Linux vulnerability "Copy Fail" is already being exploited

The Linux "Copy Fail" vulnerability, which grants attackers root privileges, became known before the weekend. It is already being exploited.


Just before the long weekend, the Linux security vulnerability “Copy Fail” became known. If attackers exploit it, they can gain root privileges on the default installations of most major Linux distributions since 2017. And they are now doing so.

The US IT security authority CISA is currently warning that the vulnerability is being exploited in the wild. It lists the vulnerability under the description “Linux Kernel Security Vulnerability due to Improper Resource Transfer Between Spheres” (CVE-2026-31431, CVSS 7.8, risk “high”). Several versions of proof-of-concept exploit code are now available online.

Updated Linux source code has been available for about two weeks. Greg Kroah-Hartman has announced the first patches for kernels 6.18.22, 6.19.12, and 7.0 and has indicated further backports. Most Linux distributions now also offer corrected installation packages. IT managers should download and install them quickly.
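A quick triage of a host against the upstream fix points named above, as an added example that is not part of the original article. The function name `classify_kernel` is hypothetical, and the script assumes that every release from 7.0 onward carries the fix; distribution kernels that backport the patch under an older version number cannot be recognized by version alone and are reported as `below-fix` or `unknown`, to be checked against the vendor advisory.

```shell
#!/bin/sh
# Added example: compare a kernel release string with the upstream fix
# points the article names (6.18.22, 6.19.12, 7.0).
# Prints: fixed | below-fix | unknown

classify_kernel() (
    rel=$1

    # Release candidates may predate the fix: do not guess.
    case "$rel" in
        *-rc*) echo unknown; exit 0 ;;
    esac

    # Keep the leading upstream part: "6.18.22-arch1-1" -> "6.18.22"
    ver=${rel%%[!0-9.]*}

    # Split on dots (subshell body, so IFS and "set --" stay local).
    IFS=.
    set -- $ver
    major=${1:-x}; minor=${2:-x}; patch=${3:-0}

    # Anything not purely numeric is reported as unknown.
    case "$major$minor$patch" in
        *[!0-9]*) echo unknown; exit 0 ;;
    esac

    if [ "$major" -ge 7 ]; then
        echo fixed                        # assumption: 7.0 and later carry the fix
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 18 ]; then
        if [ "$patch" -ge 22 ]; then echo fixed; else echo below-fix; fi
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 19 ]; then
        if [ "$patch" -ge 12 ]; then echo fixed; else echo below-fix; fi
    else
        # Other series: the article only says further backports are planned,
        # and distributions patch under their own version numbers.
        echo unknown
    fi
)

# Report on the running kernel.
running=$(uname -r)
echo "$running: $(classify_kernel "$running")"
```

A result of `below-fix` or `unknown` means the version number alone does not confirm the fix; the distribution's package changelog or security advisory for CVE-2026-31431 is the authoritative source.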


The vulnerability was discovered by IT researchers with the help of AI; they used Xint code for this. According to their findings, Linux contains a logic error that allows local users to perform a deterministic, controlled 4-byte write to the page cache of any readable file system on a computer. With a 732-byte Python script, the researchers manage to manipulate a binary file with the setuid flag and thereby gain root privileges. All of this happens in the page cache, leaving no traces on the drive, for example. Since the page cache is shared by the host, attackers can not only gain root privileges but also break out of containers, for example.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.