VulnHub

Real-time Cybersecurity News

Copy.Fail Linux Vulnerability

Schneier on Security
LinuxExploitVulnerabilityPrivilege EscalationAmazonCanonicalSUSEDebian

Overview

A newly disclosed Linux vulnerability, dubbed 'copy.fail', poses a serious risk across multiple distributions, including Ubuntu, RHEL, Debian, SUSE, Amazon Linux, and Fedora. Revealed by Theori on April 29, 2026, this local privilege escalation flaw allows attackers to manipulate the Linux kernel's crypto API to write unauthorized data into the page cache of files they do not own. Importantly, the exploit does not modify files on disk, making it difficult for traditional monitoring tools like AIDE and Tripwire to detect. This vulnerability is concerning because it affects a wide range of systems without requiring any specific modifications for different distributions. Organizations using these Linux variants should prioritize assessing their security posture and applying necessary mitigations to protect against potential exploitation.

Key Takeaways

  • Affected Systems: Ubuntu, RHEL, Debian, SUSE, Amazon Linux, Fedora, and most other Linux distributions
  • Action Required: Organizations should assess their security posture and apply necessary mitigations, including monitoring system behavior and potentially implementing kernel patches as they become available.
  • Timeline: Disclosed on April 29, 2026

Original Article Summary

This is the worst Linux vulnerability in years. TL;DR copy.fail is a Linux kernel local privilege escalation, not a browser or clipboard attack. Disclosed by Theori on 29 April 2026 with a working PoC. It abuses the kernel crypto API (AF_ALG sockets) plus splice() to write four bytes at a time straight into the page cache of a file the attacker does not own. The exploit works unmodified across Ubuntu, RHEL, Debian, SUSE, Amazon Linux, Fedora and most others. No race condition, no per-distro offsets. The file on disk is never modified. AIDE, Tripwire and checksum-based monitoring see nothing. ...

Impact

Ubuntu, RHEL, Debian, SUSE, Amazon Linux, Fedora, and most other Linux distributions

Exploitation Status

The exploitation status is currently unknown. Monitor vendor advisories and security bulletins for updates.

Timeline

Disclosed on April 29, 2026

Remediation

Organizations should assess their security posture and apply necessary mitigations, including monitoring system behavior and potentially implementing kernel patches as they become available.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to Linux, Exploit, Vulnerability, and 5 more.

Read Original Article

Related Coverage

Charter Communications Data Breach Could Impact Nearly 5 Million

SecurityWeek

Charter Communications is facing a significant data breach that may affect nearly 5 million individuals. The ShinyHunters group, known for its extortion tactics, leaked over 42 million records purportedly taken from Charter in April. This incident raises serious concerns about the security of personal information for those connected with the company. The leaked data could potentially include sensitive information, putting affected users at risk of identity theft and fraud. Companies must prioritize data protection measures to prevent such breaches and safeguard customer data.

May 29, 2026

Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit

The Hacker News

A threat actor has been exploiting a vulnerability in Marimo notebooks, specifically CVE-2026-39987, to gain unauthorized access. After taking control of a publicly accessible notebook, the attacker utilized a large language model (LLM) agent to carry out further actions. They extracted cloud credentials from the compromised system, which could potentially lead to additional breaches or data leaks. This incident raises concerns for organizations using Marimo products, as it demonstrates how quickly attackers can adapt and use advanced tools for post-exploitation activities. Companies must remain vigilant and ensure their systems are secured against such vulnerabilities.

May 29, 2026

From $5 Attacks to Botnet-Powered Platforms: Inside the DDoS-as-a- Service Market

BleepingComputer

DDoS attacks are now being commercialized as subscription services, with various pricing tiers and support options available. This change has transformed the DDoS landscape from a collection of basic tools into sophisticated platforms that can be accessed more easily by malicious actors. The article discusses how these services allow even those with limited technical skills to launch large-scale attacks against targeted websites or services. This trend poses a significant risk to businesses and organizations, as the accessibility of these services means that anyone can potentially disrupt online operations for a relatively low cost. The growing prevalence of DDoS-as-a-Service not only complicates the security landscape but also raises concerns about the potential for increased cybercrime.

May 29, 2026

Dutch govt disrupts malware botnet with 17 million infected devices

BleepingComputer

Dutch authorities have successfully dismantled a large botnet that had infected around 17 million devices. The operation involved taking down over 200 servers from a local hosting provider that were crucial to the botnet's functionality. This action is significant as such botnets can be used for various malicious activities, including launching distributed denial-of-service (DDoS) attacks and distributing spam or malware. The disruption not only impacts the cybercriminals behind the botnet but also helps protect the millions of devices that were compromised. By targeting the infrastructure supporting these attacks, the Dutch government aims to enhance overall internet security and reduce the risk of further exploitation of infected devices.

May 29, 2026

California Sues 23andMe, Alleging It Failed to Protect User Data in 2023 Breach

SecurityWeek

California's Attorney General Rob Bonta has filed a lawsuit against 23andMe, the genetic testing company, alleging that it failed to adequately protect user data following a breach earlier this year. The lawsuit comes after the company, now operating under the name Chrome Holding Co. due to bankruptcy proceedings, reportedly exposed sensitive information of its users. This breach raises significant concerns about data privacy and the responsibilities of companies handling personal information. If the allegations are proven, it could lead to stricter regulations and greater scrutiny of how personal data is managed in the biotech industry. Users who trusted 23andMe with their genetic information are particularly affected, as their sensitive data may have been compromised.

May 29, 2026

Man sent to prison for selling data of 7 millions elderly Americans

BleepingComputer

A man from North Carolina has been sentenced to over 10 years in prison for selling the personal data of more than 7 million elderly Americans to scammers based in Jamaica. The man, whose actions have raised concerns about privacy and security, provided sensitive information like names, addresses, and Social Security numbers. This breach not only puts the affected individuals at risk of identity theft but also highlights the ongoing issue of data exploitation in the digital age. Law enforcement officials emphasize the need for stronger protections for vulnerable populations, particularly the elderly, who are often prime targets for scams. The case serves as a reminder of the importance of safeguarding personal information and the severe consequences for those who exploit it.

May 29, 2026