The technical analysis is clear, but framing these legacy vulnerabilities as a "new hit" is sensationalist clickbait. It serves as a decent primer for beginners while offering zero novelty to the cybersecurity community.
Deep Dive
A 2nd Vulnerability Has Hit the Linux
A second vulnerability has hit the world of Linux.
Hot on the heels of the copyfail exploit that was revealed and patched a few days ago, several other exploits have been revealed that can allow a malicious script to escalate the privileges from a normal user account to a root user.
Now, I didn't make a video on copyfail because frankly I was busy and I just didn't really have the time to get to it. So, if you're looking for a quick summary, this probably isn't the right video, but suffice it to say it's kind of a similar class of vulnerability where it allows this really short Python script, 732 bytes, to deterministically get root access on just about any Linux distro that hasn't been patched yet. And by just about any, in particular, that means any distro built between 2017 and the patch being applied.
And when was the patch applied? Well, if you scroll all the way down here, this was reported to the Linux kernel security team at the end of March, was acknowledged, patches were submitted, and at the end of April it was publicly disclosed. April 29th, public disclosure.
So, that was copyfail. What are these new ones? Well, there are two, actually.
The first is copyfail two: Electric Boogaloo.
I'm not going to go into the details of exactly what these exploits do, but they are pretty similar in nature to copyfail, where all of these essentially allow a malicious program to write data somewhere that it's not supposed to, which then allows it to do things as root.
And the second one is Dirty COW Frag.
So, let's take a look at both of these.
If you want the technical details of these, I'm going to leave the links to these posts in the description, and I'm not going to read them because frankly I'm not a screen reader and I don't really have anything of my own that's meaningful that I can add to it. If you want to read it, go read it yourself.
So, the Dirty COW disclosure has this timeline associated with it.
On April 30th, which is, notice, a day after copy.fail was publicly announced, the person who found it submitted detailed information about the vulnerability and a weaponized exploit that achieved root privileges on several major distributions to [email protected], and the same day submitted a patch for the vulnerability to the netdev mailing list. Information about this issue was published publicly.
So, note that means that on the very same day that the kernel team found out about it, the public found out about it as well.
9 hours later, someone submitted a vulnerability report with a reproducer to the security mailing list, and it took 5 days for a patch to be submitted to the netdev mailing list. And to be clear, this is an issue in the network subsystem, which is why the netdev mailing list is relevant here.
The patch was merged 3 days later.
The person who found it submitted detailed information about the vulnerability and the exploit to the Linux distros mailing list. The embargo was set to 5 days with an agreement that if a third party publishes the exploit on the internet during the embargo period, the Dirty COW exploit would be published publicly.
Unfortunately, detailed information and the exploit for this vulnerability were published publicly by some unrelated third party breaking the embargo on the very same day.
And so, of course, after that, the full document was disclosed that explains exactly what's going on.
At that point, note, the patch wasn't even merged yet. It took until the next day for the patch to be merged into the mainline and for a CVE to be assigned to this.
And the next one is also a very similar thing. Again, if you wanted to read the details about it, the links are going to be in the description.
But, the disclosure timeline here is actually even more interesting. So, again, it was found at the same time, just a day after copyfail.
However, detailed information about it was only submitted to the Linux distros mailing list on May 7th, which as of recording of this video was yesterday.
And again, the embargo was set to 5 days with the same agreement, and someone immediately broke the embargo and published things publicly.
And so, the person who reported it, as they agreed to in their disclosure, published the full information since, well, the exploit is publicly available, so might as well make information on what the issue is publicly available as well.
And today, on May 8th, a CVE was reserved for tracking this vulnerability.
And notice what's missing here. There is no timeline for the patch being merged into the mainline because it hasn't been merged into the mainline yet.
At least as of me recording this video, which to be fair is happening pretty late in the day.
So, this one is still not patched. If you are running a current Linux kernel that is up-to-date, it is vulnerable to this issue.
So, how much should you actually worry about this? Well, for most desktop users, not much. This is a privilege escalation issue, so the vulnerability is that a normal user can obtain root access when they shouldn't be able to.
However, most desktop users are running in kind of a single user mode anyway, where the single user on the machine is really trusted. So, there's not much point in exploiting a vulnerability like this because the primary user might as well be root anyway. That's where all the juicy information is that anyone might want to steal. However, if you're running a multi-tenant system or if you're a cloud host, I'd be very worried about this.
I'd definitely look into how to mitigate these issues, which are linked either in this post or on this other page as well. But, to be honest, you probably shouldn't be watching this YouTube video to figure this out if you're a big cloud hosting provider.
So, let me just update my system live and see if any patches have been actually applied yet.
And while that's running, I'd like to say that for most users that just use their Linux machine as a personal computer for themselves and they're not doing any kind of hosting, and you know, if it's at home, your machine is likely behind a router, and so it's not really exposed to the internet.
This vulnerability is interesting, and you certainly should update your system, but it's not something you really should be afraid of at this time. It's not something critical like a remote code execution vulnerability, for example, in your browser.
That would actually be dangerous because all it would take for someone to exploit you is to visit a malicious site. Whereas here, well, they need to have access to the user account on your machine anyway, which means that they have pretty much all the information they want already from you. And so, at that point, getting root doesn't really mean much. And that's it. Quick video for today. Thanks for watching. See you in 2027.