Copy Fail: From Pod to Host
Copy Fail is a new Linux vulnerability that allows attackers to escape containers and gain root access. It exploits a kernel memory corruption flaw without injecting code, making it particularly dangerous. The vulnerability enables controlled writes to the Linux page cache, allowing for the manipulation of files and potential backdoor access to co-located pods.
- Copy Fail is identified as CVE-2026-31431 and is a local-privilege escalation vulnerability.
- The exploit allows attackers to rewrite cached contents of files on a Linux filesystem, including setuid binaries like 'su'.
- There are two main attack scenarios: cross-container poisoning and container escape, both leveraging the shared page cache across containers.
A walkthrough of Copy Fail (CVE-2026-31431) as a container escape primitive: from a 4-byte page cache write to host root on Kubernetes.
Juno Im, May 19, 2026
Contents:
- Why the Page Cache Crosses Container Boundaries
- Scenario 1: Cross-Container Poisoning
- 1-1: Compromised pod sharing a base layer
- 1-2: Pod creation rights
- Scenario 2: Container Escape
- Detection and Mitigation
- Community PoCs
Two weeks ago, we disclosed Copy Fail, a new and exceptionally dangerous Linux local-privilege escalation vulnerability. Copy Fail exploits a kernel memory corruption flaw without injecting code into a running kernel, which makes it small and unusually portable.
…