computer-science

Copy Fail 2: Electric Boogaloo

Hacker News · May 8, 2026, 4:00 AM

Key takeaways

Unprivileged Linux LPE via xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path.
Bug: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4
PAM nullok accepts the empty password silently — no input needed.

Unprivileged Linux LPE via xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path. Page-cache write into any readable file. Overwrites a nologin line in /etc/passwd with sick::0:0:...:/:/bin/bash and sus into it. Same class as Copy Fail (CVE-2026-31431), different subsystem.

Bug: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4

sudo apt install -y libssl-dev gcc gcc -O2 -Wall copyfail2.c -o copyfail2 -lcrypto gcc -O2 -Wall aa-rootns.c -o aa-rootns Run ./run.sh # install + drop into root shell ./run.sh --clean # revert /etc/passwd via the same primitive Adds passwordless uid-0 user sick to /etc/passwd, then exec su - sick. PAM nullok accepts the empty password silently — no input needed. The sick line stays in /etc/passwd — re-run drops straight back into root. State for --clean is stashed at /var/tmp/.cf2.state.

Article preview — originally published by Hacker News. Full story at the source.

Read full story on Hacker News → More top stories

Aggregated and edited by the Scoop newsroom. We surface news from Hacker News alongside other reporting so you can compare coverage in one place. Editorial policy · Corrections · About Scoop

Copy Fail 2: Electric Boogaloo

Key takeaways

More in computer-science