George,

It is an exploit that uses a hole that was inadvertently created in the main Linux kernel a decade ago. Nobody knew the hole was there (at least, anybody that did know about it was keeping it to themselves) until a researcher from xinit started investigating. Xinit used an LLM, AKA AI-assisted program, to find the hole. Their business model is to charge developers to analyze their code for them using their secret sauce. I guess they got tired of spamming LinkedIn for customers and decided to do something spectacular to get attention by seeing if they could use their product on the Linux kernel to find a hole, and they hit the jackpot.

The exploit basically means anyone who has user-level access to a vulnerable Linux system can become the root user. And every Linux system using a kernel released in the last decade is vulnerable. For example, the Apache web server is usually installed to run under a non-privileged userID, often "www". So let's say someone has a webserver that they allow people to upload stuff to. All you have to do is upload a simple script, then cause it to run under the www user via a POST or GET command, and bang, you're now root on that webserver and can run a back door or something you can use to remote in and pwn the server (gain control of the server).

When xinit found this they patched it, then submitted the patch April 1st. They did not plaster "this patch plugs a massive security hole" in the patch description. Instead they used a non-committal description of it, basically saying it was making the code faster and more efficient. Since Linus, who manages patch submittals to the Linux kernel, is known to bite on anything that purports to make Linux run faster, the patch was quickly accepted. It's also possible that xinit privately emailed Linus and explained the ramifications of what they found and asked him to shut the F up about it.

Debian and Ubuntu's dev teams both have new releases coming out: Debian is releasing Debian 13 and Ubuntu is releasing 26.04. Between them and distributions based on Debian, they are the 600 pound gorillas of Linux with probably almost half of Linux installs while RedHat and its derivatives So, xinit knew that their kernel patch would be picked up by these new releases, and it was. So once the stage was set, xinit then published proof of concept on a vanity website. The python code they published is real, it does work, I've tested it. They then passed the word to a BUNCH of technical bloggers and commercial news sites and articles started appearing. They can pretend to appear like angels because anyone who complains will be told "if you were running current distros (that were released last week but let's not quibble) then it wouldn't be a problem for you" by most of the Linux fanboys on the Internet who don't know anything.

But the story does not end there. Yesterday afternoon (afternoon PST, that is) Canonical's ubuntu.com website came under attack and went offline. I posted about this on this list yesterday but didn't know at the time they were under attack. The attacker is undoubtedly Russian Mafia as they have sent extortion demands to Canonical already. They CLAIM that they are Iranians but this is obviously ridiculous as the Iranians are a little busy right now, and the demands are for money - which obviously, the Iranians can't use right now anyway to buy anything since the US has them blockaded. Real Iranians would demand food or humanitarian aid or a cessation to the shooting war or something like that.

In the meantime, xinit has also threatened - well, actually, PROMISED - to release more zero day exploits that they claim to have discovered. They must really be desperate for attention and customers. There's a lot of people running Ubuntu desktop and server right now who are scared and looking for information.

The likelihood is that they WILL NOT do the obvious and simple thing, which is run "get update, get upgrade" as root on their systems, which would download updates and patch their systems, until they are sure they are doing the right thing. They are trying to get more authoritative information, which they can't since the ubuntu.com website is offline. The Ubuntu update servers are NOT affected by the DDoS attack. The longer that people DO NOT update, the more time that the Russian Mafia, or whoever is running the attack, will have to develop exploits that use this hole and use them to break into systems that are not patched. That is IMHO the real goal of the Canonical attack - sow confusion and doubt. Run updates on your system ASAP and then forget about it, you will be protected.

Ted

-----Original Message-----
From: PLUG <[email protected]> On Behalf Of Ben Koenig via PLUG
Sent: Friday, May 1, 2026 10:13 AM
To: Portland Linux/Unix Group <[email protected]>
Cc: Ben Koenig <[email protected]>
Subject: Re: [PLUG] exploit in the wild

Yeah, wallposting can muddy the waters. The original link seemed sketchy so I just skimmed through the details without actually running it. Looks like Russell beat the internet to this one because in the past couple days it's been popping up on a lot of blogs/forums. If anyone wants a real link as opposed to the sales pitch from the company that found it, here's a few:

https://nvd.nist.gov/vuln/detail/CVE-2026-31431
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a664bf3d603d

Note that the NIST page references the copy.fail website people have been referring to.

-Ben

On Friday, May 1st, 2026 at 9:47 AM, George <[email protected]> wrote:

> I can't tell what you guys are talking about. I assume you're talking about a virus or an exploit.
> It seems that whatever you're talking about is explained in a rando web link in the original interest group email. Just how many of you guys click links in your emails when you're researching security? (I'm kidding, after about four emails, I just looked it up from an independent source. Still not sure if I use algif_aead but I'm the only user on my network, er,... that I know of....)
>
> On Fri, May 1, 2026, 8:12 AM Ted Mittelstaedt <[email protected]> wrote:
>
> > That may work for now however according to:
> >
> > https://xint.io/blog/copy-fail-linux-distributions
> >
> > "...The scan also identified other high severity vulnerabilities, including another privilege escalation bug. These other bugs are still in the responsible disclosure process."
> >
> > And we know now that from xinit's POV responsible disclosure means insert a patch, then wait 30 days and publish a zero day.
> >
> > So this isn't going to be the only one of these rodeos. It's just the first.
> >
> > Ted
> >
> > -----Original Message-----
> > From: PLUG <[email protected]> On Behalf Of King Beowulf
> > Sent: Friday, May 1, 2026 7:46 AM
> > To: [email protected]
> > Subject: Re: [PLUG] exploit in the wild
> >
> > On 4/30/26 17:11, Ted Mittelstaedt wrote:
> > > I can confirm that the latest apt-get update to Ubuntu 24.04 as of a few minutes ago is disabling the aead module.
> > >
> > > For an un-updated system, running python3 copy_fail_exp.py gets you a root shell. For an updated system it gets an error. For Ubuntu 26.04 it merely asks for the root password.
> > >
> > > Ted
> > >
> >
> > or run
> >
> > find / * -perm -4004 -type f -exec ls -ld {} \; > setuid.txt
> >
> > and remove 'r' flag from user, user group, and other group.
> >
> > On Slackware, most setuid root utilities are not user readable.
> >
> > # ls -l /usr/bin/sudo
> > -rws--x--x 1 root root 289800 Jul 26 2025 /usr/bin/sudo*
> > # ls -l /bin/su
> > -rws--x--x 1 root root 59552 Feb 13 2021 /bin/su*
> >
> > There are a few that are, unfortunately.
> >
> > This will mitigate the exploit until patched.
> >
> > -Ed
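As an added example, not code posted by anyone in this thread: a small POSIX shell audit that generalizes Ed's `find` command and Ted's note about the aead module being disabled by the update. `audit_readable_setuid` lists setuid files under a given directory that are readable by group or other, `harden_setuid` strips that read bit the way Ed describes, and `aead_loaded` checks a modules file (default `/proc/modules`) for `algif_aead`. The directory and modules file are parameters so the functions can be exercised on a constructed test tree; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Audits setuid files that are readable by
# group or other, the condition Ed's mitigation removes, and reports whether
# the algif_aead module is currently loaded.

# List setuid files under $1 whose mode grants read to group or other.
# -perm -4000: setuid bit set; -perm -040 / -perm -004: group / other read.
audit_readable_setuid() {
    find "$1" -type f -perm -4000 \( -perm -040 -o -perm -004 \) 2>/dev/null | sort
}

# Strip group and other read from every setuid file under $1 (Ed's mitigation).
# The setuid bit itself is left in place so the binaries keep working.
harden_setuid() {
    find "$1" -type f -perm -4000 \( -perm -040 -o -perm -004 \) \
        -exec chmod go-r {} \; 2>/dev/null
}

# Return 0 if algif_aead appears in the modules list ($1, default /proc/modules).
aead_loaded() {
    grep -q '^algif_aead ' "${1:-/proc/modules}" 2>/dev/null
}

# When run with a directory argument, audit it and report the module state.
if [ "$#" -ge 1 ]; then
    audit_readable_setuid "$1"
    if aead_loaded; then
        echo "algif_aead is loaded"
    else
        echo "algif_aead is not loaded"
    fi
fi
```

Run it as `sh audit_setuid.sh /usr` to list candidates before deciding what to harden; hardening `/` wholesale is Ed's call, not something the script does on its own.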
