libraz

English

日本語

English

日本語

Appearance

May 04, 2026/#security#aiENJA

Found in Hours

The other morning, a CVE came through my RSS. CVE-2026-31431. Copy Fail. A flaw in the Linux kernel's algif_aead module that lets you trigger a four-byte write into the page cache, rewrite a setuid binary, and take root. The exploit is a 732-byte Python script. It had been sitting there since 2017. Nine years unnoticed.

It's a local exploit, so nothing public-facing gets taken over the moment the news breaks. From the operator's side, it's closer to a routine event. Drop a blacklist into modprobe.d, schedule a reboot, done. The IDC fleet was in scope too, so I rolled the change out across every machine with Ansible. Claude Code wrote the playbook. All I did was set direction and approve.

What surprised me was how it was found. A researcher at Theori reportedly asked their own AI tool to trace every path through the kernel's crypto/ subsystem reachable from a userspace syscall. Hours later, it came back with this. A logic bug humans had missed for nine years.

There have been big ones before. Heartbleed, an out-of-bounds memory read. Dirty COW, a copy-on-write race. Log4Shell, a recursive JNDI lookup. Humans found all of them — reading commit logs, writing fuzzers, running debuggers in the middle of the night. Copy Fail's "hours" are on a different timescale.

AI moved in on the side that writes code. Now it's on the side that breaks it. From here on, both sides run in parallel. The CVE count is going to climb. The version of me still reading RSS by hand suddenly looks dated. Hand that step off to an LLM too. Let it filter what's relevant and push the matches into Discord. Without AI on both sides, only the finders get a head start.

Still, as long as it's reported, that's the saving grace. A number gets assigned. The mailing list debates it. The patch lands upstream. The distros pick it up. Anything visible can be acted on. In that sense, this Copy Fail came out on the 'good outcome' side.

What scares me is the timeline where the same prompt went to someone who wasn't a researcher. Faster discovery means the malicious side's stockpile is growing faster too. The findings that never get reported probably outnumber the ones that do, by far.

You can be breached and never know it. That's the scariest part. The root of this hasn't changed in twenty years. What changed is just how fast the finders work.

Ansible comes back green. Discord lights up with the completion message. The next CVE is probably already being written by some AI somewhere.

© 2026 libraz · All bugs are considered features.