oss-sec mailing list archives
Re: CVE-2026-31431: CopyFail: linux local privilege scalation
From: Simon McVittie <smcv () debian org>
Date: Sun, 3 May 2026 12:00:20 +0100
On Sat, 02 May 2026 at 14:21:57 -0600, Greg Dahlman wrote:
LD_PRELOAD and capabilities
These seem orthogonal, rather than being part of the same idea.LD_PRELOAD is discretionary (cooperative) so it would only be useful if used in a design something like this:
- at the kernel level, AF_ALG just doesn't work (fails with a permission-related error), at least for unprivileged processes - but in user-space, an opt-in LD_PRELOAD module intercepts the socket(), etc. calls for AF_ALG, and emulates the behaviour of current kernels by calling into a user-space crypto libraryIt can't be a security boundary, but it can be a mitigation for the regressions that a new security boundary (or complete feature removal) would otherwise cause, similar to the way LD_PRELOADs like aoss and padsp mitigated the regressions for older binaries when distro kernels disabled OSS audio.
Meanwhile capabilities are a way to let trusted, privileged processes have access to things that unprivileged processes do not, for example making AF_ALG available to a few system services that need it but not available to all of user-space.
You should expect any UID (even nobody) to be able to gain the privileges in their bounding set
The kernel can distinguish between "CAP_FOO in the init namespace" and "CAP_FOO in any other userns" if it wants to, and some kernel features are already gated by having a capability in the init namespace specifically. For example CAP_SYS_ADMIN in the init namespace allows mounting block-device-backed filesystems like ext4, but CAP_SYS_ADMIN in a different userns only allows a few "safe" mount operations (bind-mounts, overlayfs, FUSE).
smcv
Current thread:
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation, (continued)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Demi Marie Obenour (May 01)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Eric Biggers (May 01)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Demi Marie Obenour (May 01)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Eric Biggers (May 01)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Demi Marie Obenour (May 02)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Eric Biggers (May 02)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Eric Biggers (May 02)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Demi Marie Obenour (May 02)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Greg Dahlman (May 02)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Greg Dahlman (May 02)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Simon McVittie (May 03)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Greg Dahlman (May 03)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Milan Broz (May 04)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Demi Marie Obenour (May 04)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Eric Biggers (May 04)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Milan Broz (May 04)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Richard Kettlewell (May 02)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Demi Marie Obenour (May 02)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Peter Gutmann (May 03)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Paul Ducklin (May 03)
- Re: CVE-2026-31431: CopyFail: linux local privilege scalation Richard Kettlewell (May 04)
