Post B5p5ykKHCE1MfoCSSe by wdormann@infosec.exchange
Post #B5p5ykKHCE1MfoCSSe by wdormann@infosec.exchange
2026-04-29T18:37:29Z
0 likes, 0 repeats

So CopyFail CVE-2026-31431 is a thing.

If you're on the Ubuntu platform, 26.04 is not affected. 18.04 through 25.10 are indeed affected, but no fixes are available.

If you're on another platform, check with your vendor for update availability.
Post #B5p5ylOZDl2zzPDOmu by wdormann@infosec.exchange
2026-04-29T18:55:18Z
0 likes, 0 repeats

If you're using an obscure distro like "Debian", you may not have a fix available.
Post #B5p5ymMTd0yAzDFFAW by wdormann@infosec.exchange
2026-04-29T20:28:39Z
0 likes, 0 repeats

Or RHEL.

I suspect that some people use that?
Post #B5p5ynE0PzmtfEHzbU by wdormann@infosec.exchange
2026-04-30T12:46:21Z
1 likes, 1 repeats

While this vulnerability seems to have been discovered using AI ("Xint Code"), I have to assume that they also let the AI decide how to do the vulnerability coordination as well.

major builds are out as of this writing 😂

No distros have official updates for CVE-2026-31431. Fedora 42 and newer have updates, but no official advisory or acknowledgement of CVE-2026-31431. So with them it's unclear if it's even intentional. Red Hat, Ubuntu, Amazon Linux, and Suse all have advisories as of now, but NO updates.

disable the algif_aead module as a mitigation. 😂

Bespoke distros like RHEL don't use a module, it's compiled into the kernel.

I can't figure out what the Xint Code angle is with this copyfail stuff. On one hand, yes, it is a true vulnerability that affects a LOT of Linux distros available. And they did submit the bug for fixing to the upstream kernel people.

BUT the CVE has only existed for a week. And NONE of the distros IN THEIR ADVISORY had updates available at the time that they pulled the trigger for publication of the shiny copy.fail website.

I struggle to think of how this even happens. In all my years of infosec, you're either on board with doing CVD (e.g. coordinating with the former CERT/CC) or you're not (dropping 0day). But this all fits bizarrely in the middle. The publication gives the guise that they did the right thing, (and please use our AI services). But at the same time, they clearly chose to release the vulnerability details and functional exploit before any distro had the ability to properly do anything about it.

Either these Xint Code people have a hidden agenda or ulterior motive that we aren't aware of yet. Or they're just really bad at coordinated vulnerability disclosure. You pick.
Post #B5p5yrv2xuaqDsSQFM by wdormann@infosec.exchange
2026-04-30T13:38:34Z
0 likes, 0 repeats

If you're curious about IOCs for copyfail, look in syslog for:

NET: Registered PF_ALG protocol family

for attempts to exploit copyfail on systems that use the vulnerable code as a module. For systems that have the vulnerable code compiled into the kernel, like RHEL, you'll see this line on every boot.

And at least for this particular flavor of exploit, a wall-clock nearby:

process 'su' launched '/bin/sh' with NULL argv: empty string added

is an indication of successful exploitation.

But it's worth noting that the "process launched" stuff is merely what the ITW PoC will leave behind. More clever exploitation may not be as obvious.
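The two indicators above, turned into a small log scanner. This is an added example, not code from the thread or from any vendor: it applies wdormann's caveat by treating the PF_ALG registration line as merely informational when it appears inside a boot window (a kernel with af_alg built in prints it on every boot) and as suspicious when it appears long after boot (a modular kernel loads af_alg on demand when something asks for an AF_ALG socket), and it always reports the NULL-argv warning. The syslog lines, the 120-second boot window and the host name are constructed for the example.

```python
import re

# Kernel messages quoted from the post above. The PF_ALG line is printed by
# sock_register() when the af_alg socket family is registered; the second is
# the fs/exec.c warning the in-the-wild PoC leaves behind.
PF_ALG_MSG = "NET: Registered PF_ALG protocol family"
NULL_ARGV_RE = re.compile(
    r"process '(?P<parent>[^']+)' launched '(?P<child>[^']+)' with NULL argv"
)

# How long after boot a PF_ALG registration still counts as "boot-time".
# Assumption for this example: tune it to the host's real startup time.
BOOT_WINDOW_SECONDS = 120.0

# Matches the uptime stamp rsyslog/journald keep in front of kernel messages.
KERNEL_LINE_RE = re.compile(r"kernel: \[\s*(?P<uptime>\d+\.\d+)\]\s*(?P<msg>.*)$")

# Constructed sample syslog excerpt (not real data): a normal boot, then the
# af_alg module being registered hours later, followed by the PoC footprint.
SAMPLE_LOG = """\
Apr 30 08:00:01 host kernel: [    0.000000] Linux version 6.12.0 (constructed sample)
Apr 30 08:00:03 host kernel: [    2.113455] NET: Registered PF_ALG protocol family
Apr 30 08:00:09 host systemd[1]: Startup finished in 8.201s.
Apr 30 13:41:17 host kernel: [20476.221901] NET: Registered PF_ALG protocol family
Apr 30 13:41:18 host kernel: [20477.003112] process 'su' launched '/bin/sh' with NULL argv: empty string added
"""


def parse_kernel_line(line):
    """Return (uptime_seconds, message) for a kernel syslog line, else None."""
    m = KERNEL_LINE_RE.search(line)
    if m is None:
        return None
    return float(m.group("uptime")), m.group("msg")


def scan_for_copyfail(log_text, boot_window=BOOT_WINDOW_SECONDS):
    """Return (line_number, severity, note) triples for CopyFail indicators.

    PF_ALG registration inside the boot window is only informational, since a
    kernel with af_alg built in prints it on every boot. The same message well
    after boot means the module was loaded on demand, which is what a userland
    AF_ALG socket request does on a modular kernel. The NULL-argv warning is
    always reported; as the post notes, it is just the public PoC's footprint.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        parsed = parse_kernel_line(line)
        if parsed is None:
            continue
        uptime, msg = parsed
        if PF_ALG_MSG in msg:
            if uptime <= boot_window:
                findings.append((lineno, "info",
                                 "PF_ALG registered at boot (expected when af_alg is built in)"))
            else:
                findings.append((lineno, "suspicious",
                                 f"PF_ALG registered {uptime:.0f}s after boot (af_alg loaded on demand)"))
            continue
        m = NULL_ARGV_RE.search(msg)
        if m is not None:
            findings.append((lineno, "alert",
                             f"{m['parent']} launched {m['child']} with NULL argv (PoC footprint)"))
    return findings


if __name__ == "__main__":
    for lineno, severity, note in scan_for_copyfail(SAMPLE_LOG):
        print(f"line {lineno}: [{severity}] {note}")
```

Run it over `journalctl -k -o short` output or `/var/log/syslog` instead of the sample. A late PF_ALG registration is not proof of anything on its own, since any legitimate AF_ALG user would trigger the same module load, so treat it as a pivot for looking at what else happened around that time rather than as a verdict.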
Post #B5q3N1LnRghDifkpSC by wdormann@infosec.exchange
2026-04-30T18:37:32Z
1 likes, 0 repeats

What went wrong with this case?

Theori appear to have only contacted the linux kernel devs with the vulnerability, as opposed to going the usual CVD route that includes all of the major Linux distros.

Why is this a problem? Since the linux kernel became a CNA, there has been a flood of CVEs for the Linux kernel. The Linux kernel devs' argument is that any given kernel flaw could presumably be leveraged to behave as a vulnerability, and it's not worth their time to determine "vulnerability" or "not a vulnerability". Everything gets a CVE.

Now the case with copy.fail? It was indeed reported to the kernel devs. And it got a CVE. A single CVE buried in the flood of all of the Linux kernel CVEs.

And it appears that every distro on the planet was blindsided by this proven-exploitable vulnerability because they were not given any warning. Or even any suggestion to pick this single CVE out of the sea of Linux kernel CVEs as worth cherry picking.

Much to the chagrin of the Linux devs, RHEL doesn't use up-to-date Linux kernels. They cherry pick CVEs to backport to their chosen kernel version. (e.g. the latest and greatest RHEL 10.1 uses 6.12.0, which was released November 17 2024). And in this world where bad actors like Theori don't involve vendors in vulnerability coordination, and just about every Linux kernel bug gets a CVE, this workflow fails. Hard.

Good times...
Post #B5q3N6QaZIV5Sz2E7M by wdormann@infosec.exchange
2026-04-30T22:49:41Z
0 likes, 0 repeats

Unlike what the buffoons at Theori published as a "mitigation", the folks at Red Hat actually published a viable mitigation for CopyFail CVE-2026-31431.

Specifically, edit your grub (or whatever you use to load your kernel) configuration to have one of the following arguments:

initcall_blacklist=algif_aead_init
initcall_blacklist=af_alg_init
initcall_blacklist=crypto_authenc_esn_module_init

With such boot arguments to the Linux kernel, the affected bits won't be reachable.
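A way to verify and roll out the boot-argument mitigation described above, written for this page rather than taken from the thread or from Red Hat's advisory. It parses a kernel command line for `initcall_blacklist=` (the parameter can be repeated and each value is a comma-separated list), reports whether any of the three initcalls named in the post is blocked, and appends the argument idempotently to a Debian/Ubuntu-style `/etc/default/grub`. The sample grub file contents are constructed; the choice of `GRUB_CMDLINE_LINUX_DEFAULT` as the line to edit is an assumption that fits Debian-family hosts only.

```python
import re

# The three initcalls the post lists from Red Hat's mitigation; blocking any
# one of them keeps the affected AF_ALG AEAD path from being reachable.
MITIGATING_INITCALLS = frozenset({
    "algif_aead_init",
    "af_alg_init",
    "crypto_authenc_esn_module_init",
})


def blacklisted_initcalls(cmdline):
    """Collect every initcall named by initcall_blacklist= on a kernel command line.

    The parameter may be given more than once, and each value is a
    comma-separated list, so both spellings are honoured here.
    """
    names = set()
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        if sep and key == "initcall_blacklist":
            names.update(v for v in value.split(",") if v)
    return names


def mitigation_present(cmdline):
    """True if the given command line blocks at least one of the three initcalls."""
    return bool(blacklisted_initcalls(cmdline) & MITIGATING_INITCALLS)


# Debian/Ubuntu-style /etc/default/grub line (assumption for this example;
# RHEL-family hosts would use grubby instead of editing this file).
GRUB_LINE_RE = re.compile(r'^(GRUB_CMDLINE_LINUX_DEFAULT=")([^"\n]*)(")', re.MULTILINE)


def add_kernel_arg(grub_default, arg):
    """Return /etc/default/grub text with arg appended to GRUB_CMDLINE_LINUX_DEFAULT.

    Idempotent: a second call with the same arg returns the text unchanged.
    If the line is missing it is appended. Run update-grub afterwards.
    """
    def append_arg(m):
        existing = m.group(2).split()
        if arg in existing:
            return m.group(0)
        return f'{m.group(1)}{" ".join(existing + [arg])}{m.group(3)}'

    new_text, replaced = GRUB_LINE_RE.subn(append_arg, grub_default, count=1)
    if replaced == 0:
        new_text = grub_default.rstrip("\n") + f'\nGRUB_CMDLINE_LINUX_DEFAULT="{arg}"\n'
    return new_text


# Constructed sample, not a real host's configuration.
SAMPLE_GRUB_DEFAULT = """\
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX=""
"""


def running_kernel_mitigated(path="/proc/cmdline"):
    """Check the live kernel; returns None when not on Linux or unreadable."""
    try:
        with open(path) as fh:
            return mitigation_present(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    print("live kernel mitigated:", running_kernel_mitigated())
    print(add_kernel_arg(SAMPLE_GRUB_DEFAULT, "initcall_blacklist=algif_aead_init"))
```

`running_kernel_mitigated()` is the check to run after the reboot, since editing grub alone changes nothing until the kernel is booted with the new command line. On RHEL-family hosts the equivalent of the `add_kernel_arg` step is `grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"`, which edits the BLS entries rather than `/etc/default/grub`.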
Post #B5qfrRlpZtZkbZroki by lengau@mastodon.world
2026-04-30T21:24:08Z
1 likes, 0 repeats

@wdormann

> I have to assume that they also let the AI decide how to do the vulnerability coordination as well.

r/MurderedByWords material right there.
Post #B5qfs03k5o6awyVbOK by k8ie@toot.mcld.eu
2026-04-30T18:58:08Z
1 likes, 0 repeats

@wdormann I get that this was supposed to be a huge ad for Xint Code but the sloppy disclosure really just makes them look incompetent 💀
Post #B5qfs42TITSvIBwdxw by wdormann@infosec.exchange
2026-04-30T19:03:02Z
1 likes, 0 repeats

@k8ie Yes, it's clear that it was published as a "Look at us!" vehicle.

But their abysmally bad coordination put every Linux user on the planet at risk, and is clear evidence that they don't care about anybody other than themselves.
Post #B5rP2GGpAg9u3ptXiy by Viss@mastodon.social
2026-04-30T19:15:06Z
0 likes, 0 repeats

@wdormann cves turning into marketing vehicles for every company that's a cna is also undoubtedly creating problems in this vein
Post #B5rP2IWUnNsn31F5Qe by joshbressers@infosec.exchange
2026-05-01T01:43:00Z
0 likes, 0 repeats

@Viss @wdormann every AI vulnerability company wants to find something juicy, and have no idea how to coordinate the findings
Post #B5rP2JkMFKZ6qIjffs by wdormann@infosec.exchange
2026-05-01T02:01:08Z
0 likes, 0 repeats

@joshbressers @Viss If only there were human beings out there who had any sort of experience with coordinating vulnerabilities... 😂
Post #B5rP2KqQAH0eFOa1lQ by gregkh@social.kernel.org
2026-05-01T08:16:54.617041Z
0 likes, 0 repeats

@wdormann @joshbressers @Viss I love it how people think that "coordination of vulnerabilities" is actually something that can be done these days. Think of just who uses the software in question, and who should, and should not, be on such a list to get an "early disclosure notification".

As I have said for quite some time now, all early-disclosure lists are leaks, otherwise why would your government allow them to be in existence?

Software, and specifically open source software, runs the world. So should the whole world be on that notification list? :)
Post #B5rP2LVtg4BcK1z9Pc by zmanion@infosec.exchange
2026-05-01T14:38:45Z
0 likes, 0 repeats

@gregkh @joshbressers @wdormann @Viss so there's absolutely no middle ground? When there is clearly a bug with security impact, give the distros list a week notice (two weeks max, per their policy). If it leaks, outcome is no worse than not notifying distros. The researcher can even do it instead of the kernel. At scale (Linux!) this seems like a Pareto distribution: major distros cover disproportionally most users.
Post #B5rP2MBNBrMaOfOH3o by gregkh@social.kernel.org
2026-05-01T17:33:26.187898Z
1 likes, 0 repeats

@zmanion @joshbressers @wdormann @Viss Why is linux-distros somehow "special" enough to get these types of announcements and not everyone else? How exactly would you explain that to your favorite government entity?
Post #B5ul478MtMX4ln6keO by joshbressers@infosec.exchange
2026-05-03T00:58:51Z
0 likes, 0 repeats

@gregkh @wdormann @Viss This post got into my head. I think you're right, the days of coordination are over

So I wrote it down

https://opensourcesecurity.io/2026/05-vulnerability-economics/
Post #B5ul48tCMjaQDK1fHc by wolf480pl@mstdn.io
2026-05-03T08:44:41Z
0 likes, 0 repeats

@joshbressers

As a user, I don't care if my software has vulnerabilities, only if it has ones that the attackers know of.

But if vulnerabilities are so plentiful, what's the chance of a security researcher finding the same vuln that an attacker would find? Is the idea that finding & reporting vulns makes us all more secure still true?

@gregkh @wdormann @Viss
Post #B5vazU1jXne9wK7MNE by gregkh@social.kernel.org
2026-05-03T06:23:28.183138Z
0 likes, 0 repeats

@joshbressers I will quote this in many presentations in the future because it is so true:

"The Kernel assigns lots of CVEs. They say it's because they don't really know how the Kernel is being used, so they err on the side of caution. Companies hate this because they have to deal with a lot of CVEs. Does the Kernel do this because it's easier or do they have some sort of secret nefarious reason? Probably because it's just easier and they have zero downside to disclosing and moving on."
Post #B5vazUqmU0ToUe07wO by buherator@infosec.place
2026-05-03T17:30:55.059241Z
0 likes, 0 repeats

@gregkh @joshbressers What you are describing is called a "negative externality".
Post #B5vazVbDhLcuofjDKC by wolf480pl@mstdn.io
2026-05-03T18:26:31Z
0 likes, 0 repeats

@buherator @joshbressers @gregkh I wouldn't call it an externality, since it only affects those who use Linux.

It's not like you had a perfectly peaceful software ecosystem and suddenly someone started making Linux, which makes you suffer even if you don't use it.

No, it only hurts you if you do use it, and the alternative is no Linux at all.
Post #B5xTeuIqLRXzzNHXYu by Suiseiseki@freesoftwareextremist.com
2026-05-04T16:13:50.492605Z
0 likes, 0 repeats

@wolf480pl @buherator @joshbressers @gregkh It does not affect those who configure GNU Linux-libre correctly and don't have such bloated module compiled in.

Many GNU/Linux distros don't seem to include such module - although Debian does.