THREATNOIR
Subscribe
Back to Feed
VulnerabilitiesMay 12, 2026

Copy.Fail Linux Vulnerability - Schneier on Security

Copy.Fail Linux kernel LPE vulnerability disclosed; affects Ubuntu, RHEL, Debian, SUSE, Amazon Linux, Fedora.

Read at source

Summary

Copy.Fail is a critical Linux kernel local privilege escalation vulnerability disclosed by Theori on 29 April 2026 that exploits the kernel crypto API (AF_ALG sockets) and splice() to write arbitrary data into the page cache of files an attacker does not own. The vulnerability works unmodified across major Linux distributions and bypasses file integrity monitoring tools like AIDE and Tripwire. Mainline fixes landed on 1 April, and distributions are rolling out patched kernels.

Full text

Copy.Fail Linux Vulnerability This is the worst Linux vulnerability in years. TL;DR copy.fail is a Linux kernel local privilege escalation, not a browser or clipboard attack. Disclosed by Theori on 29 April 2026 with a working PoC. It abuses the kernel crypto API (AF_ALG sockets) plus splice() to write four bytes at a time straight into the page cache of a file the attacker does not own. The exploit works unmodified across Ubuntu, RHEL, Debian, SUSE, Amazon Linux, Fedora and most others. No race condition, no per-distro offsets. The file on disk is never modified. AIDE, Tripwire and checksum-based monitoring see nothing. Kubernetes Pod Security Standards (Restricted) and the default RuntimeDefault seccomp profile do not block the syscall used. A custom seccomp profile is needed. The mainline fix landed on 1 April. Distros are rolling kernels out now. Patch. “Local privilege escalation” sounds dry, so let me unpack it. It means: an attacker who already has some way to run code on the machine, even as the most boring unprivileged user, can promote themselves to root. From there they can read every file, install backdoors, watch every process, and pivot to other systems. Why does that matter on shared infrastructure? Because “local” covers a lot of ground in 2026: every container on a shared Kubernetes node, every tenant on a shared hosting box, every CI/CD job that runs untrusted pull-request code, every WSL2 instance on a Windows laptop, every containerised AI agent given shell access. They all share one Linux kernel with their neighbours. A kernel LPE collapses that boundary. News article. Tags: Linux, patching, vulnerabilities Posted on May 12, 2026 at 7:06 AM • 32 Comments

Indicators of Compromise

  • malware — copy.fail

Entities

Linux kernel (technology)Ubuntu (product)RHEL (product)Debian (product)Kubernetes (product)Theori (vendor)