copy.fail (CVE-2026-31431): Linux 内核漏洞引发的广泛安全隐患
Linux 内核中发现了一个名为 copy.fail 的漏洞 (CVE-2026-31431),该漏洞可能允许未经授权的用户在大多数现代 Linux 发行版上获得 root 权限,且不会在磁盘上留下任何痕迹。
该漏洞利用了 AF_ALG sockets 和 splice() 函数,通过在内核页缓存中写入数据来篡改二进制文件。
即使启用了 Kubernetes 的安全策略,该漏洞也难以防御,并使得共享基础设施上的容器和虚拟机面临潜在风险。
漏洞的发现过程突显了自动化代码分析工具在发现内核漏洞方面的作用日益增强,预示着未来安全审计和攻击的成本将发生变化。
查看原文开头(英文 · 仅前 3 段)
copy.fail is a Linux kernel local privilege escalation disclosed on 29 April 2026. It works on nearly every modern distribution, leaves no on-disk trace, and slips past Kubernetes' default seccomp. Why it matters and what to do.
The new domain at copy.fail looks like a slick browser exploit demo. It is not. The site is the public disclosure page for CVE-2026-31431, a Linux kernel local privilege escalation that landed on 29 April 2026 and that you should care about even if you do not personally run a Linux server. The name is a pun on the underlying defect: the kernel's in-place AEAD copy fails to protect page-cache integrity. The consequence is that any unprivileged local user on a vulnerable kernel can become root on most Linux distributions shipped since 2017, leaving no trace on disk for file-integrity tooling to find.
I want to walk through why this matters for hosting, Kubernetes, CI/CD and ordinary developer laptops, and what makes copy.fail different from the long line of similar bugs that came before it.
※ 出于版权考虑,仅引用前 3 段。完整内容请阅读原文。