Copy Fail 2: Electric Boogaloo

36 points by larusso 18 hours ago | 13 comments

Mindless2112 18 hours ago |
How much pain must there be until people realize we actually do need memory safety?
delamon 17 hours ago |
How would've memory safety helped here?
Mindless2112 17 hours ago |
In CHERI, for example, pointers have permissions. The pointer to the COW memory would not have the "write" permission.
I could be misunderstanding the bug, of course.
delamon 16 hours ago |
If you "forget" to mark COW memory pointer as no-write, the net effect would be same, would it not? If I'm reading the diff correctly, the problem was that code missed to mark some pages as shared (aka no-write).
Mindless2112 16 hours ago |
A fair point...
I thought the bug was a missing check for the COW flag, but looking at it again it seems it was missing both setting and checking the flag.
delamon 15 hours ago |
Apparently it is both...
tatersolid 7 hours ago |
Because “Page-cache write into any readable file” is a memory safety bug? All of these recent Linux LPEs are memory safety issues.
nonamesleft 16 hours ago |
sysctl kernel.unprivileged_userns_clone=1 keeps on giving.
sickthecat 16 hours ago |
Yes. Giving me a massive... Well.. Dopamine rush.
cassianoleal 14 hours ago |
How is this different from Dirty Frag [0]?
It seems to use the same vector.
[0] https://github.com/V4bel/dirtyfrag
auscompgeek 9 hours ago |
From what I can gather it is the exact same vulnerability.
cpach 12 hours ago |
Does anyone know how to mitigate this one? Is it sufficient to disable the esp4/esp6/rxrpc modules?
alecco 12 hours ago |
People are blaming the wrong guy for breaking the embargo but via this blog post [1]:
> on 2026-05-05 Steffen Klassert pushed f4c50a4034 to netdev/net.git with Cc: stable@vger.kernel.org.
Once the fix is out it's usual for researchers to race to make the first exploit out of it.
[1] https://afflicted.sh/blog/posts/copy-fail-2.html