Copy.Fail Linux Vulnerability

This is the worst Linux vulnerability in years.

TL;DR

  • copy.fail is a Linux kernel local privilege escalation, not a browser or clipboard attack. Disclosed by Theori on 29 April 2026 with a working PoC.
  • It abuses the kernel crypto API (AF_ALG sockets) plus splice() to write four bytes at a time straight into the page cache of a file the attacker does not own.
  • The exploit works unmodified across Ubuntu, RHEL, Debian, SUSE, Amazon Linux, Fedora and most others. No race condition, no per-distro offsets.
  • The file on disk is never modified. AIDE, Tripwire and checksum-based monitoring see nothing.
  • Kubernetes Pod Security Standards (Restricted) and the default RuntimeDefault seccomp profile do not block the syscall used. A custom seccomp profile is needed.
  • The mainline fix landed on 1 April. Distros are rolling kernels out now. Patch.

“Local privilege escalation” sounds dry, so let me unpack it. It means: an attacker who already has some way to run code on the machine, even as the most boring unprivileged user, can promote themselves to root. From there they can read every file, install backdoors, watch every process, and pivot to other systems.

Why does that matter on shared infrastructure? Because “local” covers a lot of ground in 2026: every container on a shared Kubernetes node, every tenant on a shared hosting box, every CI/CD job that runs untrusted pull-request code, every WSL2 instance on a Windows laptop, every containerised AI agent given shell access. They all share one Linux kernel with their neighbours. A kernel LPE collapses that boundary.

News article.

Posted on May 12, 2026 at 7:06 AM • 33 Comments
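The TL;DR above says the on-disk file never changes, so one place left to look is the syscall layer: AF_ALG socket creation by unprivileged users. This is an added example, not code from the post or from Theori; it assumes an auditd rule on `socket()` with the hypothetical key `af_alg_socket`, and every log line, path and function name in it is constructed.

```python
import re
from dataclasses import dataclass

AF_ALG = 38  # socket domain of the kernel crypto API (AF_ALG in linux/socket.h)

# socket() syscall number per audit "arch" value: x86_64 and aarch64 only.
# 32-bit compat callers (arch=b32) are not covered here and need their own rule.
SOCKET_NR = {"c000003e": 41, "c00000b7": 198}

# Assumed audit rule feeding this log (key name is hypothetical):
#   -a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg_socket
# Constructed sample records (ids, pids and paths are invented). Some would only
# appear under a broader rule; they are here to exercise the filtering.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1778580000.101:9001): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=80005 a2=0 a3=0 items=0 ppid=4100 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 comm="runner" exe="/tmp/build/runner" key="af_alg_socket"
type=SYSCALL msg=audit(1778580000.140:9002): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=1 a2=0 a3=0 items=0 ppid=4100 pid=4243 auid=1000 uid=1000 gid=1000 euid=1000 comm="curl" exe="/usr/bin/curl" key=(null)
type=SYSCALL msg=audit(1778580001.007:9003): arch=c000003e syscall=41 success=yes exit=5 a0=26 a1=80005 a2=0 a3=0 items=0 ppid=1 pid=812 auid=4294967295 uid=0 gid=0 euid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="af_alg_socket"
type=SYSCALL msg=audit(1778580002.330:9004): arch=c000003e syscall=41 success=no exit=-1 a0=26 a1=5 a2=0 a3=0 items=0 ppid=4700 pid=4711 auid=1001 uid=1001 gid=1001 euid=1001 comm="job" exe="/home/ci/job" key="af_alg_socket"
type=PATH msg=audit(1778580002.330:9004): item=0 name="/home/ci/job" inode=131 dev=fd:00 mode=0100755
type=SYSCALL msg=audit(1778580003.512:9006): arch=c00000b7 syscall=198 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=5100 pid=5150 auid=4294967295 uid=33 gid=33 euid=33 comm="python3" exe="/usr/bin/python3" key="af_alg_socket"
type=SYSCALL msg=audit(1778580004.020:9007): arch=c000003e syscall=42 success=yes exit=0 a0=26 a1=7ffd0000 a2=10 a3=0 items=0 ppid=4100 pid=4260 auid=1000 uid=1000 gid=1000 euid=1000 comm="curl" exe="/usr/bin/curl" key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"audit\(([\d.]+:\d+)\)")


@dataclass(frozen=True)
class Finding:
    event_id: str    # "<timestamp>:<serial>" from the audit record
    uid: int
    pid: int
    exe: str
    succeeded: bool  # False when the call was refused (e.g. by a seccomp filter)


def parse_record(line):
    """Return the key=value fields of a type=SYSCALL record, or None for other types."""
    if not line.startswith("type=SYSCALL "):
        return None
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    match = EVENT_RE.search(line)
    fields["event_id"] = match.group(1) if match else "?"
    return fields


def find_af_alg_sockets(log_text, allowed_exes=frozenset()):
    """List socket(AF_ALG, ...) calls made by non-root users, successful or not."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line.strip())
        if rec is None:
            continue
        # a0 is only a socket domain when the syscall really is socket() for that arch.
        socket_nr = SOCKET_NR.get(rec.get("arch", ""))
        if socket_nr is None or rec.get("syscall") != str(socket_nr):
            continue
        try:
            domain = int(rec["a0"], 16)  # audit prints syscall arguments in hex
            uid, pid = int(rec["uid"]), int(rec["pid"])
        except (KeyError, ValueError):
            continue                     # truncated or malformed record
        if domain != AF_ALG or uid == 0:
            continue                     # root is already privileged; skip it
        exe = rec.get("exe", "?")
        if exe in allowed_exes:
            continue
        findings.append(Finding(rec["event_id"], uid, pid, exe,
                                rec.get("success") == "yes"))
    return findings


if __name__ == "__main__":
    for finding in find_af_alg_sockets(SAMPLE_LOG):
        print(finding)
```

Failed calls are reported as well, because a refused `socket(AF_ALG)` from a workload that has no reason to use the kernel crypto API is still worth a look.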

Comments

Rontea May 12, 2026 9:53 AM

This is why local privilege escalations should never be dismissed as low priority. In today’s computing environment, “local” is a misleading term. Every container on a shared Kubernetes cluster, every CI/CD job running untrusted code, and every multi-tenant host provides attackers with the local foothold they need. Once they have that, a reliable kernel LPE like CopyFail collapses the isolation assumptions that modern infrastructure depends on.

Incidents like this reinforce an old lesson: security isn’t just about fixing vulnerabilities, it’s about the system of trust and timing around disclosure and patching. Until that improves, we’ll continue to see what should be minor footholds turn into systemic breaches.

Anonymous May 12, 2026 1:06 PM

When a piece of software grows as big and complex as modern kernels and web browsers, can it ever be fully secured? How many bugs are hiding in its millions of lines of code? Hundreds, thousands?

  • First there was the assembler to write the machine code for us.
  • Then there was the compiler to write the assembly.
  • Now it’s finally time for AI to write the source code.

Good riddance to human programmers, the blacksmiths of buggy code.

lurker May 12, 2026 1:32 PM

The interesting part about this story is

… the embargo had been broken due to external factors …

Security is about trust. Vulnerabilities occur when trust is not properly written in machine code. Current LLMs cannot know the meaning of trust, and have demonstrated that they cannot be trusted.

A broken embargo is another form of trust failure, similar to the trust failure that turns a vulnerability into an exploit.

lurker May 12, 2026 1:41 PM

Errmm, trust vs, stupid …
The broken embargo refers to Dirty-Frag.
“Zero-day patch gap” is the term used for Copy-Fail.
I suspect both might be in the same class of trust failure.

Clive Robinson May 12, 2026 1:59 PM

@ Anonymous,

With regards,

“When a piece of software grows as big and complex as modern kernels and web browsers, can it ever be fully secured?”

The simple answer is “Yes” but…

It has to be sufficiently segregated not just from “external attackers” but “internal users” and the like.

To do this sensibly requires either “total segregation” or rather more than “air gapping”.

It was noted way back before anyone here was out of diapers that,

“For a computer to be useful it needs to be able to communicate.”

Thus the real questions are thus communicate to whom, how, and where they are…

Which is generally problematical to talk about.

Which is why I’ve talked about and still do,

1, Energy Gapping.
2, Fully mandated gap crossing.

As these represent the higher water marks of gapping a computer for security against “outside attackers”.

Note I do not talk about “insider attacks” even though they are directly or indirectly the cause of most successful security attacks on computers.

Whilst there are things that can be done about “Insider Attacks” like SE-Linux etc they generally are either not done or done insufficiently…

Which is the case with both the current attacks being talked about.

The second arriving in public over the weekend,

‘Dirty Frag’ Linux flaw one-ups CopyFail with no patches and public root exploit

Broken disclosure embargo left admins facing a fresh root-level flaw with no CVE

A fresh Linux privilege escalation bug dubbed “Dirty Frag” has dropped into the wild with no patches, no CVE, and a public exploit that hands attackers root access across major distributions.

Security researcher Hyunwoo Kim disclosed the local privilege escalation flaw on Friday after what he said was a broken embargo forced the issue into the open.

Kim described Dirty Frag as a “universal LPE” affecting “all major distributions” and warned that it delivers the same kind of immediate root access as the recent CopyFail mess – only this time, defenders do not even have patches to throw at the problem.

“As with the previous Copy Fail vulnerability, Dirty Frag likewise allows immediate root privilege escalation on all major distributions,” Kim said. “Because the responsible disclosure schedule and embargo have been broken, no patches exist for any distribution.”

https://www.theregister.com/security/2026/05/08/dirty-frag-linux-flaw-one-ups-copyfail-with-no-patches-and-public-root-exploit/5237230

Worryingly due to both –actually three– vulnerabilities being disclosed before patches are even close, there has been “a knee jerk suggestion” in the Linux Kernel Development Space of,

Linux kernel maintainers pitch emergency killswitch after CopyFail and Dirty Frag chaos

Instead of waiting for patch cycles, admins could simply shut down vulnerable functions before attackers get there

Linux kernel maintainers are considering giving admins a giant red emergency button to smash the next time another nasty vulnerability drops before patches are ready.

The proposed feature, named “Killswitch,” would let admins temporarily disable specific vulnerable kernel functions at runtime instead of sitting around waiting for fixes. The so-called patch was submitted by Linux stable kernel co-maintainer and Nvidia engineer Sasha Levin after a bruising couple of weeks for Linux security.

The proposal basically gives admins a way to pull the plug on vulnerable kernel functionality. If exploit code starts spreading before patches arrive, the targeted function can be disabled so calls to it immediately fail instead of reaching the vulnerable code.

“When a (security) issue goes public, fleets stay exposed until a patched kernel is built, distributed, and rebooted into,” Levin wrote. “For many such issues the simplest mitigation is to stop calling the buggy function. Killswitch provides that.”

The past couple of weeks have not exactly been great advertising for the traditional “wait for patches” approach.

https://www.theregister.com/oses/2026/05/11/linux-kernel-maintainers-pitch-emergency-killswitch-after-copyfail-and-dirty-frag-chaos/5237801

For a whole load of reasons this “killswitch” idea is not actually a good one, even though it sounds alluring.

Hmmm May 12, 2026 2:19 PM

Someone more intelligent than me:

Android is based upon Linux so do these bugs impact android too?

turns off pain May 12, 2026 3:39 PM

How funny.

I had just switched to FreeBSD and a few days later boom the news of this exploit for Linux. (and others)

I’m playing with OpenBSD, too, like Fuguita which is an OpenBSD LiveCD/USB.

I think I’m pretty much done with Linux, for the most part. It’s bloated and too tied to corporations like the Microsoft Foundation (Linux Foundation).

M$ already has their hooks in Debian, now they’re moving to Fedora.

BSD is a land of sanity in a mad world.

AlaSpeNor May 12, 2026 3:53 PM

@Hmmm – probably, but the impact might actually be lower. Since Android devices are full of holes anyway, what’s another kernel privilege exploit? For one thing, those devices are generally single-user, which helps a bit, since the issue of multiple untrusted users (like on a shared machine running VMs) doesn’t arise so much. But there are doubtless other ways in which it’s bad.

Mr. Peed Off May 12, 2026 9:59 PM

In addition to Linux 7.0.6 stable, the Linux 6.18.29 LTS kernel was also released today with the sole change being this same patch from Hyunwoo Kim for resolving Dirty Frag.

More background information on Dirty Frag and some temporary workarounds for bypassing this vulnerability can be found via the Dirty Frag GitHub repository.

https://www.phoronix.com/news/Linux-7.0.6-Released

ForUbuntu May 12, 2026 10:06 PM

For Ubuntu…

https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available

“A local privilege escalation (LPE) vulnerability affecting the Linux kernel has been publicly disclosed on April 29, 2026.”

Ubuntu response URL is dated “30 April 2026”.

Impressive response time given embargo was broken…

Other linux distros no doubt have their own similar (or identical) mitigations… (As discussed on Slashdot.)

We’re in wild-west type days now with AI finding bugs. A rough ride for the moment. But later on, we’ll be in a much safer place…

Weather May 13, 2026 12:57 AM

@All

Normally the company doesn’t pay bounty, so you give it to them about, they work on a patch, pretending they will soon pay you.

The person that found it, probably won’t go to any bug bounty program again, and just give it to black hats for free.

Dave May 13, 2026 2:03 AM

@Rontea: This is why local privilege escalations should never be dismissed as low priority.

It’s still low-priority on a single-user machine: Desktop/laptop use, IoT, non-shared servers, etc.

Or another way of looking at it is with the aphorism that a shared/multiuser machine isn’t your computer, it’s our computer.

Untitled May 13, 2026 3:54 AM

@Dave:

It’s still low-priority on a single-user machine: Desktop/laptop use, IoT, non-shared servers, etc.

Everyone has their own priorities. I guess it’s high-priority on your single-user machine … or on a single-user machine that’s hacked within a network, enabling the hacker to paralyze the organization, so that your power supply goes down, or you can’t access your bank account, or your flight doesn’t go, etc.

If a single-user machine can be hacked, so can many single-user machines. What number qualifies as “high-priority”?

Clive Robinson May 13, 2026 6:42 AM

@ ALL,

@Dave notes,

“Or another way of looking at it is with the aphorism that a shared/multiuser machine isn’t your computer, it’s our computer.”

Is no longer true and has not been for quite some time due to even “run of the mill” criminal attackers having what just a decade ago was considered “State Level” “sources and methods”.

So the aphorism should be more along the lines of,

“Any computer that we can reach physically or via coherent energy is our computer.”

If you look back I’ve been warning that where people can they should have two computers,

1, The first for private work.
2, The second for communications.

Further that the communications computer should not have “mutable storage” so simply “cycling the power” would clean it of any infections.

Back when I talked about the two computer solution, computing hardware was different, as was society. Back then for the communications computer you could use an MSI or equivalent low cost “all in one” motherboard that had video and sound and basic I/O hardware built in, and all you had to add was sufficient DRAM and a DVD drive to boot off. You would then get a Linux or Similar “monthly magazine” that had a “Bootable Distribution” on it, from a “random shop” you’d not been to before, and use the DVD to boot up.

Similarly for higher security the private machine could be left as a “numb nuts” Windows machine in case it got grabbed or got at. You would actually use another bootable distribution from either a DVD or Thumb Drive and only mount a thumb drive for private storage as these were a lot lot easier to secure physically than a computer.

All you then needed was a way that was sufficiently secure to “cross the air gap” safely.

Sadly computers now are filled with semi-mutable “Flash ROM” of all kinds which can be “got at” from any “physical or coherent energy” contact. Computer Magazines with bootable distribution DVD ROMs are also a thing of the past. And as we all should know now “air-gaps” are really insufficient[1] even for ordinary people you need “energy gaps” and more complex crossing techniques.

Whilst you can still do this, technology and major Corporate and Government “Data Desires” are making the use of “Personal Computers” harder and harder.

If Apple, Google, and Microsoft along with most Western Governments and their “Guard Labour” have their way, “Client Side Scanning” will become “unavoidable” for all but the very few who are sufficiently adept and prepared to do what is required for OpSec to be reliable.

Sorry if this makes you depressed on reading, but Others and I have been warning for years that this is happening.

Further that you can not nor should not trust any consumer or commercial OS or hardware any longer. It’s not just journalists and their sources it’s

“Anyone that is seen as a potential threat or even just convenient[3]”

What does it take to be “convenient?” just,

“Carrying or using technology”

Is more than enough. Worse being forced to use technology just to be included in society just makes the potential hurt even greater, as Data brokers trade every last detail that can be extracted, or worse assumed about you.

I could go on at length about just how fast this is happening but people reading this should know how to find it easily enough, so it’s more a question of if,

“People want to face the reality of what is happening?”

Just “look behind the curtain” at what is really happening with this “proof of age” nonsense, don’t wait half a decade and then start complaining, start now.

[1] Why has this,

“Filtered down to criminals?”

Well you can blame “crypto-coins” and similar. Some criminal gangs will just smash into your home and “slice and dice” you or a close relative[2]. Others will use more technical means. Either way such criminals exist and are active and not likely to ever go away in our life times. Because all they are after is “Key information” that can be written down in a few seconds. As that information can give them “millions” they are shall we say “incentivised”…

[2] After all,

“What’s one more dead body after the first couple?”

The way the legal system works is after the first one or two all the others do not make a difference to your sentence, so effectively are “free”…

[3] Guard labour has a very long history of “framing/fitting people up” for crimes they have not committed. Mostly this happens for what can be called “political reasons”. After all “quick arrests and convictions” are very desirable not just for promotion in the ranks, but to “politicians” as well… And the politicians and most of the guard labour also know that if an “innocent person” gets convicted they won’t get the blame in five to twenty years when the truth comes out… But in the mean time their career will have been boosted or in some other way benefited, and they won’t lose that. Worse, a fat pension and a book deal etc can happen as well… We’ve seen this happen over and over so it’s more than just one aberrant individual it’s “A clear MO”.

milky white May 13, 2026 9:24 AM

@ Stéphane Bortzmeyer,

No OS is perfect, but OpenBSD is something more people should try, if they care about security.

The correct link to Fuguita is here. Try and find an OpenBSD LiveCD/USB like it, you can’t. It’s a good OS to run for browsing the WWW and much more.

lurker May 13, 2026 2:27 PM

@turns off pain, Stephane, milky white

I got tired of the Linux kernel flying circus, so tried FreeBSD. My laptop battery went down faster, because devices (camera, 2nd video card, &c.) were being scanned and powered on at boot. I was told this can be stopped by building my own kernel.

The hyper-secure OpenBSD appears to do the same. There is a method of turning those calls off at boot time, but the man page might as well be written in Greek.

I’ve had a brief glance at Fuguita and came to the conclusion that I suffer from an age related desire for convenience over security.

Clive Robinson May 13, 2026 5:07 PM

@ 420,

Funny you should say,

“Linux Magazine would like a word with you”

That was one of the magazines that you could pick up in many UK News Agents…

Hence you could just “get one at random” which had the advantage from a security aspect that you would not have it “intercepted”… And replaced with one that was potentially “back doored” whilst it was “in the post” or in the “Delivery Center” of the USPS etc.

Which at one point sounded “totally paranoid” then Ed Snowden revealed back nearly a decade and a half ago that the NSA had been backdooring routers in delivery to customers abroad for ages…

Clive Robinson May 13, 2026 5:30 PM

@ lurker,

With regards,

“… came to the conclusion that I suffer from an age related desire for convenience over security.”

That is not exactly “age related” in most these days.

As a now long term observer of the human race in the West, I’ve noticed it kind of starts when most are still well under 10 and get their first mobile phone… then it gets really bad by the time they become teenagers… and well convenience then becomes engrained as a way of life hence the “fan bois” that hang out at certain watering holes, knocking back the “cool aid”.

this is the tree that never dies (lies) May 13, 2026 5:48 PM

@ lurker,

For FreeBSD, there’s plenty of fun and brilliant people here at their forums:

https://forums.freebsd.org/

Fuguita’s page has a message board where you can communicate with the developer without registration (just be sure to type in #fuguita in the message body) and it’s pretty basic.

Trust me, peace of mind is worth it.

this is the crop that never fails May 13, 2026 5:57 PM

@ Clive,

Are you a “targeted individual?” 🙂

Your precautions are not unreasonable in this day and age. However, it is of my belief that most things are compromised these days from the get go. Targeting occurs, of course, but the digital wells are poisoned.

Do they not sell these magazines anymore in the UK? They sell them around my parts. They’re expensive though, but in a pinch they can be useful.

ismar May 13, 2026 7:09 PM

OK, here’s a question I have been asking myself for a while now.
Given the frequency and severity of the software bugs being reported over the years, how come we still have a (broadly speaking) well functioning software networks of communication?
What is holding the system together, or, are we not seeing an objective picture focusing on the negative side only?
I would think yes

Clive Robinson May 13, 2026 7:51 PM

@ …crop that never fails,

With regards,

“… it is of my belief that most things are compromised these days from the get go.”

They were compromised back last century.

One reason I know this is I and a friend from our school days –who sadly is no longer with us– used to have a nice little side business designing, selling and covertly installing very high end surveillance equipment.

It’s why I found the supposed NSA ANT catalogue that came out after the Ed Snowden trove to be as is sometimes said in the UK as “a bit pants”[1].

For instance there was little or no “Low Probability of Intercept”(LPI) capability designed in which was ludicrous. It might just pass muster for low end work by Law Enforcement against not too bright OpSec wise criminals, but most of it would have “given the game away” to even a 2nd year electronics student.

It was basically stuff you’d expect from a “summer intern” rather than from a professional engineer with the appropriate field experience.

[1] Have a read of,

https://www.schneier.com/blog/archives/2014/06/building_retro_.html/#comment-225512

And other related comments in that page.

creamy May 14, 2026 11:54 AM

@ Clive,

Thanks for the post+link. Some interesting posts there, I wonder what happened to all of the regulars who used to post here. There were some really interesting discussions back then.

Clive Robinson May 20, 2026 2:41 AM

@ Jesse Adelman, ALL,

“How long have the various spy agencies had these…”

Does it matter?

With “collect it all, and store forever” most people in their fifties or younger will have already said to the web the things they can be manipulated by.

If you are a long term reader of this blog, you will know that various people who have commented here have,

“assumed that is the case”

and discussed often in practical depth how to mitigate the risks.

But many assumed those taking part in those conversations were “paranoid”, “fantasists” or some other kind of “conspiracy theorist nut job” rather than honestly think,

“What do the laws of physics allow?”

I remember all too well the kick back from the “turn javascript and Flash off” advice. Some were in effect saying we were stealing the food from their children’s mouths… Whilst they were brazenly stealing our CPU cycles and grid power.

Now Flash is dead and enough people accept that “turn javascript off” is actually wise advice as having someone else’s unknown code running on your computer,

“Is not, nor ever was wise.”

I’ve been pointing out that much of the newer “web standards” in the likes of HTML5 that have been railroaded through by the Google and similar are also a bad idea and should not even be implemented in browsers.

I’ve also pointed out what a “Sensitive Compartmented Information facility”(SCIF) really does and the physics behind it as well as how to build your own as an overt form of “RF Cage” and how “household objects” can be used to build covert equivalents. Along with describing the design rules for TEMPEST / EmSec hardening of electronic equipment.

Others have discussed how to build “PCs in Safes” and how to make them “self destruct” when required…

With much more besides, with it being “practical rather than theoretical” information/advice.

Again there were voices as there still are making claims that those giving advice were paranoid etc.

Even the Ed Snowden trove and the ANT catalogue that followed has not stopped such criticisms.

The simple fact is year after year more gets revealed and shows the truth of,

“You ain’t paranoid if they really are out to get you!”

And that “every citizen is a surveillance target of opportunity”.

The latest news on this being the FBI wanting to buy all “Licence Plate Reader”(LPR) output and build it into a “realtime search engine”.

Whilst it might save one or two people’s lives, that’s not the real reason they want it. But I would get accused of being “paranoid” if I actually said what “technical reasoning” has indicated is more than possible (think of “collect it all” on people’s physical movements).

But consider we already know some US States “Guard Labour” are using similar “politically” against “women” and their reproductive health, so it’s not even a great stretch of the imagination to see why the FBI and DoJ would be interested in such a system.

But to answer your direct point about Linux… It’s Open Source so of course the US SigInt and other Intl agencies would have “dug deep” into it.

Which was kind of obvious years ago which is why I’ve talked about having two computers. One to do your private work on that never gets “connected” and building a second computer with “no mutable memory” that you use for the “Internet” or other communications. With the all important “how you bridge the gap safely”.

In a few years at most, some will come to realise why I’ve said these things and think me “more pragmatic than paranoid” as I’m all about the,

“Future mitigations today”

P.S. that clinking sound you think you faintly hear is the “crystal balls” in constant use 😉

Weather May 20, 2026 6:00 PM

@Clive All

The problem of making a Scif is from a helicopter with Ir, it would look like a cannabis grow room, and the police will come knocking.

Clive Robinson May 21, 2026 5:48 PM

@ Weather,

First off my apologies for the delay in responding things have been a little hectic.

With regards,

“The problem of making a Scif is from a helicopter with Ir”

There has been a lot said in the press in the past about Police Helicopters and Infra-red or thermal imaging systems.

Mostly you don’t get them any longer. Because when you can “look into them” you find that things are not “as reported”…

In the UK “grow rooms” used to draw a lot of electrical power for the lights and with the result the “usual usage patterns” changed at the “power substation” and a lot of heat was generated by the lights.

Thus in past the power company / supplier would see the change and investigate. And would fairly quickly identify “the property of interest” and report it to the police, who would then investigate. With “Smart Meters” these days they get a lot lot more information almost instantly (it’s rumoured the UK Tax Office is getting access to put it into an AI system to catch people doing “Homers” and the like[1])

In the UK the police tend not to use helicopters for carrying out investigations these days as it’s very expensive and for various reasons the people they catch this way are not worth the effort (that is they are growing for personal use rather than street sales).

The other issue is that these days the “grow lights” are now low energy LED systems that just don’t draw power or generate the heat. So “step one” of a nod from the power company is not happening anywhere near as much and “step two” of IR/Thermal imaging is not going to help very much.

Another issue these days is “air-con” in the UK it used to be a rarity but times have changed. Worse a push by the UK Gov for the idiotic “heat-pump” systems make “assumptions” from IR / Thermal into a potential “expensive mistake” for police forces.

But consider the SCIF / RF-Cage you build in your home is not going to generate much heat and if you chose to put it somewhere sensible within the property even IR / Thermal imaging is not going to show very much (unless you take up a gnome like existence within it).

Also there are a lot of “OMG 5G” types in the UK who turn their bedrooms into RF-Cages as they say they improve their wellbeing/sleep etc.

In the UK having the equivalent of a SCIF in your home is not a crime / offense / misdemeanor, or require “building code” compliance (unless it creates a hazard or structural changes). Though any mains electrical work is required to not just meet UK BS 7671 “Requirements for Electrical Installations” a certificate of compliance should be issued[2] (as proof of compliance…).

[1] There is a lot of political nonsense about “tax and benefits cheats” in the UK. Whilst there will always be some individuals, the real cheats are Corporations, Companies and Land Lords. But as these offenders can and do “lawyer-up” the cost and time through the court system does not produce money for the Treasury. So the systems are quite biased and definitely discriminate against the disabled, old and others,

https://www.theguardian.com/society/2024/dec/06/revealed-bias-found-in-ai-system-used-to-detect-uk-benefits

[2] BS 7671 is not something that generally concerns me any longer for various reasons I won’t go into, let’s just say that “other standards apply”.

Weather May 21, 2026 10:19 PM

@Clive Allgood brother

They used to line the walls with Al foil, from the optics it looks like a dead spot, and if it’s the size of a room.
They use helicopter here but I’m guessing they get put on a waiting list to investigate, our police versus population is quite low.
Meaning Ir referring to wavelength in the area. Flir 480nm-860nm
