Copy Fail
Linux kernel copy_file_range() race-condition LPE — local user escalates to root via cross-filesystem copies; named CopyFail by community / Cloudflare write-up.
A small catalog of vulnerabilities that earned their own names. Every card links to the canonical CVE-detail page on this site so you can pivot from the colloquial name into the full posture record — controls, references, attributed actors, and EU/UK enrichment.
Almost every entry in the CVE corpus is known only by its identifier,
like CVE-2024-3094. A small number cross over into a
memorable name. That crossover is itself a signal: a vulnerability
usually only earns a name when it is easy to weaponise, hits widely
deployed software, or both. Three things tend to produce one.
vulnerabilityName field alongside the CVE ID. That is
the closest thing to an authoritative naming source.The catalog below is a curated pick of those crossover cases. Some names cover a single CVE; others, like ProxyShell, bundle a chain of several. Each card links straight to the full CVE-detail page so you can move from the colloquial name into the underlying record.
Linux kernel copy_file_range() race-condition LPE — local user escalates to root via cross-filesystem copies; named CopyFail by community / Cloudflare write-up.
Signal-handler race in OpenSSH sshd that re-introduced a 2006 RCE — pre-auth, root, exploitable under tight conditions.
Multi-year supply-chain implant in xz-utils that targeted OpenSSH via systemd's liblzma linkage — caught days before it hit stable distros.
SSH BPP prefix-truncation attack that lets a network-level adversary downgrade negotiated parameters and strip channel-binding messages.
Progress MOVEit Transfer SQL injection that Clop weaponized into one of the largest mass-data-exfiltration campaigns on record.
glibc dynamic loader GLIBC_TUNABLES buffer overflow exploitable by any local user to escalate to root on most Linux distros.
Fortra GoAnywhere MFT pre-auth RCE chain — Clop's earlier 2023 mass-exfil campaign and a 2025 recurrence in the same product.
Citrix NetScaler buffer over-read that leaked session tokens, enabling session hijacking — used by LockBit and others against major orgs.
Spring Core RCE via parameter binding to ClassLoader fields — the spring-framework equivalent of Log4Shell.
Polkit pkexec argv parsing flaw — any unprivileged local user becomes root, present in Linux for 12+ years before disclosure.
Exchange Server SSRF + post-auth PowerShell RCE pair, exploited as a 0-day before Microsoft shipped a fix.
Office MSDT URI handler executed arbitrary PowerShell from a Word document — no macros required.
Linux pipe-buffer flag mishandling let an unprivileged user overwrite data in arbitrary read-only files.
Heap-based buffer overflow in sudo's argument parsing, exploitable by any local user to gain root — affected default installs across most distros.
Exchange Server pre-auth RCE chain (path confusion + privilege escalation + arbitrary write) used heavily by ransomware crews.
Exchange SSRF chained into pre-auth RCE — the HAFNIUM mass-compromise spree of early 2021.
Windows Print Spooler RCE/LPE pair — Microsoft patched it, then re-patched, then re-patched again.
Office DOCX MSHTML ActiveX RCE — used in mass campaigns as a Cobalt Strike loader before Follina shipped.
Log4Shell patch-bypass: the 2.15 release still allowed JNDI lookup via certain non-default configurations.
Unauthenticated RCE in Apache Log4j via JNDI lookup substitution in a single logged string.
Netlogon cryptographic flaw let any unauthenticated attacker on the network reset a domain controller's machine password.
SMBv3 compression-header integer overflow giving pre-auth wormable RCE on Windows 10 / Server 2019.
Pre-auth wormable RCE in Windows RDP — Microsoft was alarmed enough to ship XP patches.
Speculative-execution side channel (bounds-check bypass) that leaks data across security boundaries on virtually every modern CPU.
Out-of-order execution side channel on Intel CPUs that let unprivileged code read kernel memory.
WPA2 four-way handshake key-reinstallation flaw that let an attacker decrypt Wi-Fi traffic.
SMBv1 RCE leaked from the NSA via Shadow Brokers; the engine behind WannaCry and NotPetya.
Race condition in the Linux kernel's copy-on-write handling that turned read-only mappings into a local root primitive.
Cross-protocol attack reusing a still-enabled SSLv2 endpoint to break TLS sessions sharing the same RSA key.
Heap buffer overflow in glibc's gethostbyname() reachable from many network-facing daemons.
Bash parsed function definitions out of environment variables, turning CGI servers into remote shells.
SSL 3.0 CBC padding oracle that let a network attacker decrypt session cookies one byte at a time.
OpenSSL TLS heartbeat extension leaked up to 64 KB of process memory per request, exposing keys and passwords.