Message-Id: <20260501165221.27420-1-justin.swartz@risingedge.co.za>
Date: Fri,  1 May 2026 18:52:19 +0200
From: Justin Swartz <justin.swartz@...ingedge.co.za>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2026-31431: CopyFail: linux local privilege escalation

On Fri, 2026-05-01 at 11:08 -0400, Reid Sutherland wrote:
> Does anything load the vulnerable module by default or not?  If not,
> this should be low-rated IMO.

An unprivileged user requesting an AF_ALG socket will trigger the kernel
module autoloader:

$ su -l
Password:

# cat > /root/modprobe << "EOF"
#!/bin/sh
echo "$(date -u) modprobe $@" >> /tmp/modprobe.log
exec /sbin/modprobe "$@"
EOF

# chmod 700 /root/modprobe

# cat /proc/sys/kernel/modprobe
/sbin/modprobe

# echo "/root/modprobe" > /proc/sys/kernel/modprobe
# cat /proc/sys/kernel/modprobe
/root/modprobe

# exit

$ lsmod | grep aead | wc -l
0

$ date -u && ./copy_fail_exp.py
Fri 01 May 2026 16:08:24 UTC

# cat /tmp/modprobe.log
Fri May  1 16:08:24 UTC 2026 modprobe -q -- net-pf-38
Fri May  1 16:08:24 UTC 2026 modprobe -q -- algif-aead

# lsmod | grep aead
algif_aead             16384  0
af_alg                 36864  1 algif_aead

# echo "/sbin/modprobe" > /proc/sys/kernel/modprobe
# cat /proc/sys/kernel/modprobe
/sbin/modprobe

# exit
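
One way to triage the log written by the /root/modprobe wrapper above, as an added example that is not part of the original message: it classifies each logged autoload request and counts those tied to AF_ALG (address family 38 on Linux). The function names classify_requests and count_af_alg are hypothetical, and the third sample line is constructed.

```shell
#!/bin/sh
# Summarise autoload requests recorded by a modprobe wrapper that logs
# "<date -u output> modprobe <args...>" per call, as in the message above.

# Sample input: the two logged lines from the message, plus one
# constructed unrelated request for contrast.
SAMPLE_LOG='Fri May  1 16:08:24 UTC 2026 modprobe -q -- net-pf-38
Fri May  1 16:08:24 UTC 2026 modprobe -q -- algif-aead
Fri May  1 16:09:02 UTC 2026 modprobe -q -- fs-vfat'

# classify_requests: read the wrapper log on stdin and print
# "<class> <request>" for every line that records a modprobe call.
classify_requests() {
    awk '
    {
        # Key on the literal "modprobe" token instead of a fixed column,
        # because the date -u format differs between locales.
        seen = 0
        for (i = 1; i < NF; i++) if ($i == "modprobe") seen = 1
        if (!seen) next
        req = $NF                       # requested alias or module name
        if (req == "net-pf-38")               class = "AF_ALG-family"
        else if (req ~ /^algif[-_]/)          class = "AF_ALG-type"
        else if (req ~ /^net-pf-[0-9]+$/)     class = "other-socket-family"
        else                                  class = "other"
        print class, req
    }'
}

# count_af_alg: number of logged requests that belong to AF_ALG, i.e. the
# socket family itself or an algif-* algorithm type module.
count_af_alg() {
    classify_requests | awk '/^AF_ALG-/ { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | classify_requests
```

On a live system the same functions can read the wrapper's file directly, for example `count_af_alg < /tmp/modprobe.log`.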
