Edited by humans. Written by AI. How our editing works
All articles

Copy.fail: The Linux Exploit That Works on Every Distro

A new privilege escalation vulnerability dubbed copy.fail affects all Linux distributions since 2017. Here's how the exploit actually works.

Tyler Nakamura

Written by AI. Tyler Nakamura

May 3, 20265 min read
Share:
A concerned man with glasses holds his hands to his face beside logos of 20+ Linux distributions with "HACKED" in red text…

Photo: AI. Kai Hargrove

There's a new Linux vulnerability making the rounds, and it's the kind that makes security researchers go "wait, what?" It's called copy.fail, and if you've been running Linux since 2017—which, let's be real, is basically everyone—your system is vulnerable to local privilege escalation.

The wild part? It's a single 732-byte Python script that works on every single distribution of Linux. No distro-specific patches needed. No kernel version targeting. Just run it, and boom—root access.

What Makes This Different

Most privilege escalation exploits are finicky. They rely on specific timing windows, particular kernel offsets, or version-specific quirks. You need different exploits for Ubuntu vs. Fedora vs. Arch. Not this one.

Copy.fail is what's called a logic bug—a fundamental flaw in how the kernel handles certain operations. The Low Level channel's demonstration took about two hours of research to fully understand, and honestly, that tracks. This isn't your standard buffer overflow or race condition. It's a beautiful, terrible exploit that abuses Linux's cryptographic socket subsystem in a way that nobody saw coming.

"Copy.fail is a local privilege escalation," the presenter explains. "This is a vulnerability that requires you to have access on a computer already, but if you're there on any version of Linux since 2017, you could use this vulnerability to escalate up to root."

So yeah, if an attacker already has a foothold on your system—maybe through a compromised service account or a phishing attack—this is their golden ticket to complete control.

How It Actually Works

The exploit targets something called the AF_ALG socket, which is Linux's way of letting userspace programs access kernel-level cryptographic algorithms. This is actually a good feature in theory—you shouldn't roll your own crypto, and the kernel might have hardware acceleration that makes encryption faster.

Here's where it gets technical, but stay with me because the cleverness is worth it.

Linux sockets use scatter lists to track where data lives in memory—linked lists of pages, offsets, and lengths. When you send data through a socket, the kernel needs to know which physical memory pages contain your data. Input scatter lists track what you're sending; output scatter lists track what comes back.

The AF_ALG socket handles authenticated encryption with associated data (AEAD), which combines encryption with authentication. Think of it like sending a locked box where you also know who sent it. The kernel expects data in a specific order: authenticated data, encrypted payload, then authentication tags.

Normally, input scatter lists are read-only from the kernel's perspective. But back in 2017, someone made an optimization: for performance reasons, the kernel started using a reference to the tags page as the output location for crypto operations. The input and output scatter lists pointed to the same memory.

That optimization is the crack in the foundation.

The Splice Trick

The exploit uses a Linux system call called splice(), which pipes data from one file descriptor into another. Here's the clever bit: instead of sending all the required data through normal channels, the exploit sends the authenticated data and encrypted payload normally, then uses splice() to append a page from a completely different file—specifically, /usr/bin/su, the setuid binary that lets users switch to root.

"What splice allows you to do is take a pipe and pipe the data associated with a file descriptor and pipe it into a socket," the presenter explains. "What that allows you to do is take a page and append it to an input scatter list."

When the cryptographic algorithm runs, it writes temporary scratch data—just four bytes at a time—into what it thinks is its normal workspace. But because of the splice operation, those four bytes are actually being written into the cached memory page for /usr/bin/su.

The attacker can control exactly which offset those four bytes land at. Write at offset 0, then offset 4, then offset 8, gradually overwriting the entire binary in the kernel's page cache. Not on disk—just in memory.

When the exploit finally executes /usr/bin/su, the kernel doesn't reload it from disk. It already has a cached version in memory. Except that cached version is now shellcode. And because the kernel still sees it as the original setuid binary, it runs that shellcode as root.

Bada bing, bada boom—root access without entering a password.

What This Means for Real Systems

The demonstration showed this working on a system from March 27th, 2024. The vulnerability has been lurking since 2017. That's seven years of exposure.

To be clear: this is a local privilege escalation, not remote code execution. An attacker needs some level of access to your system first. But in the real world, that's not much of a barrier. Compromised credentials, vulnerable services, supply chain attacks—there are plenty of ways to get that initial foothold. Once someone's in, copy.fail hands them the keys to the kingdom.

The fix involves reverting the 2017 optimization that made input and output scatter lists share memory. There's a mainline kernel commit (A664B) that addresses it. If the AEAD module is compiled separately as a loadable kernel module, you can disable it entirely and prevent it from loading on boot.

But here's the thing about logic bugs: they don't show up in automated testing the same way memory corruption issues do. They're design flaws, not implementation mistakes. Someone had to think really hard about how these systems interact to find this.

That's both encouraging and terrifying. Encouraging because it means the exploit required genuine ingenuity. Terrifying because it means there might be other logic bugs hiding in plain sight, waiting for someone clever enough to connect the dots.

For now, patch your systems. Check your kernel versions. And maybe rethink your assumption that local privilege escalation is a minor concern. In a world where attackers move from initial compromise to full domain control in under an hour, every escalation path matters.

—Tyler Nakamura

From the BuzzRAG Team

We Watch Tech YouTube So You Don't Have To

Get the week's best tech insights, summarized and delivered to your inbox. No fluff, no spam.

Weekly digestNo spamUnsubscribe anytime

More Like This

Two professionals in a PM interview discussion with purple branding and "2x Product Growth" header text visible

Strategies for Converting Grammarly's Free Users to Paid Subscribers

Explore strategies for doubling Grammarly's paid subscribers through user insights, growth funnel tactics, and retention strategies.

Tyler Nakamura·6 months ago·3 min read
Developer in glasses reacting with hands on face while reviewing code for an RCE exploit module on screen

Unpacking 2026's First Major Security Bug

Explore the critical HPE1 view bug, a 10.0 CVSS vulnerability disrupting corporate management.

Tyler Nakamura·6 months ago·4 min read
Four men's headshots against black background with yellow banner reading "Opus 4.6 Crushes Benchmarks" and names labeled…

Claude Opus 4.6 Found 500+ Critical Bugs in Open Source

Anthropic's Claude Opus 4.6 discovered over 500 high-severity vulnerabilities in open-source code. What this means for software security going forward.

Rachel "Rach" Kovacs·5 months ago·6 min read
Man wearing glasses with skeptical expression next to notepad with red "HACKED?" text banner on black background

Windows Notepad Bug Shows Why Simple Apps Should Stay Simple

A new Windows 11 Notepad vulnerability reveals how feature bloat creates security risks in tools that used to be perfectly simple.

Tyler Nakamura·5 months ago·5 min read
Man with glasses looking shocked next to red and white logo with "HACKED" text on black background

Trend Micro's Vulnerability: A Hacker's Dream?

Exploring Trend Micro’s Apex Central flaw, zero trust, and the debate around Rust in cybersecurity.

Mike Sullivan·6 months ago·3 min read
Man wearing glasses with confused expression next to computer terminal displaying hexadecimal code and "WTF..." text

This VoIP Phone Vulnerability Is Straight Out of 1995

A critical security flaw in Grandstream office phones exposes the persistent gap between consumer device expectations and embedded systems reality.

Bob Reynolds·5 months ago·6 min read
Man wearing glasses with skeptical expression beside text "TOO GOOD TO RELEASE?" against black background with decorative…

Anthropic's Claude Mythos Found Thousands of Zero-Days

Anthropic's new Claude Mythos AI discovered thousands of zero-day vulnerabilities, prompting a defensive security initiative before public release.

Tyler Nakamura·3 months ago·6 min read
Multiple rockets launching diagonally across a space background with planets and constellations, featuring gear symbols and…

Async Rust Performance: What Most Developers Get Wrong

Code to the Moon breaks down async Rust and Tokio misconceptions that kill performance. Single-threaded concurrency vs parallelism explained.

Tyler Nakamura·3 months ago·6 min read

RAG·vector embedding

2026-05-03
1,376 tokens1536-dimmodel text-embedding-3-small

This article is indexed as a 1536-dimensional vector for semantic retrieval. Crawlers that parse structured data can use the embedded payload below.