On dealing with security vulnerabilities in the Linux kernel

At the beginning of the year, security company Theori discovered a security hole in the Linux kernel that would later become known as “Copy Fail.” The vulnerability allowed unprivileged users to gain root privileges. Theori reported it to the kernel developers on March 23, and it was fixed in the current development branch of the kernel on April 1; a few days later, the kernel developers also ported the fixes to version branches 6.18 and 6.19. The Linux team responsible for this assigned a unique number for the vulnerability (CVE-2026-31431) and published a notice about it on April 22nd, which, among other things, referred to the fixes.

One might think that coordinated disclosure had been carried out optimally, but when Theori published Copy Fail and an example exploit in a very public manner on April 29th, many Linux distributions and their users were caught off guard: the kernels distributed by the distributions did not contain the fixes, nor did some of the “long-term” versions offered by the kernel team. Fixes for the latter were submitted on April 30th; Some distributions took significantly longer to deliver updated kernels and were busy putting together workarounds to patch up affected systems.

As a result, Theori was criticized a lot. Not without good reason (more on that later), but Copy Fail was not an extraordinary failure, the cause of which can be blamed solely on Theori. The fact that there is a general crunch in the disclosure process surrounding kernel vulnerabilities became apparent just a few days after Copy Fail, when the vulnerabilities “Dirty Frag” and “Copy Fail 2” were published. Theori was not involved in either and in these two cases the public announcement was anything but smooth.

That was the excerpt from our heise Plus article “On dealing with security gaps in the Linux kernel”. With a heise Plus subscription you can read the entire article.