CopyFail Roots Every Linux, 5,000 Vibe-Coded Apps Leak Data, and Pwn2Own Drops 24 Zero-Days

It's one of those weeks where the headlines read like a cybersecurity thriller. A single 732-byte Python script can root virtually every Linux machine shipped since 2017. Thousands of applications built with AI coding tools are spilling corporate secrets onto the open web. And at Pwn2Own Berlin, researchers shattered records by demonstrating 24 unique zero-day vulnerabilities in a single day — including multiple hacks against Windows 11 and Microsoft Edge.

Together, these stories paint a picture of an industry at an inflection point: the same AI revolution that's accelerating software development is simultaneously expanding the attack surface in ways we're only beginning to understand. Let's break down the five most important stories from this week and what they mean for developers, security teams, and the broader tech ecosystem.

CopyFail: The Linux Exploit That Roots Everything

Security firm Theori publicly released exploit code for CVE-2026-31431, dubbed "CopyFail" — a local privilege escalation vulnerability in the Linux kernel that gives unprivileged users root access on virtually every distribution. The flaw exists in the kernel's crypto API (specifically authencesn), and unlike typical race-condition exploits that are unreliable, CopyFail exploits a straightforward logic bug that works consistently across Ubuntu, Debian, Amazon Linux, SUSE, and others.

The exploit chains through AF_ALG and splice() to achieve a 4-byte page-cache write — silently, without triggering standard security monitoring. As Jorij Snijders of Theori put it: "Local privilege escalation" sounds dry, but in 2026, "local access" means every container on a shared Kubernetes node, every CI/CD pipeline, and every WSL2 instance. The kernel security team patched the vulnerability in versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254 — but many distributions hadn't incorporated those fixes at the time of public disclosure.

If you're running Linux in production — and statistically, you almost certainly are — patch immediately. This is being compared to Dirty Pipe and Dirty Cow in severity. For a deeper dive into Linux zero-days and how they impact cloud infrastructure, check out our earlier coverage of the Dirty Frag vulnerability.

5,000+ Vibe-Coded Apps Are Quietly Leaking Corporate Data

Security researchers at RedAccess, led by Dor Zvi, conducted a sweeping analysis of web applications built using popular AI coding platforms — Lovable, Replit, Base44, and Netlify — and discovered more than 5,000 apps with virtually no security or authentication. Around 40% of these apps contained sensitive data including medical information, financial records, corporate strategy documents, and detailed customer chat logs.

The root cause isn't a bug in the AI tools themselves — it's a fundamental gap in how non-technical users interact with them. Marketing teams, HR departments, and other non-developers are building production web applications by prompting AI, and the tools faithfully execute instructions without adding security measures unless explicitly asked. There's no default authentication, no rate limiting, no access controls. If you can find the URL, you can access the data.

This represents what may be one of the largest data exposure events driven by the "vibe-coding" movement — and it's a problem that's only accelerating as AI coding tools become more accessible. The lesson is clear: democratizing software development is powerful, but it requires democratizing security awareness alongside it. For organizations navigating this new landscape, zero-trust security architectures are no longer optional — they're essential.

Pwn2Own Berlin 2026: 24 Zero-Days in a Single Day

The annual Pwn2Own hacking competition, running alongside OffensiveCon in Berlin, opened with a bang: researchers demonstrated 24 unique zero-day vulnerabilities on day one alone, collecting $523,000 in bounties. The highlight was Cheng-Da Tsai (Orange Tsai), who earned $175,000 for chaining four logic bugs to achieve a sandbox escape on Microsoft Edge — one of the most sophisticated exploitation chains seen in recent competition history.

Windows 11 was hacked three separate times by different teams: Angelboy and TwinkleStar03 from the DEVCORE Internship Program, Marcin Wiązowski, and Kentaro Kawane of GMO Cybersecurity — each earning $30,000 for demonstrating new privilege escalation zero-days. Valentina Palmiotti (chompie) of IBM X-Force also collected $20,000 after rooting Red Hat Linux for Workstations.

This year's competition notably expanded its target scope to include AI databases, coding agents, local inference systems, and NVIDIA products — reflecting the industry's recognition that AI infrastructure is now critical enterprise attack surface. The results serve as a stark reminder: even the most widely deployed software in the world harbors critical, unknown vulnerabilities, and the pace of discovery is accelerating.

Anduril Raises $5B, Doubling Valuation to $61 Billion

Defense technology startup Anduril announced a $5 billion funding round led by Thrive Capital and a16z, doubling its valuation to $61 billion — making it one of the most valuable private companies in the world. The round comes on the heels of Anduril booking $2.2 billion in revenue for 2025, a 2x year-over-year increase, and expanding its international contracts beyond the U.S. Department of Defense.

CEO Brian Schimpf framed the raise as evidence that defense tech has evolved from a niche investment category to a mainstream VC thesis — a dramatic reversal from when Anduril was founded in 2017, when Silicon Valley largely avoided military contracts. The company's autonomous systems, surveillance towers, and AI-powered platforms have become central to modern defense strategy, and this funding positions Anduril to compete at the highest level globally.

What's particularly notable is the "circular investment" pattern emerging in defense tech, similar to what we've seen with Nvidia's $40 billion AI equity strategy: investors fund the builders, who then supply the very infrastructure that enables the next wave of investment. In Anduril's case, that infrastructure is national security.

Senate Advances CLARITY Act, First Comprehensive U.S. Crypto Regulation

The U.S. Senate Banking Committee passed the CLARITY Act, the first comprehensive cryptocurrency regulation bill to advance to a full Senate vote. The vote exposed a Democratic split: Senators Ruben Gallego (D-AZ) and Angela Alsobrooks (D-MD) broke ranks to support the bill alongside all Republican committee members, despite earlier indications they would vote no without an ethics deal limiting the president's personal crypto ventures.

The bill, if passed and signed into law, would formally legalize most cryptocurrency activity in the United States and provide regulatory clarity that the industry has been seeking for years. However, it will need support from at least seven Democrats on the Senate floor to ultimately pass — a significant hurdle. Coinbase and other crypto industry players are key backers of Fairshake, a political action committee that has been scoring lawmakers based on their crypto votes.

The CLARITY Act's advancement comes at a pivotal moment: Bitcoin ETF outflows hit $635 million this week as BTC dipped below $80,000, while JPMorgan increased its Bitcoin ETF exposure and Tether's T3 Financial Crime Unit froze $450 million in illicit crypto assets. The message from institutional players is clear — they want regulatory clarity before committing deeper capital, and the CLARITY Act is the closest they've come to getting it.

The Big Picture

This week's stories share a common thread: the friction between democratization and security. AI coding tools let anyone build software, but that software is leaking data. AI-powered vulnerability research is finding more bugs than ever — and the bugs are getting more severe. And in the startup world, the companies building the infrastructure for both defense and finance are attracting record capital precisely because the stakes have never been higher.

For developers and security professionals, the takeaway is unambiguous: the attack surface is expanding faster than our ability to defend it. Patch your Linux systems. Audit your AI-generated applications. And assume that every zero-day demonstrated at Pwn2Own will be weaponized within weeks, if not days.

The tools are getting better — for both builders and breakers. The question is whether our security practices are evolving at the same rate.