CopyFail Was Not Disclosed to Distros

https://www.openwall.com/lists/oss-security/2026/04/30/10
42•ori_b•1h ago

Comments

xeeeeeeeeeeenu•13m ago
For context, the author of the linked post, Sam James, is a Gentoo developer.

Anyway, this is a disaster. It was extremely irresponsible to share the exploit with the world before the distributions shipped the fix. Who knows how many shared hosting providers were hacked with this.

It's also worrying that it seems there's no communication between the kernel security team and distribution maintainers. One would hope that the former would notify the latter, but apparently it's the responsibility of whoever finds the vulnerability.

shimman•10m ago
Expecting people to do the right thing is a fundamental issue here. Why would you ever expect all vulnerabilities to be disclosed privately? There's very little actual incentive to do this.

I'm honestly unaware of what systems could be put in place to prevent this but expecting people to always do the right thing is fantasy level thinking. I mean I bet the disclosers that they would during the right thing, hence why it's a bad thing to rely on.

baggy_trough•8m ago
Why wouldn't the Linux security team notify the main Linux distributions?

ectospheno•10m ago
The Bleeping Computer link below mentions a potential remedy until a patch is ready.

https://www.bleepingcomputer.com/news/security/new-linux-cop...

jayofdoom•6m ago
This workaround only applies to kernels with the impacted code compiled as a module. RHEL, Fedora, and Gentoo (we use a modified Fedora config) all are configured to build this in directly. Without a patch or config change (as Sam from Gentoo was alluding to), those distributions remain vulnerable.

holowoodman•5m ago
The potential remedy doesn't work on Red Hat and derivatives because the affected code is not a module there but statically compiled in.

semiquaver•5m ago
> Note that for Linux kernel vulnerabilities, unless the reporter chooses to bring it to the linux-distros ML, there is no heads-up to distributions.

Why would they imply it is incumbent on the reporter to liaise with distributions? That seems an excessively high level of familiarity with the internal structure of Linux to assume. Reporter did more than enough by responsibly disclosing it to Linux and waiting for a patch to land.

Aren’t there people in the Linux project itself with authority over and responsibility for security vulnerabilities? One would think they would be the ones notifying downstream distros…
