New Linux 'Copy Fail' flaw gives hackers root on major distros

A critical local privilege escalation vulnerability known as "Copy Fail" has been discovered in Linux kernels, affecting systems released since 2017 and enabling unprivileged attackers to obtain root-level access. Security researchers have now published a working exploit for this significant security flaw.

The vulnerability, designated as CVE-2026-31431, was identified by offensive security firm Theori through their AI-powered penetration testing platform, Xint Code. The discovery occurred during a focused one-hour scan of the Linux crypto/ subsystem, demonstrating the effectiveness of automated security analysis tools.

Following responsible disclosure protocols, Theori notified the Linux kernel security team on March 23. The development community responded swiftly, delivering patches within a week. However, technical documentation and a proof-of-concept exploit became publicly available yesterday, raising immediate concerns for system administrators.

The research team has successfully developed and validated a highly reliable Python-based exploit targeting four major Linux distributions: Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16. According to the researchers, their compact 732-byte script demonstrates universal effectiveness across all Linux distributions shipped since 2017, claiming a 100% success rate.

Understanding the Copy Fail vulnerability

The technical analysis reveals that Copy Fail represents a logic error within the Linux kernel's cryptographic authentication template. This flaw enables authenticated users to execute a controlled 4-byte write operation into the page cache of any readable system file, creating significant security implications.

The vulnerability exploits a combination of the AF_ALG socket-based interface, which provides user-space access to Linux kernel cryptographic functions, and the splice() system call. This combination allows unprivileged users to perform targeted write operations in file page caches rather than standard buffers.

When these 4-byte modifications target setuid-root binaries, attackers can manipulate program behavior during execution, ultimately achieving root privilege escalation. The vulnerability traces back to 2017 when Linux kernel developers implemented an "in-place" optimization for cryptographic operations, consolidating input and output buffers instead of maintaining strict separation.

Scope of impact and available solutions

Theori's proof-of-concept demonstrates consistent effectiveness as a 732-byte exploit capable of providing root access across major Linux distributions running vulnerable kernel versions. The research team has verified successful exploitation on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16.

Security experts characterize Copy Fail as more similar to the notorious Dirty Pipe vulnerability than typical local privilege escalation flaws. However, Copy Fail exhibits superior reliability with its claimed 100% success rate and broader exploitability compared to similar vulnerabilities in this category.

"Copy Fail demonstrates enhanced portability characteristics," note the Theori researchers. "One script works across every distribution without requiring specific offsets. While Dirty Pipe required kernel versions ≥ 5.8 with particular patches, Copy Fail affects the entire 2017–2026 timeframe."

The upstream fix for CVE-2026-31431 was implemented on April 1st by reversing the problematic "in-place" cryptographic behavior introduced in Linux kernel version 4.14. The corrections are available in kernel versions 6.18.22, 6.19.12, and 7.0.

Major Linux distributions are actively distributing the fix through kernel updates. However, principal vulnerability analyst Will Dormann from Tharros observes that official updates for CVE-2026-31431 remain limited. "Fedora 42 and newer versions include updates, but lack official advisory or acknowledgment of CVE-2026-31431," Dormann explains.

For systems awaiting official updates, researchers recommend implementing interim mitigation by disabling the vulnerable cryptographic interface, which prevents AF_ALG socket creation, or disabling the algif_aead module:

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead

The research team emphasizes prioritizing patch deployment for multi-tenant Linux hosts, Kubernetes and container clusters, CI runners, build farms, and cloud Software-as-a-Service platforms executing user code, as these environments face elevated risk exposure.