โผ๏ธ๐จ BREAKING: An AI found a Linux kernel zero-day that roots every distribution since 2017. The exploit fits in 732 bytes of Python. Patch your kernel ASAP.
The vulnerability is CVE-2026-31431, nicknamed "Copy Fail," disclosed today by Theori. It has been sitting quietly in the Linux kernel for nine years.
Most Linux privilege-escalation bugs are picky. They need a precise timing window (a "race"), or specific kernel addresses leaked from somewhere, or careful tuning per distribution. Copy Fail needs none of that. It is a straight-line logic mistake that works on the first try, every time, on every mainstream Linux box.
The attacker just needs a normal user account on the machine. From there, the script asks the kernel to do some encryption work, abuses how that work is wired up, and ends up writing 4 bytes into a memory area called the "page cache" (Linux's high-speed copy of files in RAM). Those 4 bytes can be aimed at any program the system trusts, like /usr/bin/su, the shortcut to becoming root.
Result: the next time anyone runs that program, it lets the attacker in as root.
What should worry most: the corruption never touches the file on disk. It only exists in Linux's in-memory copy of that file. If you imaged the hard drive afterwards, the on-disk file would match the official package hash exactly. Reboot the machine, or just put it under memory pressure (any normal system load that needs the RAM), and the cached copy reloads fresh from disk.
Containers do not help either. The page cache is shared across the whole host, so a process inside a container can use this bug to compromise the underlying server and reach into other tenants.
The original sin was a 2017 "in-place optimization" in a kernel crypto module called algif_aead. It was meant to make encryption slightly faster. The change broke a critical safety assumption, and nobody noticed for nine years. That bug then rode every kernel update from 2017 to today.
This vulnerability affects the following:
๐ด Shared servers (dev boxes, jump hosts, build servers): any user becomes root
๐ด Kubernetes and container clusters: one compromised pod escapes to the host
๐ด CI runners (GitHub Actions, GitLab, Jenkins): a malicious pull request becomes root on the runner
๐ด Cloud platforms running user code (notebooks, agent sandboxes, serverless functions): a tenant becomes host root
Timeline:
๐ด March 23, 2026: reported to the Linux kernel security team
๐ด April 1: patch committed to mainline (commit a664bf3d603d)
๐ด April 22: CVE assigned
๐ด April 29: public disclosure
Mitigation: update your kernel to a build that includes mainline commit a664bf3d603d. If you cannot patch immediately, turn off the vulnerable module:
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true
For environments that run untrusted code (containers, sandboxes, CI runners), block access to the kernel's AF_ALG crypto interface entirely, even after patching. Almost nothing legitimate needs it, and blocking it shuts the door on this whole class of bug...
๐จ Ransomware Alert: ๐ฎ๐ฉ
Directorate General of Customs and Excise (https://t.co/sylazkXPec), an Indonesian-Based Government Administration Platform, has reportedly fallen victim to the Everest ransomware group.
๐ NB: The group intends to publish it within 7-8 days.
๐ Key Details:
๐ฅ Threat Actor: Everest
๐ Reported on: 29-04-2026
๐ฆ Data Compromised: 44.86 GB
Habis ditodong sama orang pajak dengan aturan yg dibuat2 membuat gw semakin yakin untuk mulai memindahkan Toge Productions ke negara lain.
Saya sudah berusaha memajukan industri game Indonesia selama 17 tahun, tapi sepertinya harapan saya sudah pupus. Iโve tried my best.
Jumbo 4 Juta ! Dan bukan nggak mungkin bisa tembus 6 Juta!
Nggak pernah kebayang animasi indonesia bener-bener di rayakan seJUMBO ini.
Udah saatnya animasi dipandang setara sama film-film lainnya.
Jumbo layak masuk ke berbagai kategori di FFI, bukan cuma "kategori animasi".
NEW TRUTH SOCIAL FROM PRESIDENT TRUMP:
๐จ๐ณ125% TARIFF ON CHINA
๐90-DAY PAUSE & LOWERED 10% RECIPROCAL TARIFF FOR OTHER COUNTRIES
๐จEFFECTIVE IMMEDIATELY
โForgive me, mother. This is the path I choseโto help people.โ
These were the last words of Rifaat Radwan, who filmed his own murder in Rafah. He was part of a Red Crescent convoy aiding wounded civilians. The convoyโclearly marked, unarmed, with flashing lightsโwas attacked on March 23, 2025.
For five days, the UN and Red Crescent were denied access to search for the missing rescue workers. When granted entry, they found 15 rescuers buried in a mass grave. The UN and Red Cross have called it the deadliest assault on their workers since 2017.
On April 2, the IDF stated that on March 23, โseveral vehicles were identified advancing suspiciously toward IDF troops without headlights or emergency signals,โ and their movement wasnโt coordinated in advance, prompting troops to open fire on these โsuspected vehicles.โ
However, the paramedicโs video, recovered from his body and verified by The New York Times, shows the convoyโs emergency lights were on, contradicting the IDFโs claim and proving their account of the attack was a lie.