{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreid26zauhxgnvcxtdx4eexh5birk22chssxhslbpgzb3l5bn4xq6ee",
    "uri": "at://did:plc:kyxdufbi5qaljy7bxivztuhy/app.bsky.feed.post/3mlpdqruidgc2"
  },
  "path": "/blog/archives/2026/05/copy-fail-linux-vulnerability.html",
  "publishedAt": "2026-05-12T11:06:12.000Z",
  "site": "https://www.schneier.com",
  "tags": [
    "Uncategorized",
    "Linux",
    "patching",
    "vulnerabilities",
    "worst"
  ],
  "textContent": "This is the worst Linux vulnerability in years.\n\n> **TL;DR**\n>\n>   * copy.fail is a Linux kernel local privilege escalation, not a browser or clipboard attack. Disclosed by Theori on 29 April 2026 with a working PoC.\n>   * It abuses the kernel crypto API (AF_ALG sockets) plus splice() to write four bytes at a time straight into the page cache of a file the attacker does not own.\n>   * The exploit works unmodified across Ubuntu, RHEL, Debian, SUSE, Amazon Linux, Fedora and most others. No race condition, no per-distro offsets.\n>   * The file on disk is never modified. AIDE, Tripwire and checksum-based monitoring see nothing. ...\n>\n",
  "title": "Copy.Fail Linux Vulnerability"
}