
Open Source Security Mailing List
Discussion of security flaws, concepts, and practices in the Open Source community
List Archives
| Year | Jan–Mar | Apr–Jun | Jul–Sep | Oct–Dec |
|------|---------|---------|---------|---------|
| 2026 | 431 | 350 | – | – |
| 2025 | 262 | 289 | 251 | 361 |
| 2024 | 358 | 314 | 293 | 183 |
| 2023 | 220 | 284 | 269 | 356 |
| 2022 | 212 | 220 | 239 | 273 |
| 2021 | 281 | 236 | 193 | 182 |
| 2020 | 131 | 219 | 211 | 241 |
| 2019 | 199 | 237 | 257 | 176 |
| 2018 | 287 | 256 | 284 | 279 |
| 2017 | 701 | 658 | 596 | 437 |
| 2016 | 738 | 637 | 689 | 788 |
| 2015 | 1068 | 839 | 658 | 618 |
| 2014 | 714 | 711 | 886 | 1185 |
| 2013 | 777 | 648 | 688 | 583 |
| 2012 | 815 | 578 | 591 | 549 |
| 2011 | 640 | 738 | 550 | 591 |
| 2010 | 291 | 376 | 465 | 383 |
| 2009 | 250 | 264 | 272 | 304 |
| 2008 | 206 | 390 | 402 | 358 |
Latest Posts
Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Greg Dahlman (May 02)
LD_PRELOAD and capabilities are not a great option due to user
namespaces, lsm limitations, etc....
Review this qualys submission from last year for an example.
https://www.openwall.com/lists/oss-security/2025/03/27/6
You should expect any UID (even nobody) to be able to gain the
privileges in their bounding set, and because some packages like LXD
remove some of the protections from above etc...
Note the Bounding set on the install user on...
Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Reid Sutherland (May 02)
This is userspace software loading an administrative driver. Not even
close to the same as physically connecting a device.
Then why is it exposed to userland? Attack surface continues to
expand.
Slightly is the wrong word to use in this recent case. It is likely
what separated the secure from vulnerable in major cloud environments.
Because I'm not invested. Clearly billions are poured into this
environment and it's all hinged on...
Re: Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Eric Biggers (May 02)
This has been covered before, but just so anyone doesn't get the wrong
impression here:
The kernel implements crypto algorithms (either as built-in code or as
modules, depending on the kconfig) so that the many kernel features that
use cryptography, such as IPsec and WireGuard that were mentioned, can
use them. This is expected; cryptography is everywhere these days.
The problem here is specifically AF_ALG, which is an additional legacy...
Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Richard Kettlewell (May 02)
I have that use case, although fortunately it's in a context where
splice() is disabled. But the requirement is for access to the SoC's
accelerator - the interface doesn't need to be via AF_ALG in particular,
it doesn't have to offer software crypto (and it might be better if it
didn't), and it needn't be independent of the specific hardware
(although in the bigger picture it'd be a shame if it...
Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Justin Swartz (May 02)
It's potentially useful for autoloading driver modules when PnP
devices are connected, which could be considered deadweight if
they were loaded, or baked into the kernel itself, when the
respective devices aren't present.
To interact with cryptographic acceleration hardware, if present or
desired, and to provide support for kernel subsystems that rely on
encryption, like IPSec or WireGuard.
I'm thoroughly unqualified, so take my...
Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Greg Dahlman (May 02)
I am sure there is some reason I can't find what I am going to mention
implemented, so sorry if this has been discussed before.
Both socket(2) and socket(3p) define and allow for EACCES; IMHO it
would be far more maintainable to leverage credentials(7)
vs capabilities(7) in this case, and it may offer a backwards
compatible solution.
I am not talking about requiring a device file with permissions, just a
method of setting constraints...
CVE-2026-42812: Apache Polaris: No protection on `write.metadata.path`
Jean-Baptiste Onofré (May 02)
Severity: important
Affected versions:
- Apache Polaris before 1.4.1
Description:
In Apache Iceberg, the table's metadata files are control files: they tell readers
which data files belong to the table and which table version to read.
`write.metadata.path` is an optional table property that tells Polaris
where to write those metadata files.
For a table already registered in a Polaris-managed catalog, changing
only that property...
CVE-2026-42811: Apache Polaris: In plain terms, Polaris is supposed to issue short-lived GCS credentials that only work for one table's files, but a crafted namespace or table name can cause those credentials to work across the configured bucket instead.
Jean-Baptiste Onofré (May 02)
Severity: important
Affected versions:
- Apache Polaris before 1.4.1
Description:
In plain terms, Apache Polaris is supposed to issue short-lived GCS
credentials that only work for one table's files, but a crafted namespace
or table name can cause those credentials to work across the configured
bucket instead.
Apache Polaris builds Google Cloud Storage downscoped credentials by creating a
Credential Access Boundary (CAB) with CEL...
CVE-2026-42810: Apache Polaris: Polaris accepts literal `*` characters in namespace and table names. When it later builds temporary S3 access policies for delegated table access, those same characters appear to be reused unescaped in S3 IAM resource patterns and `s3:prefix` conditions.
Jean-Baptiste Onofré (May 02)
Severity: important
Affected versions:
- Apache Polaris before 1.4.1
Description:
Apache Polaris accepts literal `*` characters in namespace and table names.
When it later builds temporary S3 access policies for delegated table
access, those same characters appear to be reused unescaped in S3 IAM
resource patterns and `s3:prefix` conditions.
In S3 IAM policy matching, `*` is treated as a wildcard rather than as
ordinary text. That means...
CVE-2026-42809: Apache Polaris: An authenticated low-privileged user can abuse Polaris staged table creation to mint broad temporary storage credentials for an attacker-chosen location before Polaris validates that location
Jean-Baptiste Onofré (May 02)
Severity: important
Affected versions:
- Apache Polaris before 1.4.1
Description:
Apache Polaris can issue broad temporary ("vended") storage credentials
during staged table creation before the effective table location has been
validated or durably reserved.
Those temporary credentials are meant to limit the scope of accessible
table data and metadata, but this scope limitation becomes
attacker-directed because the attacker can...
Re: uutils coreutils CVEs
Jan Schaumann (May 02)
Collin Funk <collin.funk1 () gmail com> wrote:
Minor difference, and not disputing the race condition
here, but doesn't this initially yield a fifo with
mode 664, not 666 due to the umask(002) right before?
I.e., not _world_ writable (although _group_ writable),
even prior to chmod(2).
-Jan
Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Demi Marie Obenour (May 02)
Can AF_ALG be emulated using LD_PRELOAD? That would allow it to be
eliminated from the kernel much more quickly, as one would not need
to get rid of all of its existing users. It would even work for those
who need AF_ALG because of closed source binaries, who otherwise will
have no alternative other than running an old kernel in a VM.
Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Eric Biggers (May 02)
And just to make sure no one gets the wrong impression: just because
there seem to be ways in which the attack surface of AF_ALG could/should
be reduced doesn't mean that userspace should keep using it (or even
worse, start to use it). Fixing programs like iwd needs to proceed
concurrently, so that eventually (some years down the line) the problem
can finally be fully solved by removing AF_ALG from the kernel source.
- Eric
Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Eric Biggers (May 02)
The kernel's crypto library
(https://docs.kernel.org/crypto/libcrypto.html) does greatly simplify a
lot of kernel code that needs to use crypto algorithms. Yes, AF_ALG
doesn't use it directly yet. Currently AF_ALG puts all the data in
(zero-copy) scatterlists, then invokes the "traditional crypto API"
which is very complex and has full scatterlist support, asynchronous
execution support, an algorithm template system, etc....
Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Reid Sutherland (May 02)
Why is userspace allowed to load modules in any capacity? Why do we
need kernel modules for math?
I'm assuming any thoroughly qualified platform engineer compiles the
host kernel without module support. At least, that needs to make a
comeback, bring back applying grsec patches and make menuconfig..
I just finished defending the kernel on LinkedIn too, in that kernel
exploit attack surface is a non-issue if you trust how it's...
