HeadlinesBriefing.com

Copy Fail lets Linux pods rewrite files via page cache

Source: Hacker News

Two weeks after disclosing a new Linux local-privilege escalation, researchers detailed Copy Fail, a memory-corruption bug that lets an unprivileged process write four bytes into the page-cache backing of any file. The exploit injects no code into the kernel, which keeps it tiny and portable across distributions. A proof-of-concept rewrites the setuid-root su binary, granting an immediate root shell.

Under the hood, Copy Fail abuses the kernel's AF_ALG interface for IPsec ESP sequence numbers. When fed a zero-length splice from a pipe, the cryptography code treats a mutable page-cache reference as disposable memory and writes the crafted four-byte value into the shared folio. Because containers share the same address_space, the modification propagates to any pod that accesses the underlying inode.

The researchers outline two practical attack paths. First, a compromised pod can poison a widely shared lower‑layer file—such as a Python module or glibc library—so every co‑located container reads the tampered bytes on its next cache hit, evading disk‑based scanners. Second, an attacker inside an unprivileged container can rewrite a setuid binary and escape to a host root shell, achieving full system takeover.