The most severe Linux threat to surface in years catches the world flat-footed

Publicly released exploit code for an effectively unpatched vulnerability that gives root access to virtually all releases of Linux is setting off alarm bells as defenders scramble to ward off severe compromises inside data centers and on personal devices.

The vulnerability and the code that exploits it were released Wednesday evening by researchers from security firm Theori, five weeks after they privately disclosed it to the Linux kernel security team. The team patched the vulnerability in versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254, but few Linux distributions had incorporated those fixes at the time the exploit was released.

A single script hacks all distros

The critical flaw, tracked as CVE-2026-31431 and named CopyFail, is a local privilege escalation, a vulnerability class that allows unprivileged users to elevate themselves to administrators. CopyFail is particularly severe because it can be exploited with a single piece of exploit code, released in Wednesday’s disclosure, that works across all vulnerable distributions with no modification.

With that, an attacker can, among other things, hack multi-tenant systems, break out of containers based on Kubernetes or other frameworks, and create malicious pull requests that pipe the exploit code through CI/CD workflows.

“‘Local privilege escalation’ sounds dry, so let me unpack it,” researcher Jorijn Schrijvershof wrote Thursday. “It means: an attacker who already has some way to run code on the machine, even as the most boring unprivileged user, can promote themselves to root. From there they can read every file, install backdoors, watch every process, and pivot to other systems.”

Schrijvershof added that the same Python script Theori released works reliably for Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6, and Debian 12. The researcher continued: “Why does that matter on shared infrastructure? Because ‘local’ covers a lot of ground in 2026: every container on a shared Kubernetes node, every tenant on a shared hosting box, every CI/CD job that runs untrusted pull-request code, every WSL2 instance on a Windows laptop, every containerised AI agent given shell access. They all share one Linux kernel with their neighbours. A kernel LPE collapses that boundary.”

The vulnerability stems from a “straight-line” logic flaw in the kernel’s crypto API. Many exploits for race conditions and memory corruption flaws don’t succeed consistently across kernel versions or distributions, or sometimes even on the same machine. Because the code released for CopyFail exploits a logic flaw, “reliability isn’t probabilistic, and the same script works across distributions,” researchers from Bugcrowd wrote. “No race window, no kernel offset.”

CopyFail gets its name because the authencesn AEAD template (used for IPsec extended sequence numbers) doesn’t actually copy data when it should. Instead, it “uses the caller’s destination buffer as a scratch pad, scribbles 4 bytes past the legitimate output region, and never restores them,” Theori said. “The ‘copy’ of the AAD ESN bytes ‘fails’ to stay inside the destination buffer.”

The worst Linux vuln in years

Other security experts echoed the view that CopyFail poses a serious threat, with one calling it among the “worst make-me-root vulnerabilities in the kernel in recent times.” The most recent comparable Linux vulnerabilities were Dirty Pipe in 2022 and Dirty Cow in 2016. Both were actively exploited in the wild.

“The org doing the disclosure… did an absolutely terrible job of vulnerability coordination,” Will Dormann, a senior principal vulnerability analyst at Tharros Labs, said in an interview. “What is mind-boggling to me is that in their writeup they both: A) list 4 affected vendors, and B) tell readers to apply vendor patches. But before firing away with the publication, they didn’t bother to see if ANY of the vendors that they list ACTUALLY HAVE PATCHES. (None do).”

Distributions known to have patched the vulnerability included Arch Linux and Red Hat’s Fedora. Those known to have released mitigation guidance at the time this post went live include SUSE, Red Hat, and Ubuntu. People seeking the status of other distributions should check with the respective vendors.

Theori said it discovered the vulnerability after its researcher, Taeyang Lee, found that the crypto subsystem’s attack surface had been underexplored. Using the company’s AI-powered Xint code security tool, the researchers then found the bug after about an hour of scan time. The company said it has also developed an exploit that uses CopyFail to break out of Kubernetes containers. The severity of the threat posed by CopyFail and the likelihood of active exploitation are high enough that all Linux users should investigate their systems immediately.
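One way to start that investigation, as an added example that is not from the article, from Theori, or from any distribution: compare the running kernel’s release string against the upstream stable versions listed above as carrying the fix. It assumes a `uname -r`-style string and reports upstream status only, since distributions backport fixes under their own version strings and their advisories remain the authority.

```python
"""Compare a kernel release string with the upstream stable releases that
carry the CopyFail (CVE-2026-31431) fix, as listed in the article."""
import platform
import re

# Minimum upstream release containing the fix, keyed by stable series (major, minor).
FIXED_IN = {
    (7, 0): (7, 0, 0),
    (6, 19): (6, 19, 12),
    (6, 18): (6, 18, 12),
    (6, 12): (6, 12, 85),
    (6, 6): (6, 6, 137),
    (6, 1): (6, 1, 170),
    (5, 15): (5, 15, 204),
    (5, 10): (5, 10, 254),
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

def parse_release(release):
    """(major, minor, patch) from a `uname -r` string such as '6.12.84-1-generic';
    the distro suffix is ignored. Returns None if the string has no version."""
    m = _VERSION_RE.match(release)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def fix_status(release):
    """Return 'fixed', 'unfixed' or 'unknown' for the upstream number only.
    'unknown' covers unparseable strings, release candidates and stable series
    the article does not list. 7.0 and every later mainline release count as
    fixed, since the fix landed in 7.0. Distribution kernels backport fixes
    under their own version strings, so 'unfixed' means "consult the vendor",
    not "vulnerable"."""
    if "-rc" in release:
        return "unknown"
    v = parse_release(release)
    if v is None:
        return "unknown"
    series = v[:2]
    if series in FIXED_IN:
        return "fixed" if v >= FIXED_IN[series] else "unfixed"
    if v >= (7, 0, 0):
        return "fixed"
    return "unknown"

if __name__ == "__main__":
    running = platform.release()
    print(f"{running}: upstream fix status = {fix_status(running)}")
```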