Copy.Fail Linux Vulnerability

This is the worst Linux vulnerability in years.

TL;DR

  • copy.fail is a Linux kernel local privilege escalation, not a browser or clipboard attack. Disclosed by Theori on 29 April 2026 with a working PoC.
  • It abuses the kernel crypto API (AF_ALG sockets) plus splice() to write four bytes at a time straight into the page cache of a file the attacker does not own.
  • The exploit works unmodified across Ubuntu, RHEL, Debian, SUSE, Amazon Linux, Fedora and most others. No race condition, no per-distro offsets.
  • The file on disk is never modified. AIDE, Tripwire and checksum-based monitoring see nothing.
  • Kubernetes Pod Security Standards (Restricted) and the default RuntimeDefault seccomp profile do not block the syscall used. A custom seccomp profile is needed.
  • The mainline fix landed on 1 April. Distros are rolling kernels out now. Patch.

“Local privilege escalation” sounds dry, so let me unpack it. It means: an attacker who already has some way to run code on the machine, even as the most boring unprivileged user, can promote themselves to root. From there they can read every file, install backdoors, watch every process, and pivot to other systems.

Why does that matter on shared infrastructure? Because “local” covers a lot of ground in 2026: every container on a shared Kubernetes node, every tenant on a shared hosting box, every CI/CD job that runs untrusted pull-request code, every WSL2 instance on a Windows laptop, every containerised AI agent given shell access. They all share one Linux kernel with their neighbours. A kernel LPE collapses that boundary.

News article.
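A defender can check from inside a container, CI job or other workload whether the AF_ALG socket family named above is reachable at all, for instance before and after applying a custom seccomp profile. The following is an added example, not code from this post or from Theori; the function names and the errno-to-verdict mapping are assumptions made for illustration.

```python
import errno
import socket

# AF_ALG is 38 on Linux; fall back to that if this Python build lacks the constant.
AF_ALG = getattr(socket, "AF_ALG", 38)

SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}


def seccomp_mode(status_text):
    """Return the seccomp mode recorded in /proc/<pid>/status text."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == "Seccomp":
            return SECCOMP_MODES.get(value.strip(), "unknown")
    return "unknown"


def classify(err):
    """Map the errno from socket(AF_ALG, ...) to a verdict (assumed mapping)."""
    if err is None:
        return "reachable"      # the kernel crypto socket API is exposed here
    if err in (errno.EPERM, errno.EACCES):
        return "blocked"        # typical of a seccomp ERRNO rule or an LSM denial
    if err in (errno.EAFNOSUPPORT, errno.EPROTONOSUPPORT):
        return "unavailable"    # family not offered, or a filter returning that errno
    return "inconclusive"


def probe_af_alg():
    """Create and immediately close an AF_ALG socket; no algorithm is bound."""
    try:
        socket.socket(AF_ALG, socket.SOCK_SEQPACKET, 0).close()
        return classify(None)
    except OSError as exc:
        return classify(exc.errno)


def report():
    """Combine the probe result with this process's seccomp mode."""
    try:
        with open("/proc/self/status") as fh:
            mode = seccomp_mode(fh.read())
    except OSError:
        mode = "unknown"
    return {"af_alg": probe_af_alg(), "seccomp": mode}


if __name__ == "__main__":
    print(report())
```

A result of `reachable` together with `seccomp: filter` means a filter is loaded but still lets this socket family through.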

Posted on May 12, 2026 at 7:06 AM • 4 Comments

Comments

Rontea May 12, 2026 9:53 AM

This is why local privilege escalations should never be dismissed as low priority. In today’s computing environment, “local” is a misleading term. Every container on a shared Kubernetes cluster, every CI/CD job running untrusted code, and every multi-tenant host provides attackers with the local foothold they need. Once they have that, a reliable kernel LPE like CopyFail collapses the isolation assumptions that modern infrastructure depends on.

Incidents like this reinforce an old lesson: security isn’t just about fixing vulnerabilities, it’s about the system of trust and timing around disclosure and patching. Until that improves, we’ll continue to see what should be minor footholds turn into systemic breaches.

Sidebar photo of Bruce Schneier by Joe MacInnis.