CVE-2026-31431. 100% Reliable Linux LPE — no race, no per-distro offsets, page-cache write that bypasses on-disk file-integrity tools and crosses containers. Found by Xint Code.
Which is a fairly high hurdle for an attacker in most instances.
With software projects training people that curl <link to their install script> | bash is totally fine and the insane amount of supply chain attacks lately it’s a critical bug that’s just begging to be exploited on single user systems.
So yes, patch your systems and definitely do not downplay this.
With software projects training people that curl <link to their install script> | bash is totally fine and the insane amount of supply chain attacks lately it’s a critical bug that’s just begging to be exploited on single user systems.
I wish the worst case of gout on people who do this. I can’t believe it’s become such an accepted way of installing software.
I have a vague memory of some project that did this ages ago where you could see the script on their web page but when you ran the command it executed a different script (there was a single-character difference in the URL) and the result was it told you not to be so dumb as to run scripts like that.
It was idontplaydarts.com (search it up on Internet Archive). It could detect if you were downloading it directly, or piping it to bash, abd change the script it was delivering accordingly.
Which is a fairly high hurdle for an attacker in most instances. Unless you’re running something like a shared university server.
Definitely patch your systems though.
With software projects training people that
curl <link to their install script> | bashis totally fine and the insane amount of supply chain attacks lately it’s a critical bug that’s just begging to be exploited on single user systems.So yes, patch your systems and definitely do not downplay this.
I wish the worst case of gout on people who do this. I can’t believe it’s become such an accepted way of installing software.
It is still the recommended way to install Rust… M)
But what is bonkers is that pip install can run arbitrary code. The python packaging system is likely to be the next target of such attackers.
I have a vague memory of some project that did this ages ago where you could see the script on their web page but when you ran the command it executed a different script (there was a single-character difference in the URL) and the result was it told you not to be so dumb as to run scripts like that.
It was idontplaydarts.com (search it up on Internet Archive). It could detect if you were downloading it directly, or piping it to bash, abd change the script it was delivering accordingly.
Think of the millions of systems running containers.
What about them?
It also needs the sandboxing. So disable that and get back to work.