wtf
An unprivileged local user can write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root.
If your kernel was built between 2017 and the patch — which covers essentially every mainstream Linux distribution — you’re in scope.
how does that only get a CVE score of 7.8, the impact of this is huge
Probably because the attack vector is having a user account on the target
Exactly. It’s Yet Another Privilege Escalation Vulnerability. Unless you’re dealing with a multiuser machine, the attacker first needs to use some other vuln to get into an unprivileged account. Without that additional vulnerability, this exploit is useless.
some other vuln
You mean like inveigling it into a pypi or npm or whatever package? Checks out.
Yet another? Are there really so many LPEVs in Linux?
I manage multi-user systems and try to be on top of this and no, privilege escalations with a working public exploit are very rare. There are quite a lot of CVEs with potential privilege escalation, but most of the time there is no real-world exploit. And a large part of those are related to user namespaces in one way or another.
This one is truly scary, at least the immediate mitigation is pretty straightforward.
Well, it often feels like every “Linux security issue” flagged in the tech press is a privilege escalation, but I admit that I haven’t sat down and done the math.
Hm, I could use that on a few Android devices…
there is no su binary in most Android devices sadly
Does it have to actually be su? Couldn’t this replace any other existing privileged program with the fake su?
In order to use this exploit you need a program that has the UID bit set and the file owned by the user whose privileges you want to use.
For example su (among other commands) has that UID bit set, and because the owner of the file is root, when you execute it, it always runs with root privileges.
Most Android devices use SELinux (Security Enhanced Linux), which is configured in such a way that you couldn’t have root access even if you could run a program owned by root that has the UID bit set.
What you could do - in theory - is find a process already running with root privileges that happens to be executing a certain command periodically. You could then override that program in the cache using this exploit to do what you want.
Debian trixie has a fix https://security-tracker.debian.org/tracker/CVE-2026-31431