Copy Fail

Copy Fail: The 4-Byte Kernel Flaw That Broke Linux Security.

The Core Concept

  • The Bug: A logic error in the Linux kernel’s algif_aead module.
  • The Type: Local Privilege Escalation (LPE).
  • The Impact: Any user (including www-data) can gain full root access.
  • The Mechanism: It tricks the kernel into treating the cached, read-only copy of a system file in RAM (the page cache) as writable scratch space.

Technical Breakdown (The "How it Works")

  1. Memory Confusion: The exploit uses the splice() system call to feed a privileged (setuid) binary, such as /usr/bin/su, into a kernel crypto socket.
  2. The Overwrite: Due to a 2017 "optimization" error, the kernel allows 4 bytes of data to be written into the in-memory copy of that binary.
  3. The Bypass: These 4 bytes typically replace a "check password" instruction with a "skip" instruction.
  4. Stealth Execution: The change happens only in RAM. The file on disk remains untouched, so file-integrity scanners that hash the on-disk copy see nothing wrong.

Why It Matters

  • 100% Reliability: Unlike most bugs that rely on "race conditions" (luck), Copy Fail works every time.

  • Container Escapes: An attacker can use this to break out of a container and take over the host server.

  • Web Server Threat: If a website is compromised, the attacker can escalate from a limited web-server user to root in seconds using a tiny 732-byte script.

Debunking Mitigations

  • Sudo Timeouts: Ineffective. The exploit breaks the logic of the program before it ever checks for a timeout or password.

  • Permissions: Since the target files (su/sudo) are setuid and run as root by design, corrupting their in-memory copy is an "instant win" for the attacker.

The Solution

  • Primary Fix: Update the kernel to 6.18.22, 6.19.12, or 7.0+.

  • Emergency Shield: Disable the algif_aead module. It is a niche "bridge" for hardware encryption that most modern apps (Web browsers, SSH, OpenSSL) do not need to function.

The "Backdoor" Controversy

There is an ongoing debate on whether this was a simple mistake or an intentional "trapdoor."

  • Mistake: It resulted from three separate, seemingly innocent code changes over six years.

  • Intentional: It is suspiciously precise, perfectly stealthy, and provided a "universal key" to Linux systems for nearly a decade.

🛡 Mitigation: The "Emergency Shield" Snippet

If a user cannot reboot or patch immediately, they can disable the vulnerable interface. This stops the exploit without breaking standard web traffic or SSH.

# 1. Prevent the vulnerable module from loading at boot (or on demand,
#    when a program opens an AF_ALG "aead" socket)
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf

# 2. Unload the module from the current session (fails if it is in use
#    or compiled into the kernel; in the latter case only a kernel update helps)
sudo rmmod algif_aead 2>/dev/null || echo "Module already inactive or built into kernel."

# 3. Verify the module is gone: no output from grep means it is not loaded
lsmod | grep algif_aead || echo "algif_aead is not loaded."
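To confirm the shield actually took effect (or to audit a fleet from saved copies of the relevant files), here is an added checker that is not part of the original page: it classifies a host's algif_aead exposure from a /proc/modules listing, a modules.builtin listing and a modprobe.d directory, all passed as paths so it can run against the live system or against collected files. The function name and the five state labels are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original page). Classify algif_aead exposure.
#   $1 = path to a /proc/modules-style listing   (currently loaded modules)
#   $2 = path to a modules.builtin-style listing (modules compiled into the kernel)
#   $3 = path to a directory of modprobe.d *.conf files
# Prints one of:
#   builtin        - compiled into the kernel: rmmod cannot help, only a kernel update
#   loaded         - loaded right now and nothing stops it reloading
#   loaded-blocked - still loaded, but an "install ... /bin/false" line will stop reloads
#   blocked        - not loaded and the install line is in place
#   absent         - not loaded, but it can still be auto-loaded on demand
algif_aead_state() {
    mods="$1"; builtin="$2"; confdir="$3"
    # modules.builtin lists paths such as kernel/crypto/algif_aead.ko
    if grep -q 'algif_aead\.ko' "$builtin" 2>/dev/null; then
        echo builtin
        return 0
    fi
    # Only the "install" directive (the form the snippet above writes) counts as
    # blocking: it is consulted on every modprobe, including on-demand loads.
    blocked=0
    if grep -rqE '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/(false|true)' \
            "$confdir" 2>/dev/null; then
        blocked=1
    fi
    # /proc/modules: the first field of each line is the module name
    if awk '$1 == "algif_aead" { found = 1 } END { exit !found }' "$mods" 2>/dev/null; then
        [ "$blocked" = 1 ] && echo loaded-blocked || echo loaded
    else
        [ "$blocked" = 1 ] && echo blocked || echo absent
    fi
}

# Live check on a running Linux host (the real paths the three inputs stand for):
# algif_aead_state /proc/modules "/lib/modules/$(uname -r)/modules.builtin" /etc/modprobe.d
```

Anything other than "blocked" (or "builtin" on a kernel that is already at a fixed version) means the mitigation is incomplete on that host.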

📜 Historical Context: The "Fatal Optimization"

The "Copy Fail" vulnerability is a masterclass in how "efficient" code can become dangerous code.

The Origin: Commit 72548b093ee3

"crypto: algif_aead - allow user-space to provide iv"

In 2017, a patch was introduced to the algif_aead subsystem. Its goal was to reduce latency during high-speed encryption.

  • The Intent: Encryption usually requires "double buffering" (copying data from point A to point B to process it). This commit aimed to allow "zero-copy" operations, where the kernel works directly on the memory provided by the user.

  • The Error: The developer did not add a check for whether the memory being handed to the kernel was a read-only reference (page-cache pages pinned in place by splice()).

  • The Oversight: The code assumed that if a user-space application provided a memory region via the splice() system call, the user must have write access to it.

Why It Stayed Hidden for 9 Years

  • The "Niche" Factor: The Crypto API (AF_ALG) is rarely used by standard developers. Most programmers use libraries like OpenSSL, which operate in "user-space" and don't touch these kernel-level crypto sockets.

  • Complexity: The bug only triggers when using a specific combination of splice(), AF_ALG, and AEAD encryption. It’s a "perfect storm" of three different kernel features that few people ever use together.

  • The Silent Failure: Most kernel bugs cause a "Kernel Panic" (the Blue Screen of Linux). This bug is silent. It performs the write and continues as if nothing happened, making it impossible to detect without active, intentional searching.

The "Backdoor" Narrative

The 2017 change was technically redundant. Many security researchers have pointed out that the "performance gain" from this specific optimization was negligible, raising questions about why such a risky memory-handling change was approved in the first place.
