Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Check your Linux servers. There's a high-severity privilege escalation bug dubbed "Copy Fail" that lets any unprivileged local user walk right into root. The exploit is only 732 bytes of code, yet it works on the mainstream distributions: Ubuntu, RHEL, Debian, and Fedora.
Here's the twist: your server hardening probably won't stop it. Most kernel mitigations (stack protectors, KASLR, SMEP/SMAP and the like) guard against memory corruption: overflows, use-after-free, bad pointers. This is a logic flaw sitting deep in the kernel's crypto subsystem. Nothing is corrupted and no mitigation fires, because the kernel is doing exactly what the code tells it to do; the code just happens to be wrong.
Even worse, it targets the "page cache." When you run a binary, the kernel does not read it off the disk every time; it maps the file's pages from the page cache, the in-memory copy of file contents it keeps around. This exploit swaps out your su or sudo binary in that in-memory copy without ever writing to the file on disk. Nothing hits the disk, so once the tampered page is dropped from the cache the change leaves no trace: a later AIDE or Tripwire run, or a forensic image of the disk, reports the system clean while the attacker has already used root.
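As an added check (example code written for this note, not part of the original post or of the exploit), the script below hashes a file twice: once through an ordinary read, which the kernel serves from the page cache, and once with dd iflag=direct, which opens the file O_DIRECT so the bytes come from the disk. The su and sudo paths are assumed defaults for the distributions named above; adjust them for your system. A mismatch means the cached copy of the file no longer matches what is on disk and is a strong signal; a match is not proof of anything. Result 2 means the filesystem refused direct I/O and the check is inconclusive.

```shell
#!/bin/sh
# Added example for this note (not the original post's or the exploit's code).
# Compares what the kernel serves from the page cache against what is on disk.

cached_hash() {
    # Ordinary read(): served from the page cache when the pages are resident.
    sha256sum -- "$1" | cut -d' ' -f1
}

direct_hash() {
    # dd iflag=direct opens the file O_DIRECT, so the blocks come from the
    # device, not the page cache. bs must be a multiple of the device's logical
    # block size; 4096 satisfies every common disk.
    dd if="$1" iflag=direct bs=4096 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Returns 0 if cache and disk agree, 1 if they differ, 2 if the filesystem
# refuses O_DIRECT (older tmpfs, some network filesystems): inconclusive.
compare_cache_vs_disk() {
    # Probe a single block first so a failing dd is not mistaken for an
    # empty file (an empty pipe would still hash to the empty-input digest).
    dd if="$1" iflag=direct bs=4096 count=1 of=/dev/null 2>/dev/null || return 2
    [ "$(cached_hash "$1")" = "$(direct_hash "$1")" ]
}

# Assumed default locations for the setuid binaries named in the note; adjust
# to your distribution. Any path that does not exist is skipped.
scan_setuid_binaries() {
    for f in /usr/bin/su /usr/bin/sudo; do
        [ -e "$f" ] || continue
        compare_cache_vs_disk "$f" && rc=0 || rc=$?
        case $rc in
            0) echo "OK        $f" ;;
            1) echo "MISMATCH  $f  (page cache differs from disk)" ;;
            2) echo "UNKNOWN   $f  (direct I/O unsupported here)" ;;
        esac
    done
}

scan_setuid_binaries
```

Run it as root so the direct read is allowed on every path, and run it while the system is live: the whole point is that the divergence exists only in memory, so a copy of the disk taken later has nothing to show.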
If you haven't applied commit a664bf3d603d and rebooted your boxes tonight, you're vulnerable. Don't trust "Livepatch" coverage either; verify it. The fix is a logic change to kernel code, and until a kernel that actually contains it is running, the box is exposed, whatever the patch status of the package sitting on disk.
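To verify that the reboot actually happened onto the updated kernel, the following added script (written for this note, not the post's own or any vendor tool) compares the running kernel against the newest kernel image installed under /boot and lists whatever livepatches the kernel reports under /sys/kernel/livepatch. The /boot/vmlinuz-<version> naming is the convention on Ubuntu, Debian, RHEL and Fedora; the livepatch directory is the kernel's standard sysfs interface. Neither check proves the Copy Fail fix is present; for that, match the running version against your distribution's advisory. What they do tell you is whether you are still running the old kernel, and whether any livepatch is loaded and enabled at all.

```shell
#!/bin/sh
# Added example for this note (not the post's own code).
# Answers two questions: "am I still running the kernel I booted before the
# update?" and "which livepatches, if any, does the kernel say are loaded?"

# Prints the highest version from its arguments, using version sort so that
# 5.15.0-100 ranks above 5.15.0-99.
newest_version() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# Returns 0 (true) when the running kernel is not the newest of the installed
# versions given, i.e. a reboot is still pending.
reboot_needed() {
    running=$1
    shift
    [ "$(newest_version "$@")" != "$running" ]
}

# Installed kernel versions, taken from the vmlinuz-<version> images in /boot.
# The RHEL/Fedora rescue image (vmlinuz-0-rescue-<id>) is not a real version.
installed_kernels() {
    for img in /boot/vmlinuz-*; do
        [ -e "$img" ] || continue
        case $img in *-rescue-*) continue ;; esac
        printf '%s\n' "${img#/boot/vmlinuz-}"
    done
}

# Loaded livepatches as the kernel reports them in sysfs; prints nothing if
# none are loaded or the kernel has no livepatch support.
loaded_livepatches() {
    for p in /sys/kernel/livepatch/*; do
        [ -d "$p" ] || continue
        printf '%s enabled=%s\n' "${p##*/}" "$(cat "$p/enabled")"
    done
}

report() {
    running=$(uname -r)
    set -- $(installed_kernels)
    if [ $# -eq 0 ]; then
        echo "no kernel images found under /boot; cannot compare"
    elif reboot_needed "$running" "$@"; then
        echo "REBOOT PENDING: running $running, newest installed $(newest_version "$@")"
    else
        echo "running kernel $running is the newest installed"
    fi
    echo "livepatches reported by the kernel (nothing below means none loaded):"
    loaded_livepatches
}

report
```

A "REBOOT PENDING" line means the package update landed but the old kernel is still in memory, which is exactly the state the post is warning about. An empty livepatch list means no livepatch is protecting you regardless of what a dashboard claims.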
Read the technical deep-dive into how Copy Fail bypasses the kernel’s memory protections.