Detecting Copy Fail Linux Vulnerability Agentlessly with Sandfly
Published: 2026-5-6 04:49:51 Author: sandflysecurity.com

Sandfly Blog

“Copy Fail” is a privilege escalation vulnerability in the Linux kernel disclosed on April 29, 2026. This vulnerability affects nearly all Linux distributions since 2017. It allows any user to easily and reliably gain root privileges on Linux. For more information on the vulnerability, see:

Copy Fail

Sandfly analyzed this exploit and has created a detection module for identifying these “mysteriously elevated” processes on Linux. Customers can access the detection rule here:

Sandfly Preview Modules

Customers can add the new sandfly detection using the following steps:

Adding Custom Sandfly

We will include this rule in our next general update.

How Copy Fail Detection Works

If a parent process is not running as (or started by) root, and a child process is running as root, there should be a chain of evidence showing which privileged process performed the escalation. For instance, if you run a command using sudo on Linux, the process tree will show the command and, as its parent, the sudo process with the SUID or CAP_SETUID privilege that did it.

The Copy Fail exploit, however, goes from a simple unprivileged process straight to a child with root privileges, without any intermediary SUID or CAP_SETUID process that should have assisted. This is extremely suspicious on Linux and indicates that a privilege escalation exploit has likely occurred.

Processes elevated to root by the Copy Fail vulnerability fall into this category, and we suspect this detection technique can also identify processes elevated from unprivileged users by malicious kernel modules and by not-yet-found or future vulnerabilities. This detection rule fits our philosophy of looking for attack tactics and has wider potential use than just Copy Fail.
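As an added illustration (not Sandfly's module or code), the heuristic above written as a walk of /proc: a process running as root is flagged when its parent is unprivileged and neither a setuid-root executable nor a CAP_SETUID-holding parent accounts for the jump. It assumes the rule reduces to those three fields, and the SAMPLE process table is constructed for the example.

```python
import os
import stat
from dataclasses import make_dataclass

CAP_SETUID = 7  # bit number of CAP_SETUID in the CapEff mask (linux/capability.h)
# pid/ppid/euid come from /proc/<pid>/status ("Pid:", "PPid:", 2nd field of "Uid:"),
# cap_eff from its hex "CapEff:" mask, exe_suid_root from a stat() of /proc/<pid>/exe.
Proc = make_dataclass("Proc", ["pid", "ppid", "euid", "cap_eff", "exe_suid_root"])

def parse_status(text, exe_suid_root=False):
    """Build a Proc from the text of /proc/<pid>/status."""
    f = {k: v.split() for k, _, v in (ln.partition(":") for ln in text.splitlines())}
    return Proc(int(f["Pid"][0]), int(f["PPid"][0]), int(f["Uid"][1]),
                int(f["CapEff"][0], 16), exe_suid_root)

def find_unexplained_root(procs):
    """Pids running as root whose parent is unprivileged and whose elevation is not
    accounted for by a setuid-root binary (sudo, su) or a CAP_SETUID-holding parent."""
    hits = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if p.euid != 0 or parent is None or parent.euid == 0:
            continue  # not root, no visible parent, or the parent was already root
        if not (p.exe_suid_root or (parent.cap_eff >> CAP_SETUID) & 1):
            hits.append(p.pid)
    return sorted(hits)

def read_live_table():
    """Collect the same fields from a running Linux system. Run it as root: unprivileged,
    other users' exe links are unreadable and SUID helpers such as sudo get flagged."""
    procs = {}
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{name}/status") as fh:
                p = parse_status(fh.read())
        except OSError:
            continue  # the process exited while we were scanning
        try:
            st = os.stat(f"/proc/{name}/exe")  # fails for kernel threads and unreadable exe links
            p.exe_suid_root = st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)
        except OSError:
            pass  # treated as not SUID
        procs[p.pid] = p
    return procs

# Constructed sample: init, a user shell, a sudo session and its command, and a root
# child of the user shell that no SUID binary or CAP_SETUID parent accounts for.
SAMPLE = {p.pid: p for p in (
    Proc(1, 0, 0, 0x1ffffffffff, False), Proc(1000, 1, 1000, 0, False),
    Proc(1001, 1000, 0, 0x1ffffffffff, True), Proc(1002, 1001, 0, 0x1ffffffffff, False),
    Proc(2000, 1000, 0, 0x1ffffffffff, False))}
```

On a live host, `find_unexplained_root(read_live_table())` returns the pids to investigate; a process reparented to init after its real parent exited will not be flagged because init runs as root.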

Find Copy Fail Today

We welcome Sandfly Professional and Air Gapped users to scan their networks with this sandfly and report their experiences (false positives, detections of legitimate uses of the vulnerability, etc.).

If you don’t have Sandfly, a 14-day trial of Sandfly Professional is available below:

Get Sandfly



Article source: https://sandflysecurity.com/blog/detecting-copy-fail-linux-vulnerability-agentlessly-with-sandfly