Yeah, wallposting can muddy the waters. The original link seemed sketchy so I just skimmed through the details without actually running it. Looks like Russell beat the internet to this one because in the past couple days it's been popping up on a lot of blogs/forums.
If anyone wants a real link as opposed to the sales pitch from the company that found it, here's a few:

https://nvd.nist.gov/vuln/detail/CVE-2026-31431
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a664bf3d603d

Note that the NIST page references the copy.fail website people have been referring to.

-Ben

On Friday, May 1st, 2026 at 9:47 AM, George <[email protected]> wrote:

> I can't tell what you guys are talking about. I assume you're talking about
> a virus or an exploit.
> It seems that whatever you're talking about is explained in a rando web
> link in the original interest group email. Just how many of you guys click
> links in your emails when you're researching security? (I'm kidding, after
> about four emails, I just looked it up from an independent source. Still
> not sure if I use algif_aead but I'm the only user on my network, er,...
> that I know of....)
>
> On Fri, May 1, 2026, 8:12 AM Ted Mittelstaedt <[email protected]>
> wrote:
>
> > That may work for now however according to:
> >
> > https://xint.io/blog/copy-fail-linux-distributions
> >
> > "...The scan also identified other high severity vulnerabilities,
> > including another privilege escalation bug. These other bugs are still in
> > the responsible disclosure process."
> >
> > And we know now that from xinit's POV responsible disclosure means insert
> > a patch then wait 30 days and publish a zero day.
> >
> > So this isn't going to be the only one of these rodeos. It's just the
> > first.
> >
> > Ted
> >
> > -----Original Message-----
> > From: PLUG <[email protected]> On Behalf Of King Beowulf
> > Sent: Friday, May 1, 2026 7:46 AM
> > To: [email protected]
> > Subject: Re: [PLUG] exploit in the wild
> >
> > On 4/30/26 17:11, Ted Mittelstaedt wrote:
> > > I can confirm that the latest apt-get update to Ubuntu 24.04 as of a few
> > > minutes ago is disabling the aead module.
> > >
> > > For an un-updated system, running python3 copy_fail_exp.py gets you a
> > > root shell. For an updated system it gets an error. For Ubuntu 26.04 it
> > > merely asks for the root password.
> > >
> > > Ted
> > >
> >
> > or run
> >
> > find / -perm -4004 -type f -exec ls -ld {} \; > setuid.txt
> >
> > and remove 'r' flag from user, user group, and other group.
> >
> > On Slackware, most setuid root utilities are not user readable.
> >
> > # ls -l /usr/bin/sudo
> > -rws--x--x 1 root root 289800 Jul 26 2025 /usr/bin/sudo*
> > # ls -l /bin/su
> > -rws--x--x 1 root root 59552 Feb 13 2021 /bin/su*
> >
> > There are a few that are unfortunately.
> >
> > This will mitigate the exploit until patched.
> >
> > -Ed
