
Copy Fail: A Quick Fix and Analysis

Siddharth Singh

Sr. Security Researcher


Introduction

Copy Fail is a local privilege escalation (LPE) vulnerability in the Linux kernel that has been present in every mainstream distribution shipped since 2017. Discovered by Xint Code and publicly disclosed on April 29, 2026, the bug allows any unprivileged local user to gain root access using a 732-byte Python script.

It affects Ubuntu, Debian, RHEL, SUSE, Amazon Linux, Arch, Fedora, and WSL2: in short, anything running an unpatched kernel from the last nine years.

How it Works

The root cause is a 2017 "optimization" in algif_aead.c, part of the kernel's AF_ALG crypto API. That commit made AEAD operations run "in-place" by setting req->src = req->dst, so the source and destination of the crypto operation pointed to the same scatterlist.

This becomes exploitable when splice() is involved. When data is passed through splice(), the kernel doesn't copy it; instead it passes references to page cache pages, the kernel's cached copy of on-disk files. Because of the in-place design, those page cache pages ended up chained into the "writable" destination scatterlist.

An attacker can exploit this to write 4 bytes at a time into the page cache of any readable file, including setuid binaries such as /usr/bin/su. The write modifies only the in-memory cached copy, not the on-disk file, so file-integrity checks pass and do not detect the change. The page cache is also shared across container boundaries, which makes this a container escape primitive.

To read further in detail, you can visit the original write-up here.
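The paragraph above makes one point a defender can act on: the tampered bytes live only in the page cache, while the on-disk blocks stay intact. The script below is an added example, not code from the original write-up or from the kernel fix. It hashes a file twice, once through a normal read() (served from the page cache) and once through O_DIRECT (which bypasses the cache and reads the underlying blocks), and reports a mismatch when the two differ. The function and result-key names are my own; the sample file content is constructed for the demo. On filesystems without O_DIRECT support (tmpfs, some overlay mounts) the direct read is unavailable and the verdict says so rather than guessing.

```python
import hashlib
import mmap
import os
import tempfile

READ_CHUNK = 1 << 20  # 1 MiB: a multiple of any filesystem block size, as O_DIRECT requires


def sha256_via_page_cache(path: str) -> str:
    """Hash the file the way most integrity tools do: plain read(), served from the page cache."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(READ_CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_via_direct_io(path: str):
    """Hash the file with O_DIRECT, bypassing the page cache and reading the on-disk blocks.

    Returns None where O_DIRECT cannot be used (tmpfs, some overlay mounts, non-Linux hosts).
    """
    flag = getattr(os, "O_DIRECT", None)
    if flag is None:
        return None
    try:
        fd = os.open(path, os.O_RDONLY | flag)
    except OSError:
        return None
    # Anonymous mapping: page-aligned memory, which O_DIRECT demands for the buffer.
    buf = mmap.mmap(-1, READ_CHUNK)
    h = hashlib.sha256()
    try:
        remaining = os.fstat(fd).st_size
        while remaining > 0:
            n = os.readv(fd, [buf])  # aligned offset, aligned length, aligned buffer
            if n <= 0:
                break
            h.update(buf[:n])
            remaining -= n
    except OSError:
        return None
    finally:
        buf.close()
        os.close(fd)
    return h.hexdigest()


def compare_cached_vs_disk(path: str) -> dict:
    """Return both hashes for one file (hypothetical helper name)."""
    return {
        "path": path,
        "cached_sha256": sha256_via_page_cache(path),
        "disk_sha256": sha256_via_direct_io(path),
    }


def verdict(result: dict) -> str:
    """'mismatch' means the cached copy and the on-disk blocks disagree: worth investigating."""
    if result["disk_sha256"] is None:
        return "direct-io-unavailable"
    return "match" if result["cached_sha256"] == result["disk_sha256"] else "mismatch"


def demo() -> dict:
    """Run the comparison on a constructed temporary file and return the result."""
    data = b"constructed sample file content\n" * 1000  # constructed, not a real binary
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    try:
        result = compare_cached_vs_disk(path)
    finally:
        os.unlink(path)
    result["expected_sha256"] = hashlib.sha256(data).hexdigest()
    result["verdict"] = verdict(result)
    return result


if __name__ == "__main__":
    # Check the setuid binary named in the article, plus the constructed demo file.
    for candidate in ("/usr/bin/su",):
        if os.path.exists(candidate):
            print(candidate, verdict(compare_cached_vs_disk(candidate)))
    print(demo())
```

A "mismatch" is a signal, not proof: a file being rewritten at that moment can also produce one, so re-run before escalating. The check is also only as good as its reach; it says nothing about pages already mapped into a running process, and it does not replace patching.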

The Fix

The upstream patch a664bf3d603d reverts the in-place optimization entirely. Source and destination are separated:

  • req->src now points to the TX scatterlist (where splice chains page cache pages)
  • req->dst now points to the RX scatterlist (the user's recvmsg buffer)

Page cache pages are never placed in the writable destination, which eliminates the write primitive. As the commit message reads: "There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings."

Mitigation for General Linux Users
