[PLUG] exploit in the wild
Ben Koenig
techkoenig at protonmail.com
Fri May 1 17:12:32 UTC 2026
Yeah, wallposting can muddy the waters.
The original link seemed sketchy so I just skimmed through the details without actually running it. Looks like Russell beat the internet to this one because in the past couple days it's been popping up on a lot of blogs/forums.
If anyone wants a real link as opposed to the sales pitch from the company that found it, here are a few:
https://nvd.nist.gov/vuln/detail/CVE-2026-31431
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a664bf3d603d
Note that the NIST page references the copy.fail website people have been referring to.
-Ben
On Friday, May 1st, 2026 at 9:47 AM, George <konaprog at gmail.com> wrote:
> I can't tell what you guys are talking about. I assume you're talking about
> a virus or an exploit.
> It seems that whatever you're talking about is explained in a rando web
> link in the original interest group email. Just how many of you guys click
> links in your emails when you're researching security? (I'm kidding, after
> about four emails, I just looked it up from an independent source. Still
> not sure if I use algif_aead but I'm the only user on my network, er,...
> that I know of....)
>
>
> On Fri, May 1, 2026, 8:12 AM Ted Mittelstaedt <tedm at portlandia-it.com>
> wrote:
>
> > That may work for now however according to:
> >
> > https://xint.io/blog/copy-fail-linux-distributions
> >
> > "...The scan also identified other high severity vulnerabilities,
> > including another privilege escalation bug. These other bugs are still in
> > the responsible disclosure process."
> >
> > And we know now that from xint's POV responsible disclosure means insert
> > a patch then wait 30 days and publish a zero day.
> >
> > So this isn't going to be the only one of these rodeos. It's just the
> > first.
> >
> > Ted
> >
> > -----Original Message-----
> > From: PLUG <plug-bounces at lists.pdxlinux.org> On Behalf Of King Beowulf
> > Sent: Friday, May 1, 2026 7:46 AM
> > To: plug at lists.pdxlinux.org
> > Subject: Re: [PLUG] exploit in the wild
> >
> > On 4/30/26 17:11, Ted Mittelstaedt wrote:
> > > I can confirm that the latest apt-get update to Ubuntu 24.04 as of a few minutes ago is disabling the aead module.
> > >
> > > For an un-updated system, running python3 copy_fail_exp.py gets you a root shell. For an updated system it gets an error. For Ubuntu 26.04 it merely asks for the root password.
> > >
> > > Ted
> > >
> > >
> >
> > or run
> >
> > find / * -perm -4004 -type f -exec ls -ld {} \; > setuid.txt
> >
> > and remove 'r' flag from user, user group, and other group.
> >
> > On Slackware, most setuid root utilities are not user readable.
> >
> > # ls -l /usr/bin/sudo
> > -rws--x--x 1 root root 289800 Jul 26 2025 /usr/bin/sudo*
> > # ls -l /bin/su
> > -rws--x--x 1 root root 59552 Feb 13 2021 /bin/su*
> >
> > There are a few that are, unfortunately.
> >
> > This will mitigate the exploit until patched.
> >
> > -Ed
> >
> >
> >
> >
>
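
An added example, not part of any message in this thread: a shell audit for the two mitigations mentioned above (setuid binaries that non-owners can read, and the algif_aead module). The function names and the AUDIT_ROOT variable are assumptions; it goes beyond the quoted find one-liner by also catching group-readable files, and it defaults to a dry run.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and AUDIT_ROOT
# are assumptions made for illustration.

# List setuid regular files under $1 (default /) that group or other
# can read. -xdev stays on one filesystem, so /proc, /sys and network
# mounts are skipped. Paths containing newlines are not handled.
list_readable_setuid() {
    find "${1:-/}" -xdev -type f -perm -4000 \
        \( -perm -0040 -o -perm -0004 \) 2>/dev/null
}

# Dry run by default: print the chmod that would drop group/other read.
# Pass "apply" as $2 to change the modes (needs root on system paths).
strip_read() {
    list_readable_setuid "$1" | while IFS= read -r f; do
        if [ "${2:-}" = apply ]; then
            chmod go-r "$f" && echo "fixed $f"
        else
            echo "would run: chmod go-r $f"
        fi
    done
}

# Report whether algif_aead appears in a /proc/modules-style file
# ($1, default /proc/modules). "not-loaded" only describes the current
# state: a built-in or auto-loadable module does not show up here.
aead_module_state() {
    if grep -q '^algif_aead ' "${1:-/proc/modules}" 2>/dev/null; then
        echo loaded
    else
        echo not-loaded
    fi
}

# Run the audit only when AUDIT_ROOT is set, e.g. AUDIT_ROOT=/usr sh audit.sh
if [ -n "${AUDIT_ROOT:-}" ]; then
    strip_read "$AUDIT_ROOT"
    echo "algif_aead: $(aead_module_state)"
fi
```

Review the dry-run output before passing `apply`; some tools may rely on reading their own binary.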