Brian Pak

Funny enough, Xint *did* find it as well. It was just buried in many other bugs that we didn't get to triage / report manually yet. Interesting part is that it's auto-triaged not as important as Copy Fail bug because it needed user namespace (which requires root in Ubuntu), and didn't reason about chaining RxRPC. Definitely needs some work on our auto-triager + exploit technique skillz.

We’re grateful to the kernel security team and everyone working hard on patches. Looking ahead, we’re sure Xint and our researchers will uncover many more critical vulnerabilities. We’ll try our best next time to create less chaos for folks. Happy to discuss improvements openly. Thanks for reading. Let’s keep making Linux stronger together. 🙏

Hey everyone. We’ve seen the discussions around Copy Fail (CVE-2026-31431) and the disclosure process. We appreciate the passion from distro maintainers, defenders, and the broader Linux community. This is a serious issue, and we want to share some context on our side in good faith. 🧵

Some have also raised concerns about us releasing the exploit publicly. We have experience writing N-day exploits and know that monitoring git commits for fixes is common practice in offensive security. Attackers were likely already aware and exploiting this within the a few days after the kernel fix landed. With AI coding tools today, turning a CVE plus commit into a working exploit happens in hours anyway.

interestingly, not fuzzing. xint code reviews the code, reasons about potential vulnerabilities, and validates the theory, all in static analysis fashion. it is possible to hook up with the dynamic testing to be even more certain about the validation; but it already does pretty good job of weeding out false positives.

and yes, RHEL 14.3 doesn't exist 😅 We meant to say RHEL 10.1. Sorry for the confusion! And also yes, the static webpage https://t.co/RgEXCiqzE5 -- even the logo -- is vibe-coded. Too busy triaging shit ton of other bugs to build a legit website ground up.. and i think it's a perfect use case of vibecoding tbh 😆