Hello to you all. This CVE “Cve-2026-31431” named “Copy Fail” was officially disclosed yesterday. It is a fairly nasty one to boot. I been navigating the OpenWRT forums and they obviously are aware of the impact this might have. I’m curious as to what the GL Inet crew is planning to do as I’m sure they are very well aware of this nasty bug.
This CVE is so bad, it has it’s own web page… “ copy.fail “
If any developer cares to jump in and share what GL Inet is planning to do to address this, I would be very pleased.
They should but realistically most Linux OS don't even have this patched yet like Debian and Ubuntu.
From the OpenWrt forums it seems the master snapshots are fixing this.
But I think they need to wait on this one until their OS of their build server can also apply this fix, otherwise it can be fixed in OpenWrt but the build server is not protected for privilege escalation which is dangerous if a remote server with some dependencies not controlled by them is hacked or poisoned.
Github also had recently a vulnerability fixed it allowed attackers to commit without rights.
I would say that the impact is pretty low for OpenWrt.
The bug can be used to force local privilege escalation. But since everything on OpenWrt runs as root by default ... there is no privilege you can escalate to. Ofc the build pipeline could be affected, but this is a risk you can't really address to OpenWrt as an OS itself.
Actually most mainstream supported linux kernels/distros do have this patched already, including Debian. However, you should verify your distros to be sure they are running confirmed non-vulnerable kernels.
As Admon mentioned, OpenWrt — including our firmware — only the root user is available by default
Therefore, there are no other user accounts that could be exploited or attacked to escalate privileges to root.
Well, there are still situations non root is used.
For docker the user docker, for avahi the user avahi.
It is in the shadow file, but the score of this vulnerability is alot lower in this case.
But if one decides to virtualize docker containers then it can help to have it patched to megitate against rogue containers trying to break out of the isolation.
I know that the test exploit site replaces su by process hollowing, openwrt does not have su, but i guess su is not required for it to privilege escalate.
Of course copy-fail is not a primary attack vector, so a process must be compromised or a user session (likely root anyway as mentioned) would need to be used to gain initial access to the router to attempt to execute the code. and without su, it would be difficult to log in using one of the other service accounts via shell to do this. So you are left with exploiting a non-root user process in order to gain some level of access, then you might be able to execute priv-esc with copy-fail. Is it possible, sure. But I doubt anyone just looking for lulz will spend time on this.
