
Open Source Security Mailing List
Discussion of security flaws, concepts, and practices in the Open Source community
Latest Posts
Re: CVE-2026-31431: CopyFail: linux local privilege scalation
nightmare . yeah27 (May 02)
VPSs provided by Linode/Akamai have the "option" (see below) to boot
their kernel, so that no kernel package needs even to be installed in
the image. That kernel is monolithic, and as far as I can see there
isn't a way to pass kernel options, either. As of today, the kernel
build options relevant to this bug seem to be still enabled, and
Akamai has this to say about it:
https://status.linode.com/incidents/msqh44ktjp9g
In the...
syzkaller "Reporting Linux kernel bugs" out of date
Solar Designer (May 02)
Hi,
It came up in a discussion(*) on linux-distros that these guidelines:
https://github.com/google/syzkaller/blob/master/docs/linux/reporting_kernel_bugs.md
are years out of date. They assume the good times when the Linux
kernel security team and linux-distros cooperated, and when MITRE and
distros could assign CVEs to kernel issues (so before Linux CNA).
I see this file isn't unmaintained - there are not-too-old commits
updating other...
CVE-2026-40561: Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence
Timothy Legge (May 02)
========================================================================
CVE-2026-40561 CPAN Security Group
========================================================================
CVE ID: CVE-2026-40561
Distribution: Starlet
Versions: through 0.31
MetaCPAN: https://metacpan.org/dist/Starlet
VCS Repo: https://github.com/kazuho/Starlet
Starlet versions through 0.31 for...
Re: Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Malik, Vaibhav (May 02)
Hi,
One flow link or example:
1. Userspace creates AF_ALG socket
   A program opens:
     socket(AF_ALG, SOCK_SEQPACKET, 0)
   Then binds to a crypto algorithm:
     "aead" type
     algorithm like "gcm(aes)" or "authenc(hmac(sha256),cbc(aes))"
2. Kernel resolves algorithm
   Kernel does:
     Select crypto template (authenc, gcm, etc.)
     Instantiate transformation object in crypto subsystem
     Load module if needed and it seems this is where...
Re: Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Collin Funk (May 02)
Alexander Bochmann <ab () lists gxis de> writes:
You can build GNU coreutils with './configure --with-linux-crypto' if
you want. It is disabled by default since OpenSSL was faster when it was
tested (and I assume that is still the case). AFAIK, no distributions
use it though.
Collin
Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Demi Marie Obenour (May 02)
Can you provide benchmarks showing that the accelerator is faster
than the CPU on realistic workloads?
Re: uutils coreutils CVEs
Collin Funk (May 02)
Jan wrote:
Yes, I should have probably adjusted my example:
$ mkfifo --version
mkfifo (uutils coreutils) 0.8.0
$ (umask 0; strace mkfifo -m 700 /tmp/fifo)
[...]
umask(000) = 000
umask(000) = 000
mknodat(AT_FDCWD, "/tmp/fifo", S_IFIFO|0666) = 0
chmod("/tmp/fifo", 0700)
Thanks,
Collin
Re: Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Alexander Bochmann (May 02)
...on 2026-05-02 20:05:00, Eric Biggers wrote:
> What it does break are a small set of userspace programs that made the
> shortsighted decision to use AF_ALG, instead of simply following the
> standard practice of using a userspace crypto library.
For some added fun - I noticed that Debian 13, for example,
ships an openssl build with an AF_ALG engine, so uh, yeah,
depending on how you use your userspace crypto library...
No idea...
Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Brian May (May 02)
Reid Sutherland <reid () thirddimension net> writes:
Kernel modules here are good, not bad. If everything was compiled into
the kernel it would be harder to solve this sort of security issue.
In this case, it often just meant disabling the module that often wasn't
even loaded. The only exception was if I tested the vulnerability
beforehand :-). Even then, easy to unload the module and disable it.
But I heard some enterprise kernels...
Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Greg Dahlman (May 02)
LD_PRELOAD and capabilities are not a great option due to user
namespaces, lsm limitations, etc....
Review this qualys submission from last year for an example.
https://www.openwall.com/lists/oss-security/2025/03/27/6
You should expect any UID (even nobody) to be able to gain the
privileges in their bounding set, and because some packages like LXD
remove some of the protections from above etc...
Note the Bounding set on the install user on...
Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Reid Sutherland (May 02)
This is userspace software loading an administrative driver. Not even
close to the same as physically connecting a device.
Then why is it exposed to userland? Attack surface continues to
expand.
Slightly is the wrong word to use in this recent case. It is likely
what separated the secure from vulnerable in major cloud environments.
Because I'm not invested. Clearly billions are poured into this
environment and it's all hinged on...
Re: Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Eric Biggers (May 02)
This has been covered before, but just so anyone doesn't get the wrong
impression here:
The kernel implements crypto algorithms (either as built-in code or as
modules, depending on the kconfig) so that the many kernel features that
use cryptography, such as IPsec and WireGuard that were mentioned, can
use them. This is expected; cryptography is everywhere these days.
The problem here is specifically AF_ALG, which is an additional legacy...
Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Richard Kettlewell (May 02)
I have that use case, although fortunately it's in a context where
splice() is disabled. But the requirement is for access to the SoC's
accelerator - the interface doesn't need to be via AF_ALG in particular,
it doesn't have to offer software crypto (and it might be better if it
didn't), and it needn't be independent of the specific hardware
(although in the bigger picture it'd be a shame if it...
Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Justin Swartz (May 02)
It's potentially useful for autoloading driver modules when PnP
devices are connected, which could be considered deadweight if
they were loaded, or baked into the kernel itself, when the
respective devices aren't present.
To interact with cryptographic acceleration hardware, if present or
desired, and to provide support for kernel subsystems that rely on
encryption, like IPSec or WireGuard.
I'm thoroughly unqualified, so take my...
Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Greg Dahlman (May 02)
I am sure there is some reason I can't find what I am going to mention
implemented, so sorry if this has been discussed before.
Both socket(2) and socket(3p) define and allow for EACCES, IMHO it
would be far more maintainable to leverage credentials(7)
vs capabilities(7) in this case, and it may offer a backwards
compatible solution.
I am not talking about requiring a device file with permissions, just a
method of setting constraints...
