
Linux kernel under attack: the Copy Fail vulnerability in Podman

08.05.2026 13:22 · hackernews

A summary of the Copy Fail (CVE-2026-31431) write-up: how the exploit behaves inside Podman rootless containers, and which mitigation settings the author's tests showed to contain it.

The original write-up walks through a series of tests with a custom copyfail container image that bundles python3, curl and an HTTP server. The goal is to see which security configurations stop the exploit from escalating to a full host compromise.

It draws four conclusions about limiting the "blast radius" of this exploit.

  1. Rootless is not immune: running the container without root on the host does not stop the Copy Fail exploit. The bug lets an unprivileged process become root inside the container's user namespace.
  2. Host isolation is what contains it: a rootless container runs as an unprivileged user on the host, so "root" inside the container still maps to that user. Even after the escalation, the process generally cannot read host files or run host commands beyond what that unprivileged user could already do.
  3. Defense in depth: no single flag stops the exploit on its own. Combining no-new-privileges (execve can no longer grant privileges through setuid binaries or file capabilities), cap-drop=all (root inside the container holds no capabilities) and a read-only root filesystem (nothing can be written into the image) effectively neutralizes the threat: the attacker is left as an unprivileged user with no capabilities in a read-only environment.
  4. Kernel patching: these mitigations limit the damage but do not fix the underlying bug. Updating to a kernel that fixes the page-cache vulnerability is the most important step.

Final recommendation: for production environments, combine:

  * a patched kernel;
  * --security-opt=no-new-privileges;
  * --cap-drop=all (or drop specific capabilities);
  * --read-only where possible;
  * minimal/distroless base images.
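The following script is an added example for this summary, not code from the original write-up. It assembles the hardened `podman run` invocation from the recommendation above and shows how to verify, from `/proc/<pid>/status`, that the flags actually took effect: `--cap-drop=all` should leave `CapEff` all zeros and `--security-opt=no-new-privileges` should set `NoNewPrivs` to 1, while `--read-only` is checked by attempting a write to the rootfs. The image name is hypothetical, and the two status dumps are constructed samples rather than captures from a real container.

```shell
#!/bin/sh
# Added example; not from the original Copy Fail write-up.
# Builds the hardened `podman run` command and audits /proc/<pid>/status
# for the mitigations it is supposed to enforce.

IMAGE="localhost/copyfail:latest"   # hypothetical name for the test image

# The three flags from the recommendation, on a throwaway interactive container.
hardened_cmd() {
    printf '%s' "podman run --rm -it" \
        " --security-opt=no-new-privileges" \
        " --cap-drop=all" \
        " --read-only" \
        " $IMAGE /bin/sh"
}

# Field extractors for a /proc/<pid>/status dump passed as $1.
cap_eff_from_status() {
    printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }'
}
no_new_privs_from_status() {
    printf '%s\n' "$1" | awk '/^NoNewPrivs:/ { print $2 }'
}

# Returns 0 only if CapEff is present and all zeros (cap-drop=all applied)
# and NoNewPrivs is 1 (no setuid/file-capability binary can regain privilege
# on execve). Anything else means a layer is missing.
status_is_hardened() {
    sih_raw=$(cap_eff_from_status "$1")
    sih_caps=$(printf '%s' "$sih_raw" | sed 's/^0*//')   # empty => mask is 0
    sih_nnp=$(no_new_privs_from_status "$1")
    if [ -n "$sih_raw" ] && [ -z "$sih_caps" ] && [ "$sih_nnp" = "1" ]; then
        return 0
    fi
    return 1
}

# Run inside the container to audit the live process. Reports each missing
# mitigation and returns 1 if any is absent, including a writable rootfs.
check_self() {
    cs_status=$(cat /proc/self/status)
    cs_rc=0
    if ! status_is_hardened "$cs_status"; then
        echo "CapEff=$(cap_eff_from_status "$cs_status") NoNewPrivs=$(no_new_privs_from_status "$cs_status"): not hardened"
        cs_rc=1
    fi
    if touch /copyfail.probe 2>/dev/null; then
        rm -f /copyfail.probe
        echo "rootfs is writable: --read-only not in effect"
        cs_rc=1
    fi
    return $cs_rc
}

# Constructed sample: a default rootless container after the exploit has made
# the process root inside the user namespace. CapEff is non-zero, NoNewPrivs 0.
SAMPLE_DEFAULT='Name: sh
Uid: 0 0 0 0
CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
NoNewPrivs: 0
Seccomp: 2'

# Constructed sample: the same process when launched with hardened_cmd.
SAMPLE_HARDENED='Name: sh
Uid: 0 0 0 0
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000000000000
CapAmb: 0000000000000000
NoNewPrivs: 1
Seccomp: 2'

# Stand-alone demo: print the launch command and evaluate both samples.
echo "Hardened launch: $(hardened_cmd)"
if status_is_hardened "$SAMPLE_DEFAULT"; then
    echo "default sample: mitigations in effect"
else
    echo "default sample: CapEff=$(cap_eff_from_status "$SAMPLE_DEFAULT") NoNewPrivs=$(no_new_privs_from_status "$SAMPLE_DEFAULT"), not hardened"
fi
if status_is_hardened "$SAMPLE_HARDENED"; then
    echo "hardened sample: mitigations in effect"
else
    echo "hardened sample: not hardened"
fi
```

To audit a real container, copy the script into the image (or bind-mount it) and call `check_self` from a shell started by `hardened_cmd`; a zero exit means all three layers are in place. Note that Podman's `--read-only` mounts tmpfs on /tmp, /run and /var/tmp by default (`--read-only-tmpfs=true`), so tools that need scratch space keep working while the image itself stays immutable.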
