As someone who works on the Linux kernel's cryptography code, the regularly occurring AF_ALG exploits are really frustrating. AF_ALG, which was added to the kernel many years ago without sufficient review, should not exist. It's very complex, and it exposes a massive attack surface to unprivileged userspace programs. And it's almost completely unnecessary, as userspace already has its own cryptography code to use. The kernel's cryptography code is just for in-kernel users (for example, dm-crypt).
The algorithm being used in this exploit, "authencesn", is even an IPsec implementation detail, which never should have been exposed to userspace as a general-purpose en/decryption API.
If you're in charge of the configuration for a Linux kernel, I strongly recommend disabling all CONFIG_CRYPTO_USER_API_* kconfig options. This would have made this bug, and also every past and future AF_ALG bug, unexploitable. In the unlikely event that you find that it breaks any userspace programs on your system, please help migrate them to userspace crypto code! For some it's already been done. But in general, AF_ALG has actually never been used much in the first place, other than in exploits.
I don't think there's much other option. This sort of userspace API might have been sort of okay many years ago. But it just doesn't stand up in a world with syzbot, LLM-assisted bug discovery, etc.
still_grokking 1 hours ago [-]
As I did not know what AF_ALG is in the first place I've searched for it and found this here:
> * The first and most important item is the access to hardware accelerators and hardware devices whose technical interface can only be accessed from the kernel mode / supervisor state of the processor. Such support cannot be used from user space except through AF_ALG.
> * When using user space libraries, all key material and other cryptographic sensitive parameters remains in the calling application's memory even when the application supplied the information to the library. When using AF_ALG, the key material and other sensitive parameters are handed to the kernel. The calling application now can reliably erase that information from its memory and just use the cipher handle to perform the cryptographic operations. If the application is cracked an attacker cannot obtain the key material.
> * On memory constrained systems like embedded systems, the additional memory footprint of a user space cryptographic library may be too much. As the kernel requires the kernel crypto API to be present, reusing existing code should reduce the memory footprint.
I can't judge whether this is a good justification, but there is one.
buckle8017 12 minutes ago [-]
You should take note that this is written by the person that wrote the bad patch.
So grain of salt.
still_grokking 5 minutes ago [-]
I've said I'm not sure about the validity of that reasoning.
I've liked it nevertheless for context, as augmentation to parent's post.
alpn 2 hours ago [-]
For anyone wondering: AF_ALG is a Linux socket interface that exposes the kernel’s crypto API via file descriptors, using normal read(2)/write(2) calls for hashing and encryption.
Fr0styMatt88 1 hours ago [-]
How did it get in? Isn’t Linus known for being rightfully fussy about what makes it into the kernel?
Would be an interesting story.
sidewndr46 1 hours ago [-]
any idea what software this will break once I turn this kernel configuration off?
ebiggers 11 minutes ago [-]
iwd is the main culprit (for systems that use it instead of wpa_supplicant).
I think cryptsetup / LUKS also requires it with some non-default options. With the default options, it works fine with the kconfigs disabled.
There's not much else, as far as I know. Normally programs just use a userspace library instead, such as OpenSSL.
31 minutes ago [-]
xeeeeeeeeeeenu 6 hours ago [-]
It seems there was some kind of confusion during the disclosure process, because the vendors aren't treating this vulnerability as serious and it remains unpatched in many distros.
Seems like distros consider it a medium risk because it doesn't involve remote code execution and requires local access. Though it allows local root privilege escalation which is considered high priority.
> Medium: A significant problem, typically exploitable for many users. Includes network daemon denial of service, cross-site scripting, and gaining user privileges.
oskarkk 6 hours ago [-]
Strange that it's not classified as "high", which specifically includes "local root privilege escalations".
> High: A significant problem, typically exploitable for nearly all users in a default installation of Ubuntu. Includes serious remote denial of service, local root privilege escalations, local data theft, and data loss.
amarant 4 hours ago [-]
It is high now, someone at canonical is paying attention it seems
6 hours ago [-]
mghackerlady 4 hours ago [-]
it's not like this couldn't be chained with some other exploit to get remote access to get remote root access which seems like a bit of an issue
daveoc64 4 hours ago [-]
Ubuntu seems to have updated the page to say that it's a high priority now.
5 hours ago [-]
staticassertion 2 hours ago [-]
It was already known to attackers (or basically anyone watching) weeks ago when the patch hit the kernel but it wasn't communicated by upstream as a vuln (because Linus and Greg do not believe that vulnerabilities are conceptually relevant to the kernel).
still_grokking 1 hours ago [-]
Will this continue like that even when the prophesied Mythos Vulnocalypse hits the Kernel?
This stance doesn't seem sustainable any more to me.
staticassertion 1 hours ago [-]
The response from Greg was that Mythos proved that upstream was right all along and that they'll continue to do things the same way. That's my recollection, at least - pretty sure it was something like that, could have been even worse though and I'm misremembering.
The stance was never sustainable, hence linux LPEs being constantly available. The solution is to treat your kernel as impossible to secure. Notably, gvisor users are not impacted by this CVE. Seccomp also kills this CVE.
still_grokking 1 hours ago [-]
How about SELinux, like on Android?
staticassertion 33 minutes ago [-]
I assume that wouldn't help here but I could easily be wrong. (Assuming if you're asking if SELinux would block this exploit).
wangman 4 hours ago [-]
RedHat has also changed it to "Important severity" and "Affected" now.
Tuna-Fish 6 hours ago [-]
Yeah, by ubuntu's own guidelines linked on that page, this should be priority: high, but instead it's marked as medium.
arcfour 2 hours ago [-]
It's unfortunate that this does not include which versions of the kernel are vulnerable/patched, especially since this is a builtin module which cannot be easily removed with rmmod...
...fixed in 6.18.22 with commit fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8
...fixed in 6.19.12 with commit ce42ee423e58dffa5ec03524054c9d8bfd4f6237
...fixed in 7.0 with commit a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5
Hope that helps.
nh2 6 hours ago [-]
If you want to use the suggested mitigation (disabling kernel module `algif_aead` with a modprobe config), and you do not want to run that whole obfuscated shell code to get an actual root shell, but only check if the module can be loaded, here is a readable version of its first few lines:
python3 -c 'import socket; s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0); s.bind(("aead","authencesn(hmac(sha256),cbc(aes))")); print("algif_aead probably successfully loaded, mitigation not effective; remove again with: rmmod algif_aead")'
Similarly, when the mitigation is in place,
modprobe algif_aead
should fail with an error.
hackernudes 5 hours ago [-]
LPE = local privilege escalation
Too many darn acronyms. This one wasn't too hard to figure out from context but I wish people would define acronyms before using them!
arcfour 2 hours ago [-]
LPE is a very well-known acronym within the security community, it's not purely academic or obscure or anything.
I agree that it would be a good idea to define it explicitly when writing for a broader audience, but I don't think it's particularly egregious that they didn't. It's certainly something I could see myself forgetting.
Then again, the whole writeup appears to be AI-generated, so...
jjordan 4 hours ago [-]
Good writing for a broad audience requires it. Unfortunately the LLMs don't tend to adopt this guideline.
boston_clone 4 hours ago [-]
it’s a CVE write up; the audience for these knows what an LPE is.
acdha 3 hours ago [-]
That’s very optimistic. I’d bet there are an order of magnitude more people wondering how exposed they are than security researchers reading this.
I've read many CVEs (somehow that acronym is ok... heh) but have never seen LPE despite being familiar with the concept.
staticassertion 2 hours ago [-]
That seems literally borderline impossible.
smaudet 18 minutes ago [-]
You should re-evaluate your probabilities, I too have heard frequently of CVEs, but never of an LPE.
staticassertion 16 minutes ago [-]
I'm sure lots of people have heard of CVEs, but have you actually read many? LPE is an extremely common term. It's like not knowing RCE. These are the terms used.
1970-01-01 1 hours ago [-]
I don't know why, but newer writers have never been taught to expand their acronyms on first use. I blame the US education system.
jesse_dot_id 4 hours ago [-]
Good thing nobody is silly enough to let fully autonomous AI agents run as regular users on these affected operating systems. That could be disastrous given a zero day prompt injection technique.
chromacity 2 hours ago [-]
I don't see what the issue is, my agent is already running as root.
ryandrake 2 hours ago [-]
Good thing we haven't normalized installing things with curl | sh
still_grokking 1 hours ago [-]
Yeah, that's great!
Imagine we would download random code from the internet and just execute it, like with NPM, PIP, Maven, Cargo etc.
om8 30 minutes ago [-]
cargo/uv/go have lock files though
FlyThruTheSun 1 hours ago [-]
I literally ship an installer that runs with curl | bash... reading this thread while patching my servers is a fun experience lol
sieabahlpark 3 hours ago [-]
[dead]
jzb 7 hours ago [-]
This is amazing. Page says it works on RHEL 14.3, which doesn’t exist. Current RHEL is 10.x, this must’ve been done in a TARDIS.
oskarkk 6 hours ago [-]
14.3 seems to come from some Red Hat-specific GCC version, which can be reported as "gcc (GCC) 14.3.1 20250617 (Red Hat 14.3.1-2)". See these random examples I found by googling:
On the same line it says kernel version 6.12.0-124.45.1.el10_1. Which is RHEL 10. This is the kind of typo that humans make -- the hard to type numbers are accurate because they're cut and pasted, but the "easy" numbers have errors because they're not cut and pasted.
tylerni7 6 hours ago [-]
ugh sorry should be fixed. There was some scrambling to get more info together to explain the issue (and yes, obviously marketing), so there are some minor mistakes. Thanks for pointing it out!
justinclift 4 hours ago [-]
> obviously marketing
Why marketing though?
tylerni7 4 hours ago [-]
because we're a company and we want to make money to continue to fund cool research, and help our customers secure their software :)
Sohcahtoa82 4 hours ago [-]
Resume-driven development
IgorPartola 3 hours ago [-]
I would rather people who find this kind of stuff pad their resumes and get coolness points on HN than sell this exploit on the black market. But your priorities may be different and you might prefer they do the latter.
0x00cl 7 minutes ago [-]
This is just a false dichotomy. Sure researches want money, credit but not at the cost of harming users or doing illegal things.
cozzyd 2 hours ago [-]
yeah, I assumed the whole thing was AI slop when I saw EL14...
rdtsc 7 hours ago [-]
> This is amazing. Page says it works on RHEL 14.3, which doesn’t exist. Current RHEL is 10.x, this must’ve been done in a TARDIS.
Indeed. "Distributions we directly verified: RHEL 14.3". Directly verified by me to be AI slop (the release page at least).
I have a sneaking suspicion his first name is Claude. Don't get me wrong though, he is pretty good I hear.
tptacek 7 hours ago [-]
I have no idea about this page, but Theori/Xint has a staff of veterans, they are a serious thing.
rdtsc 7 hours ago [-]
The fact that they have no idea RHEL 14, probably the most well known enterprise distro, is not a thing, and yet they "directly verified on it" casts some doubt on seriousness.
tptacek 7 hours ago [-]
I don't know what to tell you. I'm sure you have them dead to rights on Linux distro knowledge reliability, but the exploit here is real, and the vulnerability researchers they have on staff are also real. Xint is not generally a slop factory.
It's ironic that the one thing LLMs can't do reliably in this space is "write copy for humans" (I don't trust them for that either).
JeremyNT 5 hours ago [-]
Honestly I feel like a coding agent review would have caught this issue. I guess if you want to vibe-code your branded CVE web site it's not a bad idea to at least mash /review at the end.
Kind of funny to do something impressive and then ignore the details on the presentation, but perhaps that's not uncommon for security researchers?
6 hours ago [-]
stackghost 7 hours ago [-]
Is it more likely they have no idea what version RHEL is on, or that it's just a typo?
7 hours ago [-]
0x0 5 hours ago [-]
Dropping a public exploit on github before distros have patches available isn't very cool, or is that just how veterans roll these days?
tptacek 5 hours ago [-]
There is no one accepted set of norms on disclosure. Any strategy you take, someone will criticize.
akerl_ 5 hours ago [-]
I don’t know if “cool” is the word I’d use, but there isn’t an established “right” way to disclose a vulnerability that you found outside of a contracted security review or other employment/contracting arrangement.
john_strinlai 4 hours ago [-]
mainline was patched a month ago
7 hours ago [-]
m3nu 3 hours ago [-]
I wasn't able to unload algif_aead on RHEL 9/10 because it's built in, rather than a module.
So here the next-best thing I found: Disable AF_ALG via systemd. Needs drop-ins for all exposed services. Here an Ansible playbook that covers ssdh and user@, which are the main ones usually.
How about blacklisting algif_aead initialization function on RHEL 9/10? I added "initcall_blacklist=algif_aead_init" to the kernel boot options and rebooted. The exploit is not working anymore.
pkoiralap 3 hours ago [-]
I was coming up with the same intuition. However, it's like a whack-a-mole. What about cronjobs and slurmjobs and other services? Is there a way to do this directly on systemd so that all other processes inherit it rather than doing it on each one?
So this replaces a SUID binary, in order to run as PID 0. The website claims it can escape "Kubernetes / container clusters" and "CI runners & build farms" but I don't see anything supporting the claim it can escape a container (or specifically, a user namespace).
I ran the exploit in rootless Podman, and predictably it doesn't escape the container.
They also claim their script "roots every Linux distribution shipped since 2017.", but only tested four; and it doesn't work on Alpine
john_strinlai 7 hours ago [-]
>The website claims it can escape "Kubernetes / container clusters" and "CI runners & build farms" but I don't see anything supporting the claim it can escape a container
they state that the write-up is forthcoming. presumably there is some additional steps or modifications that will be detailed in the 'part 2'.
"Next: "From Pod to Host," how Copy Fail escapes every major cloud Kubernetes platform."
tjbecker 6 hours ago [-]
This is correct. The container escape exploit and writeup is not yet released.
tardedmeme 3 hours ago [-]
It overwrites bytes in memory of any file you can read. It's not hard to imagine how it could escape a lot of things.
The details will depend on whether the kernel is a newer release or a maintenance version of an older release.
Twirrim 4 hours ago [-]
> They also claim their script "roots every Linux distribution shipped since 2017.", but only tested four; and it doesn't work on Alpine
They've done themselves no favours at all with their write up.
It does seem legitimate (I was able to use the PoC on a 24.04 instance), and seems like it should be a big deal, but the actual number of affected distributions seems way lower, and not even remotely as per their claim every distribution since 2017.
For example with Ubuntu, if I'm reading it right there's some impact in 16.04 (EOL), but then at least as per their analysis, only the vendor specific 6.17 kernels they ship that have it (e.g. linux-gcp, linux-oracle-6.7 etc.). That's a relatively new kernel version they started shipping recently, after it was released upstream last September.
x4132 2 hours ago [-]
i mean, it doesn't work on any SELinux, but it's still quite severe anyhow
rcxdude 7 hours ago [-]
If you can get to real UID 0 from a rootless container, you can escape it, but you do need to take extra steps. Same with it working on Alpine: the underlying vulnerability probably still exists, but the script might need some adjusting. It's a PoC, not a full exploit for every situation.
7 hours ago [-]
amusingimpala75 7 hours ago [-]
Their PoC does as you say, but is built upon arbitrary modification of the page cache, which could be abused for the other things
progval 7 hours ago [-]
Ah indeed, it can be used to overwrite the page cache for files on read-only volumes.
microtherion 6 hours ago [-]
It also doesn't work on Raspberry Pi, though presumably it could easily be made to; it does replace the su binary, but the replacement is not executable.
unsnap_biceps 6 hours ago [-]
It's patching the binary in memory, so the binary patch would be architecture dependent. The existing one is only x86_64, but with an updated payload, it would work on arm.
x4132 2 hours ago [-]
this is because the `su` binary is replaced with x86 shellcode, replace it with aarch64 and it will work just the same.
embedding-shape 7 hours ago [-]
Did you try it on systems that don't have the patch already? Seems many distributions already shipped kernels with the patch ~a month ago.
progval 7 hours ago [-]
Yes. Alpine in rootless Podman doesn't work (after replacing "/usr/bin/su" with "/bin/su" in the .py, running the .py just doesn't do anything) while it does in Debian in rootless Podman on the same host.
x4132 2 hours ago [-]
there is a PoC floating around for Alpine.
giis 42 minutes ago [-]
As soon as I read this
>Shared dev boxes, shell-as-a-service, jump hosts, build servers — anywhere multiple users share a kernel. any user becomes root
jumped out of bed and went straight into webminal.org servers as local user and ran the python code. It says permission denied on sock() call.
For mitigation, the page currently basically just says:
> Update your distribution's kernel package to one that includes mainline commit a664bf3d603d
But it isn't very clear to me what Kernel version you can expect that to be in. For Arch/CachyOS, the patch seems to be included in 6.18.22+, 6.19.12+ and 7.0+. If you're on any of the lower versions in the same upstream stable series, you're likely vulnerable right now. Some distro kernels may include the fix in other versions, so check for your distribution.
nh2 6 hours ago [-]
On a git repo that has as remotes
https://github.com/torvalds/linux.git
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git as remotes:
running a search for commit a664bf3d603d's commit message:
distros might also apply patches to their own packages, so this isn't a perfect signal (i.e. if you have one of those versions, you almost certainly have the fix, but if you don't, it might still be fixed but you'll need to check the distro's package information to know for sure).
kro 7 hours ago [-]
Major os vendors will publish pages with the fixed versions:
Edit: and I can confirm that on my system with kernel 6.19.8 the above fixes the exploit.
comfydragon 5 hours ago [-]
Weirdly, the mitigation does not seem to work under WSL2 (at least in Ubuntu 24.04).
Linux wsl2 6.6.87.2-microsoft-standard-WSL2 ...
`modprobe algif_aead` errors out, but if I run the POC, it succeeds.
Outside of WSL2, the mitigation does appear to work though.
tremon 4 hours ago [-]
It's possible that the WSL kernel has that code compiled-in rather than as a loadable module. If they ship the kernel config somewhere, you could verify with
It should show =m if it's a loadable module, and =y if it's compiled in.
comfydragon 3 hours ago [-]
It's a loadable module:
CONFIG_CRYPTO_USER_API_AEAD=m
Using bpftrace to watch calls to module_request, openat, etc., it looks like when the kernel calls modprobe, it doesn't even look at the disable-algif.conf file:
Restart WSL2, run the bpftrace, and try `sudo modprobe algif-aead`, and that shows it looking at (or I guess opening) other files in /etc/modprobe.d, including the new one.
The mystery is why.
phreack 7 hours ago [-]
The page itself seems vibecoded and a bit of an advertisement, but it does look like the vulnerability is real and high risk. It does explain the big security update I just got, guess I'll prioritize updating today.
2001zhaozhao 4 hours ago [-]
This is pretty obviously an advertisement but it's a pretty good advertisement imo, it pairs a meaningful contribution to the OSS ecosystem (discovering and patching a real bug) with selling your cybersecurity tool at the same time.
angry_octet 3 hours ago [-]
These guys don't need to advertise, they are already 100% busy with work. But who wastes their time manually creating web pages? Especially kernel devs.
tkgally 3 hours ago [-]
Side comment: I have recently used Claude Code to make a few sites for testing purposes. In the prompt I added "don't make it look vibe coded," and it worked pretty well: No purple gradients, bento box layouts, etc. Nothing spectacularly original, either, but probably enough to avoid accusations of vibe coding.
x4132 2 hours ago [-]
it's advertising their AI, not the talents of their humans :D
not_your_vase 8 hours ago [-]
Is there a readable version of the exploit readily available by any chance? Gotta admit that I failed binary-zip-interpretation-with-naked-eye class twice
The binary "zip" isn't the exploit, it's the shellcode. The exploit is the rest, which changes the code of a SUID executable (su).
stackghost 6 hours ago [-]
The call to zlib basically overwrites a minimal ELF into a portion of the `su` binary, which exceve's /bin/sh.
rkeene2 5 hours ago [-]
I couldn't get the POC to work with my version of Python so I had ChatGPT convert it to C [0] and was able to verify my Slackware system does not appear to be affected, but my NixOS system would be if I had any world-readable suid binaries (which I had to make one to test it).
I'm not sure I have any setuid/setgid binaries that are world-readable...
rkeene2 6 hours ago [-]
A workaround might be to make all setuid/setgid files non-world-readable because then they cannot be opened at all, and thus there is no setuid file to replace the contents of.
hashstring 5 hours ago [-]
Eh, if you can pollute page caches this won’t safe you.
Think modifying shared libraries, ld preload, cron, I guess on some systems /etc/passwd even.
There are a lot of files readable that should definitely not be writable.
rkeene2 4 hours ago [-]
Fair enough -- a simpler change might be to poison /etc/passwd and call `su` to a user that has uid 0, since that requires no shell code nor a readable binary, and this seems to have worked in a slightly modified POC:
It being readable is the default configuration most places, after all the purpose is to call it from a non-privileged user. But I could see it being made non-readable since its use is discouraged nowadays... though then I'd expect sudo to be readable as an alternative.
rkeene2 5 hours ago [-]
My `sudo` is also not readable. Files/directories don't need to be readable to be executed. I can still use `su` and `sudo`.
tjbecker 5 hours ago [-]
For this crowd, I highly suggest checking out the technical writeup
This has frustratingly low information density for a technical writeup. The LLM output on the marketing page is whatever, but here it really feels like my time isn’t being respected.
dgellow 7 hours ago [-]
That’s the most AI-written page ever made
collinmanderson 6 hours ago [-]
Yes. So cringy.
commandersaki 1 hours ago [-]
Tried this on my arch VPS which has a few users that hasn't been rebooted for 122 days.
Got:
OSError: [Errno 97] Address family not supported by protocol
I guess AF_ALG is not part of the Arch Linux LTS kernel?
Edit:
Looks like on Arch you have to go out of your way to have this enabled.
$ zcat /proc/config.gz | grep CONFIG_CRYPTO_USER_API
CONFIG_CRYPTO_USER_API=m
CONFIG_CRYPTO_USER_API_HASH=m
CONFIG_CRYPTO_USER_API_SKCIPHER=m
CONFIG_CRYPTO_USER_API_RNG=m
# CONFIG_CRYPTO_USER_API_RNG_CAVP is not set
CONFIG_CRYPTO_USER_API_AEAD=m
# CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is not set
$ uname -r
6.12.63-1-lts
bblb 7 hours ago [-]
What is "RHEL 14.3"? Was this site a one shot prompt. Quality.
skilled 7 hours ago [-]
This looks like an extraordinary find at first glance.
Does this mean you can go from a basic web shell from a shared hosting account to root? I can see how that could wreak havoc really quickly.
barbegal 7 hours ago [-]
Yes I would imagine lots of those type of services would be vulnerable if they hadn't updated to the latest kernel versions.
2 hours ago [-]
stackghost 7 hours ago [-]
As of this comment, Debian Stable ("Trixie", though I hate codenames) doesn't have a fix in place and remains vulnerable, or at least their CVE tracker shows it as such:
"Debian Stable ("Trixie", though I hate codenames)"
You can also call it Debian 13.
cachius 6 hours ago [-]
13.4 since 3/14
stackghost 6 hours ago [-]
I choose not to call it Debian 13 because that carries less context than Stable/Testing/sid. I'd rather not require the user to maintain that extra metnal mapping.
Anyone who knows anything about this subject immediately understands what is connoted by "Debian Stable". I run Trixie on most of my personal boxes and I had no idea what version number it is, nor do I particularly care.
tremon 4 hours ago [-]
> I run Trixie on most of my personal boxes and I had no idea what version number it is
It's not that hard to find though:
$ cat /etc/debian_version
13.4
corvad 7 hours ago [-]
If this is verified, this is a very big deal. Root access on any shared computer. Additionally do we know what kernel versions and stable versions have the patch?
Tuna-Fish 7 hours ago [-]
I just tested on my home server running ubuntu 24.04 LTS with newest kernel from repositories, got root.
Avamander 6 hours ago [-]
Can Livepatch mitigate this or is it already? I don't know where to look this up.
Tuna-Fish 5 hours ago [-]
I used the mitigation from this CVE report to turn off AF_ALG.
ranger_danger 5 hours ago [-]
As far as mainline goes, only 7.0 and up have the patch already.
Oddly, the POC doesn't work on my Debian 12 (Bookworm) EC2 instance. Everything that should indicate it's vulnerable is there, including the ability to socket(38,5,0).bind("aead", "authencesn(hmac(sha256),cbc(aes))")
layer8 3 hours ago [-]
What kernel version is it? (`uname -r`)
mikeweiss 1 hours ago [-]
Anyone have any idea when Bottlerocket will acknowledge CVE? Seems like a critical for kubernetes nodes......
> Any setuid-root binary readable by the user works.
Interesting detail. On Alpine, `/usr/bin/su` is not readable by any user, so the PoC doesn't work.
I suspect that the underlying issue can be exploited in other ways, but it makes me think that there's no reason for any suid binary to be world-readable.
Could this be used to root Android devices? Does Android ship with algif_aead?
alufers 5 hours ago [-]
I rewrote it quickly to C [1] (and changed the embedded binary to be aarch64).
Unfortunately it fails on calling bind() on my device, so probalby Android doesn't ship with that kenrel module by default :(. So no freedom for my $40 phone.
Putting it out here, maybe somebody else will have better luck.
Update: Checking the kernel config indeed confirms this.
adb shell zcat /proc/config.gz | grep CONFIG_CRYPTO_USER_API
# CONFIG_CRYPTO_USER_API_HASH is not set
# CONFIG_CRYPTO_USER_API_SKCIPHER is not set
# CONFIG_CRYPTO_USER_API_RNG is not set
# CONFIG_CRYPTO_USER_API_AEAD is not set
tripdout 7 hours ago [-]
There’s SELinux, everything is mounted nosuid, barely anything runs as root except init. I doubt it.
angry_octet 3 hours ago [-]
You don't need a suit binary for this, they have arbitrary write of memory. The suid binary is just a convenient and portable way to demonstrate it. Real exploits will use many different mechanisms.
notpushkin 7 hours ago [-]
I’ve poked around on my phone and it didn’t work:
File "/data/data/com.termux/files/home/a.py", line 5, in c
a=s.socket(38,5,0); # ...
File "/data/data/com.termux/files/usr/lib/python3.13/socket.py", line 233, in __init__
_socket.socket.__init__(self, family, type, proto, fileno)
~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied
int0x29 7 hours ago [-]
I got line 5 to run and failed on line 8 due to lack of su. I'd need to find a user accessible setuid binary for it to work.
Traceback (most recent call last):
File "/data/data/com.termux/files/home/exploit.py", line 8, in <module>
f=g.open("/usr/bin/su",0);i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
^^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/usr/bin/su'
notpushkin 7 hours ago [-]
Try /system/bin/ping
int0x29 7 hours ago [-]
Now the socket is blocked. Also probably should have realized the socket is defined earlier than its called
Traceback (most recent call last):
File "/data/data/com.termux/files/home/exploit.py", line 9, in <module>
while i<len(e):c(f,i,e[i:i+4]);i+=4
^^^^^^^^^^^^^^^
File "/data/data/com.termux/files/home/exploit.py", line 5, in c
a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"4+c],[(h,3,i4),(h,2,b'\x10'+i19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o)
^^^^^^^^^^^^^^^^
File "/data/data/com.termux/files/usr/lib/python3.12/socket.py", line 233, in __init__
_socket.socket.__init__(self, family, type, proto, fileno)
PermissionError: [Errno 13] Permission denied
fragmede 3 hours ago [-]
PoC is also x86_64 only and not arm.
tgies 1 hours ago [-]
[dead]
zb3 7 hours ago [-]
Android is smarter than setuid + system partitions aren't writable.
firer 7 hours ago [-]
System partitions being non-writable has nothing to do with the vulnerability - it allows modifying the cache of any file that you can open for reading.
Not using setuid anywhere means you'd have to build a slightly more clever exploit, but it's still trivial - just modify some binary you know will run as root "soon".
But... I didn't check, but IIRC the untrusted_app secontext that apps run in is not allowed to open AF_ALG sockets - so you can't directly trigger the vulnerability as a malicious app. Although it might be possible in some roundabout way (requesting some more privileged crypto service to do so).
int0x29 7 hours ago [-]
Edit: Ignore this I overlooked calling order. It is indeed blocked
~~My allegedly fully patched pixel 8 pro allowed an AF_ALG socket to open under termux without virtualization so I'm not sure the last but is true~~
zb3 6 hours ago [-]
Ah, I blindly assumed such memory would be mapped readonly...
int0x29 7 hours ago [-]
Its not writing to the partition though is it? It is polluting the cache page via a write with a buffer overrun in the kernel. I don't think buffer overruns follow permissions.
zb3 6 hours ago [-]
I assumed such memory would be mapped readonly (PROT_READ), without actually looking into it..
smlacy 7 hours ago [-]
The fetishism of "byte count" (here, as "732 byte python script") needs to stop, especially when in a context like this where they're trying to illustrate a real failure modality.
Looking at their source code [1] it starts with this simple line:
import os as g,zlib,socket as s
And already I'm perplexed. "os as g"? but we're not aliasing "zlib as z"? Clearly this is auto-generated by some kind of minimizer? Likely because zlib is called only once, and os multiple times. As a code author/reviewer, I would never write "os as g" and I would absolutely never approve review of any code that used this.
Anyway, I could go on. :) Let's just stop fetishizing byte count
Hilariously, "os as g" adds one more byte than it saves, since os is only used 4 times but the alias takes 5 extra bytes to save 4. And "socket as s" comes out even.
If you wanted real savings, you'd use "d=bytes.fromhex" instead of defining a function -- 17 bytes!! And d('00') -> b'\0' for -2 bytes.
We could easily get the byte count down further by using base64.b85decode instead of bytes.fromhex (-70 or so), but ultimately we're optimizing a meaningless metric, as you mention.
debo_ 6 hours ago [-]
I don't see it as fetishizing byte count. I think of it as a proxy measure for how complicated or uncomplicated the exploit might be. They could just as well have said "we can do it in 3 lines of python" or "the Shannon entropy of the script implementing the exploit is really small" and I would have interpreted it similarly.
Where do you see this "fetishizing" happening most often? It's a strange thing to counter-fetishize about.
layer8 5 hours ago [-]
> I think of it as a proxy measure for how complicated or uncomplicated the exploit might be.
From a Busy Beaver, 256-bytes compo, or Dwitter perspective, 732 bytes isn’t really that meaningful.
And the sample exploit is even optimizing the byte size by using zlib compression, which doesn’t make much sense for the purpose. It just emphasizes the byte count fetishization.
debo_ 4 hours ago [-]
Again, I think the point is that compressed size is a reasonable measure of the inherent complexity of a program. I'm a crap mathematician, but I believe that is a fundamental concept in information theory.
layer8 3 hours ago [-]
But it isn’t compressed size, the compressed part is only 180 bytes of the 732.
debo_ 2 hours ago [-]
Ah, got it. Thank you.
tptacek 6 hours ago [-]
I don't get the 732-byte thing either and while I think it's a relatively punchy and unusually informative landing page for named vulnerability there are little snags like this all over it.
But the fact that it's not a kernel-exec LPE and it's reliable across kernels and distributions is important; it's close to the maximum "exploitability" you're going to see with an LPE. Which the page does communicate effectively; it just gilds the lily.
tylerni7 5 hours ago [-]
yeah... definitely a bit of a rush to get the landing page out after a long time in the disclosure process. The folks putting this all together have been working like mad (finding the bug, disclosing, working a lot on patching, writing up POCs and verifying exploitability in different scenarios) and stayed up really late to finish up the landing page, which led to a lot of minor issues.
But the bug is real and people should patch :)
For the size: sometimes people will shove in kilobytes of offset tables or something into an exploit, so it'll fingerprint and then look up details to work. This is much smaller because it doesn't need any of that, which is important for severity. (I agree the "golf" nature is a bit of an aside, kind of like pwn2own exploits taking "10 seconds")
xmcp123 3 hours ago [-]
Glad I’m not alone. The whiplash from “oh, python I can read this” to “what the hell does that do” was jarring.
Assuming AI was correct, it unpacks more or less like this
"The honest solution: a clean 50-line cut" and so on, ad nauseam
infogulch 5 hours ago [-]
While I agree that it doesn't make much sense to use a minimizer on code the reader could understand, the code-golfed byte count of a CVE repro communicates its complexity in a certain visceral way.
embedding-shape 7 hours ago [-]
> I would absolutely never approve review of any code that used this.
How often do you review, and subsequently block the release, of PoCs in this sort of context? Sounds like you've faced this a lot.
I always thought code quality mattered less in those, as long as you communicate the intent.
Xirdus 6 hours ago [-]
If you have a choice between posting minimized exploit code, and posting regular exploit code, posting minimized code is virtually always the wrong choice.
If you have a choice between pointing out the byte size of the exploit, and not pointing out the byte size of the exploit, pointing it out is virtually always the wrong choice.
In both cases, doing the right thing is less work. So somebody is going the extra way to ensure they are doing it wrong. If they didn't care, they'd end up doing it right by default.
nvme0n1p1 5 hours ago [-]
> as long as you communicate the intent
How does "import os as g" communicate the intent? How does hiding the payload behind zlib communicate the intent? This is the opposite: obfuscating the intent, so they can brag about 732 bytes instead of 846 bytes (or whatever it might have been).
It would have been less work for everyone involved to just release the unminified source.
opello 6 hours ago [-]
While not formally reviewing code like this, I read a lot of it for fun. When it's clear and understandable, it's more educational and enjoyable. If the PoC code can also serve as a means of communication, that seems like an extra win.
rts_cts 5 hours ago [-]
I started to take the exploit script apart and reformat it to be something readable. At about 1041 bytes it's actually readable. The heart of it also includes an encoded zlib compressed blob that's 180 bytes long ('78daab77...'). This is decompressed (zlib.decompress(d(BLOB)) to a 160 byte ELF header.
refulgentis 7 hours ago [-]
It's just lazy AI* writing w/0 editing.
"Just" is doing a lot of work there, I'm so annoyed reading it.
It's like an anti-ad and they had pretty cool material to work with.
* Claude loves stacatto "Some numeric figure. Something else. Intensifier" (ex. the "exploitable for a decade." or whatever sentences)
bonzini 6 hours ago [-]
Completely without editing, to the point of hallucinating a RHEL version (14.3) that doesn't exist.
This is pretty legible compared to the 90s C rootshell.org exploits.
fragmede 6 hours ago [-]
> Anyway, I could go on.
Then go on. zlib is only used once, so "zlib as z" in exchange for using z once doesn't get you anything. Using os directly and not renaming it g saves you 2 bytes though. But in this age where AI outputs reams of code at the drop of a hat, why shouldn't we enjoy how small you can get it to pop a root shell?
edit: If we drop offset_src=0 and just pass in 0 positionally, it comes down to 720.
Banditoz 5 hours ago [-]
>...why shouldn't we enjoy how small you can get it to pop a root shell?
Because I want to know what the exploit is doing and how it works, and if it's even safe to run.
A privesc PoC is NOT the place for this kind of fun.
akdev1l 5 hours ago [-]
Agreed lmao the PoC itself looks like you’re getting attacked
Which I guess is true but I would like to verify the attack is the intended one
john_strinlai 7 hours ago [-]
>As a code author/reviewer, I would never write "os as g" and I would absolutely never approve review of any code that used this.
lucky for them, its an exploit script, not enterprise code.
all that needs to be "reviewed" is whether or not it exploits the thing its supposed to.
edit: yall really think a 10-line proof of concept script needs to undergo a code review? wild. i shouldnt be surprised that the top comment on a cool LPE exploit is complaining about variable naming
StableAlkyne 5 hours ago [-]
It's just sloppy. Readers are human, and little mistakes like this take away from the article. Then you add a nonexistent RHEL version, and it just isn't a good look. Which is a shame, because it's otherwise a very interesting vuln.
Maybe you didn't care, but the length of this comment chain clearly shows that it matters. Effective communication is just as important as the engineering.
john_strinlai 5 hours ago [-]
agreed regarding the RHEL version!
i just dont understand huffing and puffing over "os as g" in a 10-line poc script, and saying "well i would never approve this". its not enterprise code. its not code that will ever be used anywhere else, for anything. its sole purpose is to prove that the exploit is real, which it does!
the rest of the information is in the actual vulnerability report. the poc is a courtesy to the reportee, so that they can confirm that the report itself isnt bullshit.
evidently, given the downvotes i am getting, people think exploit scripts should be enterprise quality code. ¯\_(ツ)_/¯ half of the reports i see flowing through mailing lists dont even have a poc.
amazingly HN-like to be upset about a variable name
akdev1l 5 hours ago [-]
Disagree because to run the PoC you really ought to understand what it’s doing.
And this code is not readable at all. It is failing at letting people confirm the exploit easily.
john_strinlai 5 hours ago [-]
>Disagree because to run the PoC you really ought to understand what it’s doing.
that is contained in the report, which will look similar to the blog. the maintainers will have an open line of contact with the reporters as well. the poc is a small part of the entire report. its not like the linux maintainers only received this poc and have to work out the vulnerability from it alone.
>It is failing at letting people confirm the exploit easily.
it confirms the exploit incredibly easy. just run it, and you get confirmation.
akdev1l 3 hours ago [-]
what the blog says and what the code does are two different things.
For all I know the blog itself is a honey pot. I need to know what the code does before I run it.
john_strinlai 2 hours ago [-]
>I need to know what the code does before I run it.
its literally code meant to exploit your system. you should be running it in an environment built for that already.
you dont test exploit pocs on your daily driver.
asdfaoeu 2 hours ago [-]
While your at it you can enter your credit card details to see if they've been leaked.
asdfaoeu 4 hours ago [-]
I don't anyone is saying it's not "enterprise" it's just that they clearly went out of their way to make it less readable. By all means advertise the golf'd line count but just have the non minified script.
Xirdus 6 hours ago [-]
I'd imagine that at minimum, the team in charge of patching the vulnerability would need to review how the exploit works.
john_strinlai 6 hours ago [-]
id imagine that they received more than just the poc in the report they received
Xirdus 5 hours ago [-]
That doesn't make reviewing the POC any less valuable.
john_strinlai 5 hours ago [-]
what value do you believe renaming the variable from "g" to something else provides the linux maintainers?
Xirdus 5 hours ago [-]
It makes the exploit code more readable. We all love to laugh at C folks but for real, even Linux kernel maintainers care about readability.
q3k 4 hours ago [-]
Quickly dove into this.
1. Yes, it's real.
2. Current chain can write any arbitrary content to any user-readable file (into the page cache).
3. Current chain relies on an available target suid binary that you can open() as a lowpriv user.
4. Current exploit relies on that binary being /bin/su and then being able to execve(/bin/sh, 0, 0) (which doesn't work on alpine, etc.). The former is easily replaced in the code. The latter needs a rebuilt payload ELF (also easy).
5. The authors say they have other chains (including ones that allow container escapes). I believe them.
6. A mildly de-minified PoC for Alpine with a new payload ELF is at hackerspace[pl]/~q3k/alpine.py . You'll need /bin/ping from iputils. This should be now somewhat reliable on any distro that has a `/bin/sh` and any setuid-and-readable binary (you'll just need to find it on your own).
q3k 3 hours ago [-]
And yeah, you can just change arbitrary instructions of any running process (including privileged) as long as you have read access to that process' binary:
It's certainly marketing, but it's prosocial: there's no scarcity of names, and "copy.fail" is much easier to remember and talk about than "CVE-2026-31431".
evanjrowley 7 hours ago [-]
The AI generated prose screams marketing. Marketing is why there's a "Contact our Security Team" form at the bottom of the page.
john_strinlai 7 hours ago [-]
can you remember what CVE-2021-44228 is without looking it up? CVE-2014-6271? CVE-2017-5753?
i bet if i told you their names, you would instantly know what vulns those are.
its easier to talk about things with names. it hurts no one. it takes approximately no effort or time.
CVEs are, for whatever reason, like the only thing on the planet that people seem to have a problem with when they receive a name. i am not sure why.
QuantumNomad_ 7 hours ago [-]
> CVEs are, for whatever reason, like the only thing on the planet that people seem to have a problem with when they receive a name. i am not sure why.
What, you guys talk about books based on their “title” instead of just memorising the ISBN of each book? Pssh, count me disappointed!
john_strinlai 7 hours ago [-]
after work i have to stop at Y87794H0US1R65VBXU25 for some groceries.
akerl_ 6 hours ago [-]
I only refer to my kids by their social security numbers until they do something suitably remarkable.
I guess it’s a good thing I’m not a SovCit or I’d just have to call them Traveller Three and Traveller Four
skilled 8 hours ago [-]
Probably to some extent it is marketing, but generally it has to do with significant bug finds to get the message out to the people who need to apply patches and/or be informed. Heartbleed, Log4Shell, etc.
Very few CVE’s get names dedicated to them like this, because usually when they do - it is very serious, as in this case.
eddythompson80 7 hours ago [-]
Giving catchy names for bad exploits has been a thing for a while. Probably to make sure it's easy to reference and make sure you're patches as opposed to passing numbers around. Heartbleed, Shellshock, BEAST, Goto Fail, etc
dgellow 7 hours ago [-]
Yes, originally it was to help spread awareness. Now it has become more of a gimmick I would say
ronsor 8 hours ago [-]
It makes sure people don't forget about the vulnerabilities, at least
Fuzzbit 8 hours ago [-]
Same reason they name storms, numbers scare normies
w2seraph 7 hours ago [-]
holy smokes it just rooted my just installed from ISO Ubuntu server
erans 5 hours ago [-]
For agents, if you are concerned about that, block access to "su" as it is interactive anyway. Not loading it into the memory will block the attack. If you are using AgentSH (https://www.agentsh.org) you can add a rule to block "su" and soon be able to block AF_ALG sockets if you want to further protect things.
tardedmeme 3 hours ago [-]
This vulnerability can affect any file you can read. The PoC uses "su" but any setuid binary or any binary that root invokes or is already running as root is vulnerable, as well as many configuration files.
On the downside, I need to push new kernels to all my servers.
On this bright side, does this mean Magisk is coming to all unpatched Android phones?
akdev1l 5 hours ago [-]
No, Android doesn’t have suid binaries to exploit like in the PoC
tardedmeme 3 hours ago [-]
The vulnerability can also be used on any binary that is already running as root and you can open for reading. So yes, any android app can now escalate to root if android has the vulnerable module.
userbinator 2 hours ago [-]
Unfortunately another comment thread here says that it doesn't.
kayson 3 hours ago [-]
s6-overlay is a popular container image base for many self hosted services, and it uses an suid binary for startup. I wonder if this could be used to escape the container?
TZubiri 48 minutes ago [-]
It looks like this is legit, but the script is very phishy and I wouldn't run it in unvirtualized or disposable systems.
This is not source code, this is binary, it's entirely possible that this contains a script that downloads another malicious script (or that simply contains the malicious commands)
That said, I understand why a terser script might have been prioritized.
EDIT: There's a couple of C ports in the comments that contain more details and no compressed payloads.
q3k 24 minutes ago [-]
> This is not source code, this is binary, it's entirely possible that this contains a script that downloads another malicious script (or that simply contains the malicious commands)
It doesn't, it's just a compressed ELF file that does setuid(0); execve(/bin/sh, 0, 0). You can just unzlib it and throw it in a disassembler.
Ekaros 7 hours ago [-]
So this could be usable in lot of places with Python and Linux running? Not that I have too many Linux devices around. Still, might be handy sometimes on personal devices.
kro 7 hours ago [-]
This can likely be shipped as binary code without dependencies like python, as the bug is in the kernel.
There's nothing specific about this related to Python, that's just demonstrating how it works.
This is usable anywhere on an affected Kernel version
firesteelrain 3 hours ago [-]
RHEL is listing this as fix deferred for RHEL 8 and 9.
krunck 6 hours ago [-]
Wow. I tried it on an old testing VM of Ubuntu 24.04 that had not been touched for a few months. Instant root with the bonus that any user that runs "su" gets root too.
I updated the VM thinking it would be fixed afterward. Nope.
akdev1l 5 hours ago [-]
You’d have to reinstall the su binary itself I guess
cyberpunk 5 hours ago [-]
It just changes the page cache for the su binary, a reboot will revert it.
majorchord 5 hours ago [-]
No need to reboot:
sync && echo 3 >/proc/sys/vm/drop_caches
chvish 5 hours ago [-]
Are kernel crypto modules even loaded by default on enterprise distros
ranger_danger 5 hours ago [-]
Attempting to open an AF_ALG socket will load the module on-demand if necessary.
DannyBee 2 hours ago [-]
I love how it says
"Standalone PoC. Python 3.10+ stdlib only (os, socket, zlib).
Targets /usr/bin/su by default; pass another setuid binary as argv[1]."
Except you can't pass another setuid binary as argv[1] because the AI writing this slop never added that feature to this python script.
I can't get it to work on any distro i've tried.
zdimension 4 hours ago [-]
Works on all my servers. This is terrifying.
aniou 6 hours ago [-]
Looks like a LLM hallucination - there is no thing like "RHEL 14.3", although referenced kernel signature (6.12.0-124.45.1.el10_1) contains reference to real RHEL release, i.e. 10.1.
jchw 3 hours ago [-]
I tried this on NixOS, but it doesn't seem to be easily reproducible. There's no /usr/bin/su - okay, fine: I changed it to /run/wrappers/bin/su, but that didn't work, and I think the reason why is because the NixOS suid wrappers have +x but not +r:
Not that this makes the underlying mechanism of the exploit any better, but I wonder what else you can do with it. Is there a way to target a suid binary that doesn't have +r? I guess all of the suid binaries necessarily don't, since the wrapper system doesn't grant it and you can't have suid binaries in the /nix/store.
I know it's also unrelated, but this is the most aggressively obvious LLM slop copy I've ever seen and it is a page with like 30 sentences. I guess we're just seriously doing this, huh?
dist-epoch 6 hours ago [-]
> Will you release the full PoC?
> Yes — it's on this page. We held it for a month while distros prepared patches; the major builds are out as of this writing.
There is no update available for Ubuntu 24, PoC works and just tried updating.
DetroitThrow 7 hours ago [-]
Despite the copy/images being weird about RHEL 14.3, this seems to work. Wow?
charcircuit 7 hours ago [-]
SUID binaries once again assisted a local privilege escalation attack. This is a major problem that distros can't keep ignoring.
marshray 3 hours ago [-]
There's a claim upthread that a straightforward variation works against /etc/passwd.
q3k 23 minutes ago [-]
You can also just use this to patch libc and turn close() into close-but-also-give-me-a-root-shell().
themafia 7 hours ago [-]
> If your kernel was built between 2017 and the patch
This is why I compile my own kernel. I disable things I don't use. If it's not present it can't hurt you.
> block AF_ALG socket creation via seccomp regardless of patch state.
Likewise I use seccomp to only allow syscalls that are necessary. Everything else is disabled. In the programs I have that need to connect to a backend socket, that is done, and then socket creation is disabled.
tosti 5 hours ago [-]
Any pointers on how to set that up? Like, run all the things through strace, cut the first field, sort, uniq, run through some template and something somesuch what how?
maxtaco 7 hours ago [-]
Use extreme caution running arbitrary code on your machines, especially obfuscated code that tickles kernel bugs! (edited)
stackghost 7 hours ago [-]
Analysis of the POC concurs with my tests that confirm that the portion of `su` that gets overwritten does not survive a reboot.
wang_li 5 hours ago [-]
it's living in your page cache, not on your disk. flush the caches and it'll disappear.
stackghost 3 hours ago [-]
Indeed. But it's easier to just kill a container or a k8s node and reprovision than to flush the caches
charcircuit 7 hours ago [-]
The page explicitly describes that it is stealthy as it does not make permanent changes, only corrupting the binary in memory.
scratchyone 5 hours ago [-]
unfortunately the page can also lie to you haha. it seems people have reviewed the code by now, but running suspicious shellcode you don't fully understand is never a great idea.
charcircuit 3 hours ago [-]
I personally had AI review the code, add comments, disassemble the shell code, etc.
scratchyone 3 hours ago [-]
that's quite smart. i was almost stupid enough to paste it into a terminal to check if it worked before deciding to wait and let others analyze it first haha
It does not behave as described on EndeavorOS (arch-based) running kernel 6.19.14-arch1-1. I receive the error:
Password: su: Authentication token manipulation error
I'm guessing this means it's already patched?
john_strinlai 7 hours ago [-]
yes, it was reported on march 23rd, patches on april 1.
you are reading about it now because it has been patched.
marshray 7 hours ago [-]
No it hasn't.
Ubuntu before 26.04 LTS (released a week ago) are currently listed as vulnerable.
Debian other than forky and sid are currently listed as vulnerable.
This is a disgrace.
john_strinlai 7 hours ago [-]
Disclosure timeline
2026-03-23Reported to Linux kernel security team
2026-03-24Initial acknowledgment
2026-03-25Patches proposed and reviewed
2026-04-01Patch committed to mainline
2026-04-22CVE-2026-31431 assigned
2026-04-29Public disclosure (https://copy.fail/)
kernel 6.19.14-arch1-1, the kernel in question from the parent comment, has been patched.
marshray 5 hours ago [-]
The lesson here being... compile your own kernel from git sources every few days?
Give up entirely on non-virtualized container security?
This is not sarcasm. I'd finally given in and started learning about docker/podman-style OCI containerization last week.
john_strinlai 5 hours ago [-]
in this specific case, they offer an alternative mitigation if your chosen distro has not updated yet:
For immediate mitigation, block AF_ALG socket creation via seccomp or blacklist the algif_aead module:
I'd do 'umask 133' in front of the echo out of paranoia.
Out of curiosity, was the asterisk after '2>/dev/null' intentional? I had not seen that idiom before.
john_strinlai 5 hours ago [-]
the asterisk is my oops, trying to format the comment in italics to differentiate my comment from the text provided by the author. sorry for the confusion
ranger_danger 5 hours ago [-]
And I would do chattr +i disable-algif.conf
x4132 1 hours ago [-]
are you sure containerization would be more secure? this is also a rootless podman escape. the lesson here is to not give random people shell access to your systems.
dimastopel 7 hours ago [-]
same result on my arch machine as well.
eaf7e281 4 hours ago [-]
I'm impressed that such a serious problem popped up out of nowhere.
In my opinion, this mostly affects countries that are still using outdated systems, especially critical systems.
This gives bad actors a direct route to the root. Having an easily accessible root is not funny.
pixel_popping 5 hours ago [-]
Yet, some people will still continue to say that "AI" isn't ready to replace (or strongly assist) our workflows, sure, some of the best humans devs left a vulnerability that serious (It's extremely serious, so many container as a service are vulnerable) for 9 years and an agent found it in 1 hour, maybe it's time to wake up and accept that it's UNSAFE to not use AI for security review as well?
collinmcnulty 5 hours ago [-]
A human security researcher found the core issue and an agent searched for where to apply it. I don’t think “an agent found it in one hour” is a fair summary of what happened.
marshray 3 hours ago [-]
"The starting insight — that splice() hands page-cache pages into the crypto subsystem and that scatterlist page provenance might be an under-explored bug class — came from human research by Taeyang Lee at Xint.
From there, Xint Code scaled the audit across the entire crypto/ subsystem in roughly an hour. Copy Fail was the highest-severity finding in the run."
So, if anything, this might argue against the presence of huge quantities of high-severity bugs in this part of the Linux kernel (that could be found by "Xint Code"-class scanning systems).
pixel_popping 5 hours ago [-]
I was a bit rough, agreed, but the overall point is still correct, I kinda want to emphasize that I've also ran hundred of loops recently (combination of opus-4.6/gpt-5.4/gemini-3.1-pro-preview) toward a Rust codebase that we manage and that we deemed secure after many audits and found 2 serious issues as well in it, this was also audited externally by a third party that we've paid, which makes me genuinely scared of releasing anything without deep AI verification nowadays.
Anybody has the same feeling?
Rendered at 02:06:47 GMT+0000 (Coordinated Universal Time) with Vercel.
The algorithm being used in this exploit, "authencesn", is even an IPsec implementation detail, which never should have been exposed to userspace as a general-purpose en/decryption API.
If you're in charge of the configuration for a Linux kernel, I strongly recommend disabling all CONFIG_CRYPTO_USER_API_* kconfig options. This would have made this bug, and also every past and future AF_ALG bug, unexploitable. In the unlikely event that you find that it breaks any userspace programs on your system, please help migrate them to userspace crypto code! For some it's already been done. But in general, AF_ALG has actually never been used much in the first place, other than in exploits.
I don't think there's much other option. This sort of userspace API might have been sort of okay many years ago. But it just doesn't stand up in a world with syzbot, LLM-assisted bug discovery, etc.
https://www.chronox.de/libkcapi/html/ch01s02.html
It states the following:
> There are several reasons for AF_ALG:
> * The first and most important item is the access to hardware accelerators and hardware devices whose technical interface can only be accessed from the kernel mode / supervisor state of the processor. Such support cannot be used from user space except through AF_ALG.
> * When using user space libraries, all key material and other cryptographic sensitive parameters remains in the calling application's memory even when the application supplied the information to the library. When using AF_ALG, the key material and other sensitive parameters are handed to the kernel. The calling application now can reliably erase that information from its memory and just use the cipher handle to perform the cryptographic operations. If the application is cracked an attacker cannot obtain the key material.
> * On memory constrained systems like embedded systems, the additional memory footprint of a user space cryptographic library may be too much. As the kernel requires the kernel crypto API to be present, reusing existing code should reduce the memory footprint.
I can't judge whether this is a good justification, but there is one.
So grain of salt.
I've liked it nevertheless for context, as augmentation to parent's post.
Would be an interesting story.
I think cryptsetup / LUKS also requires it with some non-default options. With the default options, it works fine with the kconfigs disabled.
There's not much else, as far as I know. Normally programs just use a userspace library instead, such as OpenSSL.
https://access.redhat.com/security/cve/cve-2026-31431 "Moderate severity", "Fix deferred"
https://security-tracker.debian.org/tracker/CVE-2026-31431
https://ubuntu.com/security/CVE-2026-31431
https://www.suse.com/security/cve/CVE-2026-31431.html
https://ubuntu.com/security/cves/about#priority
> Medium: A significant problem, typically exploitable for many users. Includes network daemon denial of service, cross-site scripting, and gaining user privileges.
> High: A significant problem, typically exploitable for nearly all users in a default installation of Ubuntu. Includes serious remote denial of service, local root privilege escalations, local data theft, and data loss.
This stance doesn't seem sustainable any more to me.
The stance was never sustainable, hence linux LPEs being constantly available. The solution is to treat your kernel as impossible to secure. Notably, gvisor users are not impacted by this CVE. Seccomp also kills this CVE.
I was wondering if I was vulnerable running Fedora 44, kernel 6.19.14, and after a few minutes of digging I was able to find the linux-cve-announce mailing list post: https://lore.kernel.org/linux-cve-announce/2026042214-CVE-20... which says:
Hope that helps.Too many darn acronyms. This one wasn't too hard to figure out from context but I wish people would define acronyms before using them!
I agree that it would be a good idea to define it explicitly when writing for a broader audience, but I don't think it's particularly egregious that they didn't. It's certainly something I could see myself forgetting.
Then again, the whole writeup appears to be AI-generated, so...
wow
Imagine we would download random code from the internet and just execute it, like with NPM, PIP, Maven, Cargo etc.
https://github.com/anthropics/claude-code/issues/40741 (gcc version "Red Hat 14.3" included in system version at the bottom)
https://docs.oracle.com/en/database/oracle/tuxedo/22/otxig/s...
Why marketing though?
Indeed. "Distributions we directly verified: RHEL 14.3". Directly verified by me to be AI slop (the release page at least).
https://access.redhat.com/articles/red-hat-enterprise-linux-...
> Talk to our security experts
(at the bottom of the page)
I have a sneaking suspicion his first name is Claude. Don't get me wrong though, he is pretty good I hear.
It's ironic that the one thing LLMs can't do reliably in this space is "write copy for humans" (I don't trust them for that either).
Kind of funny to do something impressive and then ignore the details on the presentation, but perhaps that's not uncommon for security researchers?
So here the next-best thing I found: Disable AF_ALG via systemd. Needs drop-ins for all exposed services. Here an Ansible playbook that covers ssdh and user@, which are the main ones usually.
https://gist.github.com/m3nu/c19269ef4fd6fa53b03eb388f77464d...
`/etc/systemd/system/service.d/${...}.conf`
I think this is what you're looking for.
I ran the exploit in rootless Podman, and predictably it doesn't escape the container.
They also claim their script "roots every Linux distribution shipped since 2017.", but only tested four; and it doesn't work on Alpine
they state that the write-up is forthcoming. presumably there is some additional steps or modifications that will be detailed in the 'part 2'.
"Next: "From Pod to Host," how Copy Fail escapes every major cloud Kubernetes platform."
The details will depend on whether the kernel is a newer release or a maintenance version of an older release.
They've done themselves no favours at all with their write up.
It does seem legitimate (I was able to use the PoC on a 24.04 instance), and seems like it should be a big deal, but the actual number of affected distributions seems way lower, and not even remotely as per their claim every distribution since 2017.
For example with Ubuntu, if I'm reading it right there's some impact in 16.04 (EOL), but then at least as per their analysis, only the vendor specific 6.17 kernels they ship that have it (e.g. linux-gcp, linux-oracle-6.7 etc.). That's a relatively new kernel version they started shipping recently, after it was released upstream last September.
>Shared dev boxes, shell-as-a-service, jump hosts, build servers — anywhere multiple users share a kernel. any user becomes root
jumped out of bed and went straight into webminal.org servers as local user and ran the python code. It says permission denied on sock() call.
Then I tested with local laptop with it:
```
$ uname -a
Linux debian 6.12.43+deb12-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.43-1~bpo12+1 (2025-09-06) x86_64 GNU/Linux
$ python3 copy_fail_exp.py
# cd /root && ls
bluetooth_fix_log.txt dead.letter overcommit_memorx~ overcommit_memory~ overcommit_memorz~ resize.txt snap
```
It does provide the root access!
> Update your distribution's kernel package to one that includes mainline commit a664bf3d603d
But it isn't very clear to me what Kernel version you can expect that to be in. For Arch/CachyOS, the patch seems to be included in 6.18.22+, 6.19.12+ and 7.0+. If you're on any of the lower versions in the same upstream stable series, you're likely vulnerable right now. Some distro kernels may include the fix in other versions, so check for your distribution.
https://github.com/torvalds/linux/commit/a664bf3d603d
6.18.25-gentoo-x86_64 has the patch for Gentoo.
https://security-tracker.debian.org/tracker/CVE-2026-31431
https://ubuntu.com/security/CVE-2026-31431
Also, disabling algif_aead is suggested as mitigation
> Before you can patch: disable the algif_aead module.
> echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
> rmmod algif_aead 2>/dev/null || true
Edit: and I can confirm that on my system with kernel 6.19.8 the above fixes the exploit.
Outside of WSL2, the mitigation does appear to work though.
The mystery is why.
[0] https://rkeene.org/viewer/tmp/copy_fail_exp.c.htm
EDIT: Sorry, I failed at reading your message. Never mind.
Think modifying shared libraries, ld preload, cron, I guess on some systems /etc/passwd even.
There are a lot of files readable that should definitely not be writable.
https://xint.io/blog/copy-fail-linux-distributions
Got:
I guess AF_ALG is not part of the Arch Linux LTS kernel?Edit:
Looks like on Arch you have to go out of your way to have this enabled.
Does this mean you can go from a basic web shell from a shared hosting account to root? I can see how that could wreak havoc really quickly.
https://security-tracker.debian.org/tracker/CVE-2026-31431
You can also call it Debian 13.
Anyone who knows anything about this subject immediately understands what is connoted by "Debian Stable". I run Trixie on most of my personal boxes and I had no idea what version number it is, nor do I particularly care.
It's not that hard to find though:
https://github.com/bottlerocket-os/bottlerocket/security/adv...
Interesting detail. On Alpine, `/usr/bin/su` is not readable by any user, so the PoC doesn't work.
I suspect that the underlying issue can be exploited in other ways, but it makes me think that there's no reason for any suid binary to be world-readable.
Unfortunately it fails on calling bind() on my device, so probalby Android doesn't ship with that kenrel module by default :(. So no freedom for my $40 phone.
Putting it out here, maybe somebody else will have better luck.
[1] https://gist.github.com/alufers/921cd6c4b606c5014d6cc61eefb0...
Traceback (most recent call last): File "/data/data/com.termux/files/home/exploit.py", line 8, in <module> f=g.open("/usr/bin/su",0);i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3")) ^^^^^^^^^^^^^^^^^^^^^^^ FileNotFoundError: [Errno 2] No such file or directory: '/usr/bin/su'
Traceback (most recent call last): File "/data/data/com.termux/files/home/exploit.py", line 9, in <module> while i<len(e):c(f,i,e[i:i+4]);i+=4 ^^^^^^^^^^^^^^^ File "/data/data/com.termux/files/home/exploit.py", line 5, in c a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"4+c],[(h,3,i4),(h,2,b'\x10'+i19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o) ^^^^^^^^^^^^^^^^ File "/data/data/com.termux/files/usr/lib/python3.12/socket.py", line 233, in __init__ _socket.socket.__init__(self, family, type, proto, fileno) PermissionError: [Errno 13] Permission denied
Not using setuid anywhere means you'd have to build a slightly more clever exploit, but it's still trivial - just modify some binary you know will run as root "soon".
But... I didn't check, but IIRC the untrusted_app secontext that apps run in is not allowed to open AF_ALG sockets - so you can't directly trigger the vulnerability as a malicious app. Although it might be possible in some roundabout way (requesting some more privileged crypto service to do so).
~~My allegedly fully patched pixel 8 pro allowed an AF_ALG socket to open under termux without virtualization so I'm not sure the last but is true~~
Looking at their source code [1] it starts with this simple line:
import os as g,zlib,socket as s
And already I'm perplexed. "os as g"? but we're not aliasing "zlib as z"? Clearly this is auto-generated by some kind of minimizer? Likely because zlib is called only once, and os multiple times. As a code author/reviewer, I would never write "os as g" and I would absolutely never approve review of any code that used this.
Anyway, I could go on. :) Let's just stop fetishizing byte count
[1] https://github.com/theori-io/copy-fail-CVE-2026-31431/blob/m...
If you wanted real savings, you'd use "d=bytes.fromhex" instead of defining a function -- 17 bytes!! And d('00') -> b'\0' for -2 bytes.
We could easily get the byte count down further by using base64.b85decode instead of bytes.fromhex (-70 or so), but ultimately we're optimizing a meaningless metric, as you mention.
Where do you see this "fetishizing" happening most often? It's a strange thing to counter-fetishize about.
From a Busy Beaver, 256-bytes compo, or Dwitter perspective, 732 bytes isn’t really that meaningful.
And the sample exploit is even optimizing the byte size by using zlib compression, which doesn’t make much sense for the purpose. It just emphasizes the byte count fetishization.
But the fact that it's not a kernel-exec LPE and it's reliable across kernels and distributions is important; it's close to the maximum "exploitability" you're going to see with an LPE. Which the page does communicate effectively; it just gilds the lily.
But the bug is real and people should patch :)
For the size: sometimes people will shove in kilobytes of offset tables or something into an exploit, so it'll fingerprint and then look up details to work. This is much smaller because it doesn't need any of that, which is important for severity. (I agree the "golf" nature is a bit of an aside, kind of like pwn2own exploits taking "10 seconds")
Assuming AI was correct, it unpacks more or less like this
import os, zlib, socket
AF_ALG = 38
SOCK_SEQPACKET = 5
SOL_ALG = 279
def hex_bytes(x):
def trigger(fd, offset, patch4): target = os.open("/usr/bin/su", os.O_RDONLY)payload = zlib.decompress(bytes.fromhex("..."))
offset = 0
while offset < len(payload):
os.system("su")"The honest solution: a clean 50-line cut" and so on, ad nauseam
How often do you review, and subsequently block the release, of PoCs in this sort of context? Sounds like you've faced this a lot.
I always thought code quality mattered less in those, as long as you communicate the intent.
If you have a choice between pointing out the byte size of the exploit, and not pointing out the byte size of the exploit, pointing it out is virtually always the wrong choice.
In both cases, doing the right thing is less work. So somebody is going the extra way to ensure they are doing it wrong. If they didn't care, they'd end up doing it right by default.
How does "import os as g" communicate the intent? How does hiding the payload behind zlib communicate the intent? This is the opposite: obfuscating the intent, so they can brag about 732 bytes instead of 846 bytes (or whatever it might have been).
It would have been less work for everyone involved to just release the unminified source.
"Just" is doing a lot of work there, I'm so annoyed reading it.
It's like an anti-ad and they had pretty cool material to work with.
* Claude loves stacatto "Some numeric figure. Something else. Intensifier" (ex. the "exploitable for a decade." or whatever sentences)
Then go on. zlib is only used once, so "zlib as z" in exchange for using z once doesn't get you anything. Using os directly and not renaming it g saves you 2 bytes though. But in this age where AI outputs reams of code at the drop of a hat, why shouldn't we enjoy how small you can get it to pop a root shell?
https://gist.github.com/fragmede/4fb38fb822359b8f5914127c2fe...
edit: If we drop offset_src=0 and just pass in 0 positionally, it comes down to 720.
Because I want to know what the exploit is doing and how it works, and if it's even safe to run.
A privesc PoC is NOT the place for this kind of fun.
Which I guess is true but I would like to verify the attack is the intended one
lucky for them, its an exploit script, not enterprise code.
all that needs to be "reviewed" is whether or not it exploits the thing its supposed to.
edit: yall really think a 10-line proof of concept script needs to undergo a code review? wild. i shouldnt be surprised that the top comment on a cool LPE exploit is complaining about variable naming
Maybe you didn't care, but the length of this comment chain clearly shows that it matters. Effective communication is just as important as the engineering.
i just dont understand huffing and puffing over "os as g" in a 10-line poc script, and saying "well i would never approve this". its not enterprise code. its not code that will ever be used anywhere else, for anything. its sole purpose is to prove that the exploit is real, which it does!
the rest of the information is in the actual vulnerability report. the poc is a courtesy to the reportee, so that they can confirm that the report itself isnt bullshit.
evidently, given the downvotes i am getting, people think exploit scripts should be enterprise quality code. ¯\_(ツ)_/¯ half of the reports i see flowing through mailing lists dont even have a poc.
amazingly HN-like to be upset about a variable name
And this code is not readable at all. It is failing at letting people confirm the exploit easily.
that is contained in the report, which will look similar to the blog. the maintainers will have an open line of contact with the reporters as well. the poc is a small part of the entire report. its not like the linux maintainers only received this poc and have to work out the vulnerability from it alone.
>It is failing at letting people confirm the exploit easily.
it confirms the exploit incredibly easy. just run it, and you get confirmation.
For all I know the blog itself is a honey pot. I need to know what the code does before I run it.
its literally code meant to exploit your system. you should be running it in an environment built for that already.
you dont test exploit pocs on your daily driver.
1. Yes, it's real.
2. Current chain can write any arbitrary content to any user-readable file (into the page cache).
3. Current chain relies on an available target suid binary that you can open() as a lowpriv user.
4. Current exploit relies on that binary being /bin/su and then being able to execve(/bin/sh, 0, 0) (which doesn't work on alpine, etc.). The former is easily replaced in the code. The latter needs a rebuilt payload ELF (also easy).
5. The authors say they have other chains (including ones that allow container escapes). I believe them.
6. A mildly de-minified PoC for Alpine with a new payload ELF is at hackerspace[pl]/~q3k/alpine.py . You'll need /bin/ping from iputils. This should be now somewhat reliable on any distro that has a `/bin/sh` and any setuid-and-readable binary (you'll just need to find it on your own).
https://object.ceph-waw3.hswaw.net/mastodon-prod/media_attac...
i bet if i told you their names, you would instantly know what vulns those are.
its easier to talk about things with names. it hurts no one. it takes approximately no effort or time.
CVEs are, for whatever reason, like the only thing on the planet that people seem to have a problem with when they receive a name. i am not sure why.
What, you guys talk about books based on their “title” instead of just memorising the ISBN of each book? Pssh, count me disappointed!
I guess it’s a good thing I’m not a SovCit or I’d just have to call them Traveller Three and Traveller Four
Very few CVE’s get names dedicated to them like this, because usually when they do - it is very serious, as in this case.
On this bright side, does this mean Magisk is coming to all unpatched Android phones?
https://github.com/theori-io/copy-fail-CVE-2026-31431/blob/m...
>zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
This is not source code, this is binary, it's entirely possible that this contains a script that downloads another malicious script (or that simply contains the malicious commands)
That said, I understand why a terser script might have been prioritized.
EDIT: There's a couple of C ports in the comments that contain more details and no compressed payloads.
It doesn't, it's just a compressed ELF file that does setuid(0); execve(/bin/sh, 0, 0). You can just unzlib it and throw it in a disassembler.
This is usable anywhere on an affected Kernel version
sync && echo 3 >/proc/sys/vm/drop_caches
Except you can't pass another setuid binary as argv[1] because the AI writing this slop never added that feature to this python script.
I can't get it to work on any distro i've tried.
I know it's also unrelated, but this is the most aggressively obvious LLM slop copy I've ever seen and it is a page with like 30 sentences. I guess we're just seriously doing this, huh?
> Yes — it's on this page. We held it for a month while distros prepared patches; the major builds are out as of this writing.
There is no update available for Ubuntu 24, PoC works and just tried updating.
This is why I compile my own kernel. I disable things I don't use. If it's not present it can't hurt you.
> block AF_ALG socket creation via seccomp regardless of patch state.
Likewise I use seccomp to only allow syscalls that are necessary. Everything else is disabled. In the programs I have that need to connect to a backend socket, that is done, and then socket creation is disabled.
Password: su: Authentication token manipulation error
I'm guessing this means it's already patched?
you are reading about it now because it has been patched.
Ubuntu before 26.04 LTS (released a week ago) are currently listed as vulnerable.
Debian other than forky and sid are currently listed as vulnerable.
This is a disgrace.
Give up entirely on non-virtualized container security?
This is not sarcasm. I'd finally given in and started learning about docker/podman-style OCI containerization last week.
For immediate mitigation, block AF_ALG socket creation via seccomp or blacklist the algif_aead module:
I'd do 'umask 133' in front of the echo out of paranoia.
Out of curiosity, was the asterisk after '2>/dev/null' intentional? I had not seen that idiom before.
In my opinion, this mostly affects countries that are still using outdated systems, especially critical systems.
This gives bad actors a direct route to the root. Having an easily accessible root is not funny.
So, if anything, this might argue against the presence of huge quantities of high-severity bugs in this part of the Linux kernel (that could be found by "Xint Code"-class scanning systems).
Anybody has the same feeling?