who is affected
If your kernel was built between 2017 and the patch – which covers essentially every mainstream Linux distribution – you’re in scope.
Copy Fail requires only an unprivileged local user account – no network access, no kernel debugging features, no pre-installed primitives. Kernel Crypto API (AF_ALG) ships enabled in the default configuration of essentially every mainstream distro, so the entire 2017 → patch window is running out of the box.
Distributions that we verified directly:
| Distribution | kernels |
|---|---|
| ubuntu 24.04 lts | 6.17.0-1007-aws |
| amazon linux 2023 | 6.18.8-9.213.amzn2023 |
| RHEL 14.3 | 6.12.0-124.45.1.el10_1 |
| SUSE 16 | 6.12.0-160000.9-default |
These are the ones we tested directly. Other distributions running affected kernels – Debian, Arch, Fedora, Rocky, Alma, Oracle, Embedded Crowd – behave similarly. Tested it somewhere else? Open an issue to add to the list.
Should you apply the patch first?
multi-tenant linux host
Shared dev boxes, shells-as-a-service, jump hosts, build servers – anywhere multiple users share a kernel.
any user becomes root
Kubernetes/Container Cluster
The page cache is shared across the host. A pod with the correct primitives compromises the node and crosses tenant boundaries.
cross-container, cross-tenant
CI runner and form creation
GitHub Actions Self-hosted runners, GitLab runners, Jenkins agents – anything that executes untrusted PR code as a regular user on a shared kernel.
Roots on a PR runner
Cloud SaaS Running User Code
Notebook host, agent sandbox, serverless functions, no tenant supplied containers or scripts.
tenant host becomes root
standard linux server
Single-tenant production where only your team has shell access.
internal LPE; Web RCE or Stolen Credential Chains
Single-user laptops and workstations
You are already the only user. The bug itself does not provide access to remote attackers, but any local code execution becomes root.
stepping up after exploitation
<a href