[PLUG] exploit in the wild
Ted Mittelstaedt
tedm at portlandia-it.com
Fri May 1 00:11:57 UTC 2026
I can confirm that the latest apt-get update to Ubuntu 24.04 as of a few minutes ago is disabling the aead module.
For an un-updated system, running python3 copy_fail_exp.py gets you a root shell. For an updated system it gets an error. For Ubuntu 26.04 it merely asks for the root password.
Ted
-----Original Message-----
From: PLUG <plug-bounces at lists.pdxlinux.org> On Behalf Of Russell Senior
Sent: Thursday, April 30, 2026 5:10 PM
To: Portland Linux/Unix Group <plug at lists.pdxlinux.org>
Subject: Re: [PLUG] exploit in the wild
I am just going to alias sudo to the exploit script.
On Thu, Apr 30, 2026 at 4:39 PM Ted Mittelstaedt <tedm at portlandia-it.com>
wrote:
> Ubuntu's servers are now offline with a 503 Service Unavailable -
> probably as a result of
>
> https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available
>
> Maybe they will come back by the time you read this but as of 4:38PM
> PST they are offline.
>
> Fortunately the Internet Archive crawled the page, it's here:
>
>
> https://web.archive.org/web/20260430191621/https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available
>
> TLDR: No recompiled kernel available at this time, they are "fixing"
> it by the same fix - disabling the kernel module - that's already been
> discussed.
>
> Ted
>
> -----Original Message-----
> From: PLUG <plug-bounces at lists.pdxlinux.org> On Behalf Of Ted
> Mittelstaedt
> Sent: Thursday, April 30, 2026 4:02 PM
> To: 'Portland Linux/Unix Group' <plug at lists.pdxlinux.org>
> Subject: Re: [PLUG] exploit in the wild
>
> I don't believe in luck. If it wasn't advanced, they waited to inform
> the main kernel devs until they were close enough to the Ubuntu 26
> release yet far enough out that they could just slip in the patch and it would be
> included in 26. It's just way too "coincidental" and "lucky" that it
> happened that way since Ubuntu is the largest distro.
>
> The second this patch was slipped into the kernel the approving
> developer would have immediately recognized the significance and known
> there would be a complete shit show once it was announced. I assume
> that was Linus himself and you better believe he would have informed a
> few people at Canonical and RedHat and a few other places via his
> little secret back channels. Canonical had a month to release a
> kernel patch for 24.04 and 22.04 but they obviously waited so as to
> not tip off anyone. Why they
> haven't immediately released kernel updates for those distros is
> because they are not above using Zero days to push people into
> upgrading. I'm also betting an update will quietly appear for Pro
> before it appears for the community stuff.
>
> These "security researchers" absolutely monetize these things. The
> particular one who found this will get his invite to the next White
> Hat conference and will go and make his presentation then someone, like
> Oracle or RedHat or someone like that will slap down a $500k yearly
> employment contract in front of him, if that already hasn't happened.
>
> If he had waited a few weeks then it would have been too late for
> Ubuntu to ship and it would have been egg on Canonical's face and they
> would have been pissed - and he would certainly not have gotten any employment
> contract from them. You don't deliberately make enemies of the largest
> Linux distro unless you are really stupid.
>
> The business of breaking into computers is a dirty business. You and
> I both do this but I like to think that we are the whitest of the
> white knights since we are merely taking control of our own stuff away
> from networking companies who have no business with their fingers in
> our routers. And we don't do this to stuff we don't own nor is anything we
> publish usable for malcontents to do this to other people. But we can
> still smell the stink of it even as removed as we are.
>
> There's going to be a lot of people hurt by this one. And claiming
> that they deserved it because they weren’t updating is victim-blaming
> no better than blaming the woman who got raped for wearing a short skirt.
>
> Spin it how you like but this entire thing stinks. And incidentally
> the Canonical servers right now are melting down as I'm observing by
> running apt-update...very very slow right now.
>
> Ted
>
> -----Original Message-----
> From: PLUG <plug-bounces at lists.pdxlinux.org> On Behalf Of Russell
> Senior
> Sent: Thursday, April 30, 2026 7:13 AM
> To: plug at lists.pdxlinux.org
> Subject: Re: [PLUG] exploit in the wild
>
>
>
> On 4/30/26 06:42, Ted Mittelstaedt wrote:
> > Note that Ubuntu 26.04 was released on the 23rd of April, and it's
> > NOT vulnerable. I suspect that there is a connection here and that
> > the 26.04 release date was Advanced.
>
> I don't think the Ubuntu 26.04 release schedule was advanced. The
> release date is consistent with past releases, see here:
>
> https://documentation.ubuntu.com/project/release-team/list-of-releases/
>
> The reason it isn't vulnerable is that the fix got into v7.0 and (I'm
> not sure of the Ubuntu policy, but guessing) because v7.0 was released
> before Ubuntu 26.04 was released, they went with it.
>
> The thing that kind of surprises me is that the major distributions
> didn't have the fix in by the disclosure day. ArchLinux was also not
> vulnerable, if you update reasonably regularly because they stay
> pretty close to upstream stable kernels and so had the fix as a matter
> of course. Debian and Ubuntu (and Fedora?) seem to have been caught a bit flat footed.
>
> The thing I haven't seen reported yet is: "are non-x86/ architectures
> also affected?" You would guess so, since this was apparently a
> logical error, but the published python script exploit doesn't work on
> them to test, and I haven't seen anyone say. An exploit tuned for ARM might.
>
> --
> Russell Senior
> russell at pdxlinux.org
>
>
>