fail...
Denvercoder9 13 hours ago
None of the distros were.
seniorThrowaway 16 hours ago
Ubuntu has patches out, tested before and after patching.
uberduper 16 hours ago
`initcall_blacklist` is a thing.
ChrisArchitect 16 hours ago
lrvick 14 hours ago
Was not disclosed to stagex, and I expect a lot of linux distros. Thankfully we were already on kernel 7.0 so not impacted
anthk 2 hours ago
Hyperbola GNU was save because they still use Python 3.8 for both political and stable reasons.
nromiun 42 minutes ago
Python 3.10 is only used for the exploit. You can easily rewrite it for 3.8 as well. The vulnerability itself does not require Python at all.
m00dy 2 hours ago
Welcome to AI first world, everything is about fail and repriced.
worthless-trash 4 hours ago
I believe this is the side effect of having upstream manage the CVE process.
The distros dont get any involvement until release, welcome to the suck.
2OEH8eoCRo0 9 hours ago
Seems silly. How many distros need to be notified? There are hundreds.
kro 3 hours ago
That is true, but if at least the widely used ones would get notified before that would be beneficial. If they have a responsible security contact point.
- Debian
- Ubuntu
- Arch
- Amazon/Azure
- Fedora/RHEL
JasonHEIN 15 hours ago
huh somehow seeing people not using ai to work is like wow moment which i cherish a lot these days
lionkor 12 hours ago
You're likely in an echo chamber! Barely anyone I know uses AI as more than a fallible tool.
VladVladikoff 14 hours ago
Hey Xint Code / tylerni7 <https://news.ycombinator.com/threads?id=tylerni7>, maybe you should improve your disclosure process as well? Maybe make it mandatory for users of your tool?
john_strinlai 14 hours ago
they disclosed 30 days after the patch was merged in the thing they reported to.
its the same disclosure policy as google's project zero, and several other major players, so you should probably be trying to ping a lot more people
reporters should not be responsible for finding out and individually reporting to every downstream consumer. blame the kernel security team, who is in a much better position to coordinate notifications to individual distro security teams.
VladVladikoff 11 hours ago
In the original thread they admitted multiple times that they rushed it out for marketing reasons.
john_strinlai 11 hours ago
tptacek 13 hours ago
The security research community would run you out on a rail if you tried to take a successful research product and attach mandatory disclosure norms to it.
VladVladikoff 11 hours ago
Couldn't the product itself disclose to the vendors?
tptacek 11 hours ago
Skywalker13 13 hours ago
I have checked all the servers (bookworm, bullseye) that I manage, and none of them have the algif_aead module loaded.
Seems not fatal to all non-patched systems.
Denvercoder9 13 hours ago
Not having the module loaded doesn't mean you're not vulnerable, the kernel loads the module on-demand when it's needed. I tried the exploit on such a system, and it worked.
However, not having the module loaded does mean that in normal operation you don't need the module, so the proposed mitigation of disabling the module is safe in the sense that it won't disrupt anything.
Skywalker13 13 hours ago
I don't know what exactly can load this module but the servers are running for many weeks and I suppose that if something will load this module, it stays loaded until the next reboot.. no ?
I tried to rmmod on all servers and rmmod always returns `ERROR: Module algif_aead is not currently loaded`, that's why I think it's fine. Of course I take a look on https://security-tracker.debian.org/tracker/CVE-2026-31431 for the updates.
Denvercoder9 12 hours ago
bombcar 8 hours ago
TacticalCoder 12 hours ago
> I have checked all the servers (bookworm, bullseye) that I manage, and none of them have the algif_aead module loaded.
But only Trixie (and testing/Sid) are patched (as I type this).
On Bookworm (and Bullseye), you want to add the module to list of blocked modules. It's a one-line change.