May 1st, 2026 - Canonical’s web infrastructure is under a sustained, cross-border attack and we are working to address it. We will provide more information in our official channels as soon as we are able to.
I tried accessing Ubuntu's security page and did get a brief glimpse. The threat appears to require a bad player to have physical access to a machine in order to carry out this attack, which should suggest home users do not have an issue. I suspect where it is a threat would be on a network, connected to a Linux server. The article also mentions a WordPress vulnerability and WSL (the latter had a security flaw in its first iteration), which potentially affects Windows users running GNU/Linux using WSL (Windows Support (for) Linux).
I do feel Ars Technica have gone overkill on this.
A wag on Reddit posted that the company raising the vulnerability is an A.I. company always promoting its wares.
"CVE-2026-31431, nicknamed "Copy Fail", is a critical local privilege escalation vulnerability in the Linux kernel's algif_aead cryptographic interface. Discovered by Theori researcher Taeyang Lee and scaled by the Xint Code Research Team, this logic flaw allows any unprivileged local user to gain root access on virtually all major Linux distributions (including Ubuntu, RHEL, Amazon Linux, and SUSE) that have been shipped since 2017.
The vulnerability stems from an optimization introduced in August 2017 (commit 72548b093ee3) that switched AEAD operations to in-place processing. This change inadvertently allowed the kernel to chain tag pages from the source scatterlist into the output scatterlist. When a user feeds an AF_ALG socket through the splice() syscall, these tag pages reference the page cache of the spliced file. Consequently, a four-byte write intended for cryptographic scratch space can corrupt the page cache of any readable file, including setuid binaries like /usr/bin/su.
Key details of the vulnerability include:
Exploit Simplicity: The flaw can be exploited using a 732-byte Python script (Python 3.10+, stdlib only) that requires no race conditions, kernel offsets, or distribution-specific tuning.
Reliability: Unlike previous exploits such as Dirty Pipe (CVE-2022-0847), Copy Fail is a straight-line logic error that triggers reliably across different kernel versions and distributions.
Affected Versions: The vulnerability affects Linux kernel versions 4.14 through 7.0-rc, specifically all 6.18.x versions prior to 6.18.22 and 6.19.x prior to 6.19.12. Older LTS lines (e.g., 6.12.x, 6.6.x) are also vulnerable if they include the backported code.
Fix: The issue was resolved by reverting the in-place operation back to out-of-place processing. Fixed kernel versions include 7.0, 6.19.12, and 6.18.22.
Disclosure Timeline: The vulnerability was reported to the Linux kernel security team on March 23, 2026, with patches committed to mainline on April 1, 2026, and public disclosure occurring on April 29, 2026.
Mitigation: Until kernels are updated, administrators should restrict AF_ALG socket creation via seccomp profiles or deploy runtime detection rules (such as those for Falco) to flag unexpected AF_ALG socket creation by unprivileged processes."
That is what that announcement indicates. I had a similar issue some months ago with the SoftMaker forum being under heavy DDoS attacks, preventing me from logging in.
I don't understand the meaning of their incident reporting. The header of each incident in red states "down" and underneath "All components are operational".
It does appear to be confusing. I'm trying to dissect it. I think the header is just an alert announcement? Then when you click on the header, it shows the entire timeline of the events, showing the various components that seem to be down and others that are working. Their blog site is now up, whereas hours before it was down.