Microsoft Issues Warning About Linux 'Copy Fail' Vulnerability (linux-magazine.com)
joshuark shares a report from Linux Magazine: Microsoft has issued a warning that a vulnerability with a CVSS score of 7.8 has been found in the Linux kernel. The vulnerability in question is tagged CVE-2026-31431 and, according to the Cybersecurity and Infrastructure Security Agency (CISA), "This Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise."
The distributions affected are Ubuntu, Red Hat, SUSE, Debian, Fedora, Arch Linux, and Amazon Linux. This could also affect any distribution based on those in the list, which means pretty much every Linux distro that isn't independent. The flaw is found in the Linux kernel cryptographic subsystem's algif_aead module of AF_ALG. The problem is that a particular optimization has led to the kernel reusing the source memory as the destination during cryptographic operations. What this means is that attackers can take advantage of interactions between the AF_ALG socket interface and a splice() system call. Until patches are released, Microsoft is advising that the affected crypto feature should be disabled, or AF_ALG socket creation should be blocked. The vulnerability is also known as "Copy Fail," which has been shared on Slashdot and detailed in a technical report. The vulnerability affects almost every version of the Linux OS and is now being exploited in the wild. U.S. cybersecurity agency CISA has ordered all civilian federal agencies to patch any affected systems by May 15.
Re:Friendly reminder (Score:5, Informative)
First, the report is a few days late....
Second, the /etc/modprobe.d mitigation DOES NOT WORK on Red Hat Enterprise Linux. The affected module is compiled into the kernel, and must be disabled using kernel boot parameters.
implement: grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
reboot required
verify: cat /proc/cmdline | grep initcall_blacklist
revert: grubby --update-kernel=ALL --remove-args="initcall_blacklist=algif_aead_init"
Kernel updates for RHEL 8,9 and 10 have been released. Ubuntu hasn't released anything except kmod fixes yet.
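The distinction the commenter draws (a modprobe.d entry does nothing when algif_aead is compiled into the kernel, so RHEL needs the initcall_blacklist boot parameter instead) is easy to get wrong when auditing a fleet. The following shell script is an added example, not code from the article, from Microsoft, from Red Hat or from the commenter: it classifies a host by which mitigation is actually in effect. The check functions take text as arguments so they can be run against captured files from another machine; the sample values at the top are constructed, and the paths /proc/cmdline, /etc/modprobe.d/*.conf and /lib/modules/$(uname -r)/modules.builtin are the standard locations the live check reads.

```shell
#!/bin/sh
# Added example (not from the article or the thread): determine which of the
# algif_aead mitigations discussed above is in effect on a host.

# Return 0 if a kernel command line contains initcall_blacklist covering
# algif_aead_init (the only form that works when the module is built in).
# $1 is the command-line text (normally the contents of /proc/cmdline).
cmdline_blocks_algif_aead() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | grep -Eq '^initcall_blacklist=(.*,)?algif_aead_init(,.*)?$'
}

# Return 0 if modprobe configuration text blocks algif_aead. Comments are
# stripped first. "blacklist" only stops alias-based autoloading; an
# "install algif_aead /bin/false" line also defeats an explicit modprobe.
# $1 is the text of the modprobe.d file(s).
modprobe_blocks_algif_aead() {
    printf '%s\n' "$1" | sed 's/#.*//' \
        | grep -Eq '^[[:space:]]*(blacklist[[:space:]]+algif_aead|install[[:space:]]+algif_aead[[:space:]]+/bin/(false|true))[[:space:]]*$'
}

# Return 0 if algif_aead is compiled into the kernel, in which case no
# modprobe.d entry can disable it. $1 is the text of modules.builtin.
builtin_has_algif_aead() {
    printf '%s\n' "$1" | grep -q '/algif_aead\.ko$'
}

# Classify a host from captured text. Prints one of:
#   boot-param   initcall_blacklist covers algif_aead_init (built-in or module)
#   modprobe     modprobe.d blocks it and it is a loadable module
#   ineffective  modprobe.d entry present but the module is built in (RHEL case)
#   none         no mitigation found; apply the vendor kernel update
# Arguments: cmdline text, modprobe.d text, modules.builtin text.
mitigation_status() {
    if cmdline_blocks_algif_aead "$1"; then
        echo boot-param
    elif modprobe_blocks_algif_aead "$2"; then
        if builtin_has_algif_aead "$3"; then echo ineffective; else echo modprobe; fi
    else
        echo none
    fi
}

# Live check of this host; files that do not exist simply read as empty.
report_host() {
    mitigation_status \
        "$(cat /proc/cmdline 2>/dev/null || true)" \
        "$(cat /etc/modprobe.d/*.conf 2>/dev/null || true)" \
        "$(cat "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null || true)"
}

# Constructed sample inputs (not captured from any real host).
SAMPLE_CMDLINE_RHEL='BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rhel-root ro initcall_blacklist=algif_aead_init'
SAMPLE_CMDLINE_PLAIN='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet'
SAMPLE_MODPROBE='# local hardening
blacklist algif_aead
install algif_aead /bin/false'
SAMPLE_BUILTIN='kernel/crypto/algif_aead.ko
kernel/crypto/af_alg.ko'

echo "sample RHEL boot parameter: $(mitigation_status "$SAMPLE_CMDLINE_RHEL" "" "")"
echo "sample modprobe.d on built-in kernel: $(mitigation_status "$SAMPLE_CMDLINE_PLAIN" "$SAMPLE_MODPROBE" "$SAMPLE_BUILTIN")"
echo "this host: $(report_host)"
```

The "ineffective" result is the case the commenter warns about: the blacklist entry looks like a fix in a config review but the kernel still registers the AF_ALG aead interface at boot. Treat "none" and "ineffective" the same way operationally, and prefer the vendor's patched kernel over either workaround once it is available.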
Re: (Score:2)
Why?
Re: Friendly reminder (Score:3)
Re: (Score:1)
No. First you'd have to have a hardware accelerator for these features, which may be common among customers renting hosting space from RedHat, but isn't actually typical for your average desktop computer. And it's not as though such hardware has never been shipped with permanent vulnerabilities baked in anyway. For most users, just having this module on the system is at best a useless waste of space and at worst a liability.
Re: Friendly reminder (Score:2)
Hm? Wasn't AES-NI introduced in Sandy Bridge?
Re:Friendly reminder (Score:4, Insightful)
My uptime, on the machine I'm posting from, is nearing a year, and this module has never been loaded. So, no, 100% of users apparently don't need this, at all.
Re: (Score:2)
>> Because it's tiny and gives hardware acceleration to a function 100% of users need.
> My uptime, on the machine I'm posting from, is nearing a year, and this module has never been loaded. So, no, 100% of users apparently don't need this, at all.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Re: (Score:2)
SSH, HTTPS, scp, likely any protocol ending in an S in fact.
SSH can work very well with non-aes primitives, with chacha20 being both more secure and faster
The major distros however don't tend to do "custom distro" for you.
They generate various keys using AES on first install. They want you to either have an Internet capable system or at least be able to apt-get install a web browser.
Please show your work that any major distro creates ANY aes key on install. If you are conflating ssh key with AES, then see above.
So the real answer to your question is, why wouldn't you want a pre-loaded driver to use your systems hardware accelerated AES?
1) Because outside WDE, AES is not often used in any performance critical way for 99% of users
2) Because AES-NI is not universally trusted
3) Because in most places where AES previously was beneficial, there are now faster and more secure algos
4) Because every compiled-in default is at
Re: (Score:2)
Because this vulnerability impacts a large swath of Linux devices, it is strongly recommended to do the following:
Re: (Score:3)
The Microsoft article was posted on May 1st [archive.org] and links to the Red Hat article (for which the solution is behind their paywall). And directs people to apply the vendor's patches or guidance if possible instead of manual settings changes.
Re: Friendly reminder (Score:2)
While you're at it, you also need to block installing esp4, esp6, and rxrpc, for, y'know, reasons.
What gives? (Score:3)
This is literally the third /. mention of this in a very short period of time, nevermind the fact that it's been broadcast literally everywhere and is the biggest security vuln found since sliced bread (or heartbleed). It's been fixed and available for "ages" now on every major distro.
Re:What gives? (Score:4, Insightful)
> This is literally the third /. mention of this in a very short period of time, nevermind the fact that it's been broadcast literally everywhere and is the biggest security vuln found since sliced bread (or heartbleed). It's been fixed and available for "ages" now on every major distro.
One would almost begin to suspect that there is a vested interest in making Linux appear to be far more vulnerable than the "alternatives" to Linux.
Re:What gives? (Score:4, Informative)
Not for ages. Less than a week. For many, that's not time enough to get the patch.
OTOH, it's a local vulnerability, so many systems aren't affected. I've got one that hasn't been hooked up to the internet in well over a month, and it won't be affected until the next time it's hooked up. (I may do a reinstall before then.)
Re: (Score:2)
We keep acting like we're still in the world of bare metal and VM based servers. But so much of the world is running on containerized (kubernetes, docker, etc) and lambda compute nowadays, and that's where these sorts of bugs get dangerous. It takes one docker container running a shitty unpatched version of wordpress or some nodejs slop and you have your platform for bypassing the container's cgroup and pwning the kernel, granting access to po
Re: (Score:2)
Also, the larger companies are more likely to update their own equipment. (Yeah, not always. Sigh.) But I was more thinking of small devices, often embedded, that aren't usually updated.
Re: (Score:2)
Also, why the fuck is it news that Microsoft is posting about it? TFS or TFA give absolutely no indication as to why.
This is just a dupe, nothing more.
Re: (Score:2, Funny)
> Also, why the fuck is it news that Microsoft is posting about it? TFS or TFA give absolutely no indication as to why.
> This is just a dupe, nothing more.
Because M$ is THE EXPERT on vulnerabilities.
Re: (Score:2)
our apologies, sir. would you prefer a slashvertisement instead?
Re:What gives? (Score:4, Interesting)
Re: (Score:2)
That is literally ages in 2026 internet time. The world itself moves much faster. Entire nations have been toppled in less than a day, in the past year. A week is an eternity to wait to mention something like this, particularly when it's literally just a repost of something that was posted a week ago.
Pffft... (Score:5, Informative)
Old news and 3 times on Slashdot. The new kids have already moved on to Dirty Frag [github.com], a new Linux local privilege escalation vulnerability.
Re: (Score:3)
> The new kids have already moved on to Dirty Frag [github.com], a new Linux local privilege escalation vulnerability.
Question is, who's the jackass that broke the embargo on this one?
Not news (Score:5, Informative)
The article doesn't even link to the Microsoft article [microsoft.com], which is on the Microsoft Defender blog. This isn't a huge surprise since that's Microsoft's security product that covers cloud servers including in Azure, AWS and GCP [microsoft.com].
So the sub-text of this being Microsoft pointing out Linux vulns is pretty silly since Microsoft makes a lot of money off of people running Linux on their cloud and on their competitors' kit. Outside of that, the rest of this has already been covered.
Re:Not news (Score:4, Insightful)
> So the sub-text of this being Microsoft pointing out Linux vulns is pretty silly since Microsoft makes a lot of money off of people running Linux on their cloud and on their competitors' kit.
It's not silly at all precisely FOR this reason. Microsoft not only ships Linux, but WSL distros are also affected (as of right now if you install Ubuntu from the Microsoft store you will be vulnerable). Also read the Microsoft article you linked. Microsoft is pointing this out because Defender has been updated to help scan for CopyFail exploitation toolkits as well as identify vulnerable systems in your enterprise environment.
Why is it silly for Microsoft's Defender team to literally do the job you pay them to do and publish advisories on their software updates?
Just wait until they discover dirty frag (Score:1)
https://dirtyfrag.io. Nearly the same vulnerability, different access vector.
They are a bit late (Score:2)
Anybody competent has already patched it or at least done the temporary fix.
Disinformation at its finest. (Score:3, Insightful)
If MS was being honest here, they would have stated that OUT OF DATE Linux is vulnerable.
Unlike MS, the Linux community fixes their issues and moves on.
Re: (Score:2, Insightful)
> If MS was being honest here, they would have stated that OUT OF DATE Linux is vulnerable.
> Unlike MS, the Linux community fixes their issues and moves on.
False. Not only are there several distributions which have not yet rolled out a fix, but there are several distributions available in the Windows Store *right now* for WSL2 which are vulnerable.
There's nothing dishonest about what MS said, only the framing of articles talking about what MS said. MS stuck 100% to the facts and their release on Defender updates for enterprise specifically mentions what it is they are detecting.
> Unlike MS, the Linux community fixes their issues and moves on.
That is horseshit on both accounts. The world is full of vulnerable unpatched Linux
Old News (Score:3)
My server got compromised last week by this, Slashdot is quite far behind.
There's two new exploits in the Copy Fail class that do privilege escalation everyone should be worried about on shared servers. Copy Fail 2: Electric Boogaloo (https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo) and Dirty Frag (https://github.com/V4bel/dirtyfrag)
I am rather disappointed that Ubuntu sat on these LPEs for a month without releasing a fix.
MS linux issues (Score:1)
Re: (Score:3)
Microsoft embraced Linux years ago. And so far, no sign of "extend". WSL2 is awesome.
Nadella is no Ballmer.