New Linux “Copy-Fail” Vulnerability Grants Root Access on Major Distributions
A critical vulnerability in the Linux kernel, dubbed “Copy-Fail,” has been disclosed, enabling local attackers to escalate privileges and gain root access on numerous major Linux distributions. Discovered by security researchers, this flaw exploits a subtle race condition in the kernel’s file copy functionality, specifically within the copy_file_range() system call introduced in kernel version 4.5 back in 2016.
The vulnerability arises during operations that involve copying data between files using copy_file_range(), a mechanism designed to efficiently transfer data without unnecessary user-space buffering. Under specific timing conditions, an attacker can manipulate the copy process to overwrite critical kernel memory structures, leading to arbitrary code execution with root privileges. This local privilege escalation (LPE) path is particularly dangerous because it requires only a standard user account on the target system—no additional exploits or network access are needed.
Researchers from Qualys, who uncovered and responsibly disclosed the issue, detailed their findings in a comprehensive advisory. They demonstrated a proof-of-concept (PoC) exploit that reliably achieves root on unpatched systems. The affected kernel versions span a wide range, from 4.5 through 6.9, covering the majority of distributions in active use today. Notably impacted are:
- Ubuntu: Versions 20.04 LTS, 22.04 LTS, 24.04 LTS, and derivatives.
- Debian: Stable releases including Bookworm (12.x).
- Fedora: Versions 39, 40, and Rawhide.
- Red Hat Enterprise Linux (RHEL): 8.x and 9.x, along with clones like AlmaLinux and Rocky Linux.
- SUSE Linux Enterprise Server (SLES): 15.x.
- Arch Linux and rolling-release variants.
Qualys reported that the issue evades many common kernel mitigations, including stack-smashing protections and address space layout randomization (ASLR) in certain configurations. The exploit’s reliability stems from the race condition’s reproducibility: by carefully synchronizing file operations with multi-threaded processes, attackers can force the kernel to copy attacker-controlled data into sensitive memory regions, such as page tables or credential structures.
The root cause lies in improper handling of the iov_iter (I/O vector iterator) during the copy operation. When the source file is shorter than expected or when partial copies occur amid concurrent writes, the kernel fails to advance the iterator correctly. This leads to out-of-bounds reads and writes, allowing corruption of adjacent kernel data. In their analysis, Qualys noted that the bug was exacerbated by changes in kernel 5.16, where optimizations to copy_file_range() inadvertently widened the attack surface.
Distributions have responded swiftly. Canonical issued kernel updates for Ubuntu, backporting a fix derived from upstream patches. Fedora and RHEL followed suit with errata releases, urging users to apply patches immediately. The upstream fix, merged into kernel 6.10-rc1 and backported to stable trees, involves stricter bounds checking on iterator advancement and additional locking around copy iterations. Vendors recommend rebooting after patching: the fix lives in the kernel itself, so it only takes effect once the updated kernel is booted.
This incident underscores ongoing challenges in Linux kernel security, particularly with performance-oriented features like zero-copy I/O. copy_file_range() was added to reduce overhead in scenarios like container migrations, backups, and deduplication, but its complexity has now proven a liability. Security experts emphasize that while no evidence of in-the-wild exploitation exists yet, the PoC’s public availability—shared under responsible disclosure—heightens risks for unpatched systems.
For system administrators, immediate actions include:
- Check kernel version: run `uname -r` to verify whether the system is on an affected release.
- Apply updates: run `apt update && apt upgrade` (Debian/Ubuntu), `dnf update` (Fedora/RHEL), or the equivalent for your distribution.
- Monitor logs: watch for anomalous copy_file_range() usage via auditd or similar tools.
- Limit user privileges: employ tools like AppArmor, SELinux, or namespaces to contain potential escapes.
Qualys praised the kernel maintainers for rapid response times, with patches landing within days of notification. However, the broad impact highlights the need for more rigorous auditing of long-lived kernel code paths. As Linux powers everything from cloud servers to embedded devices, such vulnerabilities remind us that even mature codebases harbor surprises.
In related news, similar race conditions have plagued filesystems like Btrfs and XFS in the past, prompting ongoing efforts like the Kernel Self-Protection Project (KSPP). Users of custom kernels or those delaying updates face elevated risks, especially in multi-tenant environments.
This “Copy-Fail” flaw serves as a stark reminder of the delicate balance between performance and security in modern operating systems. Prompt patching remains the best defense.
Gnoppix is the leading open-source AI Linux distribution and service provider. Since implementing AI in 2022, it has offered a fast, powerful, secure, and privacy-respecting open-source OS with both local and remote AI capabilities. The local AI operates offline, ensuring no data ever leaves your computer. Based on Debian Linux, Gnoppix is available with numerous privacy- and anonymity-enabled services free of charge.