Skip to content
Tech News
← Back to articles

CopyFail: From Pod to Host

2026-05-19 | original
read original get USB Microphone for Podcasting → more articles
Why This Matters

The Copy Fail vulnerability highlights a significant security risk in Linux systems by enabling attackers to perform local privilege escalations through kernel memory corruption. Its versatility allows for various malicious exploits, including bypassing container boundaries and rewriting critical binaries, posing a serious threat to both enterprise and consumer Linux environments. Addressing this flaw is crucial for maintaining system integrity and preventing potential breaches.

Key Takeaways

Two weeks ago, we disclosed Copy Fail, a new and exceptionally dangerous Linux local-privilege escalation vulnerability.

Copy Fail exploits a kernel memory corruption flaw without injecting code into a running kernel, which makes it small and unusually portable. Copy Fail gives attackers a repeatable, controlled 4-byte write into the Linux page cache backing any readable file; in other words, it allows attackers to rewrite the cached contents of files on a Linux filesystem.

To help operators determine their susceptibility to Copy Fail, we published a proof-of-concept exploit and a model attack path. Our model attack targets the su binary present on most Linux systems. Because su is setuid root, an attacker who can rewrite it and then execute it can escalate to root. Instead of having it ask for and check a root password, the rewritten su skips the paperwork and drops the caller straight into a root shell.

Our proof-of-concept led some to believe that rewriting setuid binaries like su was the extent of the attack. Not so! The capability that Copy Fail and related page cache writing exploits extend to attackers is powerful and versatile. As an example, let’s walk through how to use it to break out of a namespaced container.

To understand this new exploit pattern, you have to understand a little bit about what’s happening under the hood in Copy Fail.

Copy Fail works by confusing the kernel code that handles IPSec ESP Extended Sequence Numbers ( authencesn ). This code is exposed to unprivileged users via AF_ALG sockets, which are userland’s interface to Linux’s kernel cryptography subsystem.

Specifically, Copy Fail sets the authencesn code up to think it’s looking at disposable scratch memory when it’s really handling a mutable reference to the page cache. It tells the kernel’s cryptography code to decrypt a ciphertext blob, using bytes supplied by a zero-length copy from a pipe using splice(2) .

Because the wire format for IPSec ESNs isn’t the implicit format the crypto code operates on, the authencesn code shuffles sequence numbers around. But the code isn’t handling a disposable buffer from a packet; Copy Fail has tricked it into operating on a reference to a cached file.

Cross-container kernel attacks usually corrupt kernel memory: race windows, UAFs, version-bound payloads. These primitives are powerful, as they can allow code execution at the kernel level. But they’re fragile. Copy Fail is deterministic. It’s a more reliable primitive for cross-pod compromise or runtime poisoning, without relying on kernel code execution.

There are two primary attack scenarios:

... continue reading

Explore topics: linux kernel copy fail privilege escalation setuid ipsec
Related:
Exploit released for new PinTheft Arch Linux root escalation flaw
Gentoo News: Copy Fail, Dirty Frag, and Fragnesia Kernel Vulnerabilities
Copy Fail, Dirty Frag, and Fragnesia kernel vulnerabilities
'Claw Chain' Vulnerabilities Threaten OpenClaw Deployments
Linus Torvalds says flood of duplicate AI-generated vulnerability reports have made Linux security mailing list 'almost entirely unmanageable' — private list 'a waste of time for everybody involved' in switch to new public system

© 2026 GoKawiil

About | Editorial Policy | Contact