36 comments

[ 0.28 ms ] story [ 57.4 ms ] thread
For context, the author of the linked post, Sam James, is a Gentoo developer.

Anyway, this is a disaster. It was extremely irresponsible to share the exploit with the world before the distributions shipped the fix. Who knows how many shared hosting providers were hacked with this.

It's also worrying that it seems there's no communication between the kernel security team and distribution maintainers. One would hope that the former would notify the latter, but apparently it's the responsibility of whoever finds the vulnerability.

There are so many distributions that it is not possible to notify each one, unless there is some single distribution list for all.

And if you disclose to just a handful, why ignore the rest?

Fundamentally.

The disclosure is private. Meaning neither the commit messages nor any public info can leak too much information about the bug. It's usually kept rather discrete.

It is impractical for the kernel to broadcast to all its users privately.

Meaning that either a) distro maintainers should be privy to it, but where does this end?[1] or b) we have the current situation

[1] probably the top 5 distros security teams can just be copied into the private mail. Maybe the kernel security private list can forward the emails to them as well.

Problem is, every other type of communication between distros and kernel is implicit. In commit messages, patches and release notes. So it's an exceptional case.

BTW, with LLMs there's a new issue. It is now cheap to scan the kernel commit log maybe in _next and ask it to identify what could be a patch for a private disclosure. And then immediately RE the patch and exploit it on deployed kernels.

> It was extremely irresponsible to share the exploit with the world before the distributions shipped the fix.

I disagree. Exploits should pe published as soon as they are written and found vulnerabilities to have as much details as possible, because if the researchers cannot write an exploit, someone else could.

- this has the advantage of forcing upgrades as soon as possible. No more “we need to see and schedule patching”

- publishing it as soon as possible makes everyne aware of the threat

- it is a learning experience for everyone

- “responsible disclosure” was invented by lazy companies that have zero interest in fixing a problem quickly

> but apparently it's the responsibility of whoever finds the vulnerability

Aka a white hat professional which should be a prized function richly rewarded. Do you really want these things to be calcified into a government function?

> Note that for Linux kernel vulnerabilities, unless the reporter chooses to bring it to the linux-distros ML, there is no heads-up to distributions.

Why would they imply it is incumbent on the reporter to liaise with distributions? That seems to assume a high level of familiarity with the linux project. Vulnerability reporters shouldn’t be responsible for directly working with every downstream consumer of the linux kernel, what’s the limiting principal there? Should the reporter also be directly talking to all device manufacturers that use Linux on their machines?

IMO reporter did more than enough by responsibly disclosing it to linux and waiting for a patch to land.

Aren’t there people in the linux project itself with authority over and responsibility for security vulnerabilities? One would think they would be the ones notifying downstream distros…

`initcall_blacklist` is a thing.
Ubuntu has patches out, tested before and after patching.
Just for what it's worth, I just pushed an eBPF-based workaround for people who are running kernels in which AF_ALG is linked directly into the kernel and not as a module: https://github.com/Dabbleam/CVE-2026-31431-mitigation

I am running this in production right now and it mitigates the attack, with no unexpected side-effects as far as I can see.

huh somehow seeing people not using ai to work is like wow moment which i cherish a lot these days
`nosuid` and probably `nodev` should IMO be the default filesystem mount options. `/dev` is already a special devtmpfs and the initrd minimal /dev can just explicitly mount the initrd tmpfs rootfs with `dev` and `suid` if necessary.

Letting SUID binaries just "exist" anywhere is a stupendous security issue. What if you mount some external storage medium, how are you to verify that none of the SUID binaries on that block device are malicious.

Additionally, this exploit appears to only work if the user executing the SUID binary can also read the SUID binary. There's no reason for non-root users to have read on a SUID binary.

NixOS does this correctly. No SUID in the normal package installation directory `/nix/store` and no package leakage outside of that no `nosuid` can safety be used on all other mountpoints. The exception is just a single-purpose `/run/wrappers.$hash` directory that safety contains executable ONLY SUID wrappers.

Stop blaming the reporter. Start asking kernel to fix their process. Linux kernel is no longer a toy project, it has full time employees employed by various companies. They should have handled notifying distributions. Not some rando.
Look, if they namedrop specific distros in their announcement (marketing) blog post as affected, I think a heads-up before publishing that is appropriate and expected.

I don't think they would have gotten as much flame if it weren't for how the RHEL 14 mention and such were put.

This is a security company with a professional(?) communications department banking on pointing fingers at distro maintainers. We are not talking about solo security researchers or academics here.

Linus should take his trademark autistic rage where he calls other peoples code "dogshit" onto his own work for once. He likes the glory of leading the kernel development but not the responsibilitys like this.
Was not disclosed to stagex, and I expect a lot of linux distros. Thankfully we were already on kernel 7.0 so not impacted
I have checked all the servers (bookworm, bullseye) that I manage, and none of them have the algif_aead module loaded.

Seems not fatal to all non-patched systems.

Seems silly. How many distros need to be notified? There are hundreds.
That is true, but if at least the widely used ones would get notified before that would be beneficial. If they have a responsible security contact point.

- Debian

- Ubuntu

- Arch

- Amazon/Azure

- Fedora/RHEL

The most interesting exchange, related to disclosure, is this one:

https://www.openwall.com/lists/oss-security/2026/05/01/3

> Nope, sorry, we are NOT allowed to notify anyone about anything "ahead of time" otherwise we will have to tell everyone about everything. That's the only policy by which all the legal/governmental agencies have agreed to allow us to operate in, so we are stuck with it.

greg k-h

I believe this is the side effect of having upstream manage the CVE process.

The distros dont get any involvement until release, welcome to the suck.

Hyperbola GNU was save because they still use Python 3.8 for both political and stable reasons.
Welcome to AI first world, everything is about fail and repriced.
Interesting comment by Greg Kroah-Hartman when asked why the kernel team doesn't notify distros directly

> Nope, sorry, we are NOT allowed to notify anyone about anything "ahead of time" otherwise we will have to tell everyone about everything. That's the only policy by which all the legal/governmental agencies have agreed to allow us to operate in, so we are stuck with it.

I'd be interested in knowing more about that policy... Seems that there should be exceptions for the major distros.

Of course, major distros who have contracts with SLA could also pay for someone to be on the kernel security team and get a heads up like that..

What's really sad about Copy Fail is that it doesn't seem to work on Android. This is a purely bad situation for Linux.
A make-me-root bug sitting in the kernel since 2017 and the LTS branches still don't have a clean backport. That's a long window for anything running 6.12 or older