Message-ID: <87v7d4b7a3.fsf@gentoo.org>
Date: Sun, 03 May 2026 20:52:04 +0100
From: Sam James <sam@...too.org>
To: oss-security@...ts.openwall.com, Taeyang Lee <0wn@...ori.io>
Subject: Precise disclosure contents for copyfail (Re: CVE-2026-31431: CopyFail: linux local privilege escalation)

Jan Schaumann <jschauma@...meister.org> writes:
> Hi,
>
> This is currently making the rounds and looks pretty
> severe:
>
> https://copy.fail/
>
> A local privilege escalation vulnerability with a
> working PoC python script exploiting a logic flaw in
> the kernel crypto API (AF_ALG) affecting most Linux
> distributions.
>
> More detailed write-up:
> https://xint.io/blog/copy-fail-linux-distributions
>
> [...]

Are we aware of what precisely xint disclosed to the kernel security
team?

My assumption based on the tool output in the write-up is that enough
was disclosed to know this was at least an easily-exploitable LPE (*).

(*) Because part of their promotion here is for the tool's ability to
get the analysis right, so it implies that they didn't figure it out
later, and that the tool did "most of the work". Whether or not that's
actually the case, I of course don't know.

thanks,
sam