The binary "zip" isn't the exploit, it's the shellcode. The exploit is the rest, which changes the code of a SUID executable (su).

It makes sure people don't forget about the vulnerabilities, at least

Same reason they name storms, numbers scare normies

Probably to some extent it is marketing, but generally it has to do with significant bug finds to get the message out to the people who need to apply patches and/or be informed. Heartbleed, Log4Shell, etc.

Very few CVE’s get names dedicated to them like this, because usually when they do - it is very serious, as in this case.

can you remember what CVE-2021-44228 is without looking it up? CVE-2014-6271? CVE-2017-5753?

i bet if i told you their names, you would instantly know what vulns those are.

its easier to talk about things with names. it hurts no one. it takes approximately no effort or time.

CVEs are, for whatever reason, like the only thing on the planet that people seem to have a problem with when they receive a name. i am not sure why.

The AI generated prose screams marketing. Marketing is why there's a "Contact our Security Team" form at the bottom of the page.

It's an advertisement for their tool that found the exploit: https://copy.fail/#contact, https://xint.io/products/xint-code

Yes, originally it was to help spread awareness. Now it has become more of a gimmick I would say

Giving catchy names for bad exploits has been a thing for a while. Probably to make sure it's easy to reference and make sure you're patches as opposed to passing numbers around. Heartbleed, Shellshock, BEAST, Goto Fail, etc

It's certainly marketing, but it's prosocial: there's no scarcity of names, and "copy.fail" is much easier to remember and talk about than "CVE-2026-31431".

7.0-rc1 has a tag with it:

    % git describe a664bf3d603d
    v7.0-rc1-10-ga664bf3d603d

I suspect this means the stable 7.0 has it too.

Yes I would imagine lots of those type of services would be vulnerable if they hadn't updated to the latest kernel versions.

I just tested on my home server running ubuntu 24.04 LTS with newest kernel from repositories, got root.

This can likely be shipped as binary code without dependencies like python, as the bug is in the kernel.

There's nothing specific about this related to Python, that's just demonstrating how it works.

This is usable anywhere on an affected Kernel version

Major os vendors will publish pages with the fixed versions:

https://security-tracker.debian.org/tracker/CVE-2026-31431

https://ubuntu.com/security/CVE-2026-31431

Also, disabling algif_aead is suggested as mitigation

same result on my arch machine as well.

yes, it was reported on march 23rd, patches on april 1.

you are reading about it now because it has been patched.

    2026-03-23Reported to Linux kernel security team
    2026-03-24Initial acknowledgment
    2026-03-25Patches proposed and reviewed
    2026-04-01Patch committed to mainline
    2026-04-22CVE-2026-31431 assigned
    2026-04-29Public disclosure (https://copy.fail/)

Android is smarter than setuid + system partitions aren't writable.

I’ve poked around on my phone and it didn’t work:

    File "/data/data/com.termux/files/home/a.py", line 5, in c
      a=s.socket(38,5,0); # ...
    File "/data/data/com.termux/files/usr/lib/python3.13/socket.py", line 233, in __init__
      _socket.socket.__init__(self, family, type, proto, fileno)
      ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  PermissionError: [Errno 13] Permission denied

> This is amazing. Page says it works on RHEL 14.3, which doesn’t exist. Current RHEL is 10.x, this must’ve been done in a TARDIS.

Indeed. "Distributions we directly verified: RHEL 14.3". Directly verified by me to be AI slop (the release page at least).

https://access.redhat.com/articles/red-hat-enterprise-linux-...

> Talk to our security experts

(at the bottom of the page)

I have a sneaking suspicion his first name is Claude. Don't get me wrong though, he is pretty good I hear.

On the same line it says kernel version 6.12.0-124.45.1.el10_1. Which is RHEL 10. This is the kind of typo that humans make -- the hard to type numbers are accurate because they're cut and pasted, but the "easy" numbers have errors because they're not cut and pasted.

The page explicitly describes that it stealthy as it does not make permanent changes, only corrupting the binary in memory.

Analysis of the POC concurs with my tests that confirm that the portion of `su` that gets overwritten does not survive a reboot.

Did you try it on systems that don't have the patch already? Seems many distributions already shipped kernels with the patch ~a month ago.

Their PoC does as you say, but is built upon arbitrary modification of the page cache, which could be abused for the other things

If you can get to real UID 0 from a rootless container, you can escape it, but you do need to take extra steps. Same with it working on Alpine: the underlying vulnerability probably still exists, but the script might need some adjusting. It's a PoC, not a full exploit for every situation.

>The website claims it can escape "Kubernetes / container clusters" and "CI runners & build farms" but I don't see anything supporting the claim it can escape a container

they state that the write-up is forthcoming. presumably there is some additional steps or modifications that will be detailed in the 'part 2'.

"Next: "From Pod to Host," how Copy Fail escapes every major cloud Kubernetes platform."