Vulnerabilities | Apr 30, 2026

9-Year-Old Linux Kernel Vulnerability “Copy Fail” Enables Full Root Access

9-year-old Linux kernel memory flaw "Copy Fail" enables unprivileged users to gain root access.

Summary

A critical Linux kernel vulnerability dubbed "Copy Fail" (CVE-2026-31431) has existed since 2017 in the algif_aead cryptographic module, allowing attackers to write data into the page cache and modify privileged binaries in memory to gain root access. Discovered by Theori's Xint Code research team using AI-powered code auditing, the flaw is reliable across multiple Linux distributions including Ubuntu 24.04 LTS, Amazon Linux 2023, and RHEL 10.1, exploitable via a simple 732-byte Python script with minimal forensic traces. Linux has released a patch (commit a664bf3d603d), and users unable to patch immediately should disable the algif_aead module.

Full text

Linux Kernel Vulnerability "Copy Fail" lets attackers gain root access via a memory flaw. Patch now or disable algif_aead to stay secure.

By Deeba Ahmed, April 30, 2026

Offensive security research firm Theori discovered a bug in the Linux kernel that, surprisingly, has existed since 2017. The flaw, dubbed Copy Fail and tracked as CVE-2026-31431, allows a regular user to take total control of a computer system. The Xint Code Research Team at Theori used their AI-powered code auditing tool to find this hidden error after an initial lead from researcher Taeyang Lee. The problem lies in how Linux handles security tasks within its cryptographic subsystem, specifically the algif_aead module.

A Tiny Script with Massive Impact

You need to know about the page cache to understand this flaw. The page cache is the part of system memory that holds pieces of files so they can be read quickly without going to the storage drive every time. Copy Fail happens because of a mistake in the authencesn code, which implements an AEAD algorithm to encrypt data and check it for tampering. When this code arranges data for network security, it accidentally writes four bytes into the wrong place. Because of a separate speed-up change added to the Linux code in 2017, those four bytes end up inside the page cache of important files. Using a Python script only 732 bytes long, threat actors can edit the in-memory copy of a file such as /usr/bin/su (a program that runs with high privileges). The file on disk remains unchanged, but the version served from memory is modified. This lets attackers obtain a root shell, effectively becoming the system administrator with the highest access level.

Demo shared by the researchers: https://copy.fail/public/demo.mp4

Why This Is Different

Most security flaws are hard to use because they require perfect timing or multiple attempts, but Copy Fail is different: it is a logic bug and works the same way every time. Xint Code researchers found that the same simple script works on different versions of Linux, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux 10.1, and SUSE 16. It also leaves minimal forensic traces, since the changes happen in memory rather than on disk. That is why many security tools that check file integrity did not detect it in all these years. Even now, the discovery was made possible by scanning millions of lines of code with the Xint Code platform.

Linux has released a fix that changes how the system handles this data. Instead of the risky in-place method that could leak data into memory it was not supposed to touch, the fix makes the system copy the data into a separate area, preventing accidental overwrites. Users are urged to update to a kernel that includes the patch (commit a664bf3d603d). Those who cannot update immediately are advised to disable the algif_aead module, which blocks the path attackers use without affecting everyday applications such as web browsers or SSH.

Expert Perspective

In a comment shared with Hackread.com, David Brumley, Chief AI and Science Officer at Bugcrowd, highlighted the extreme severity of the find. "If you described this bug to a top kernel researcher… they'd tell you this is the kind of thing that, when it exists at all, tends to sell on the broker market for the price of a house," Brumley noted. He explained that what makes Copy Fail so dangerous is its reliability across distributions: "This is a straight-line logic flaw. Reliability isn't probabilistic, and the same script works across distributions."

Brumley also warned that the "high" (rather than critical) severity score should not lead to complacency, especially for those using shared servers. "The page cache is shared. A write from one container affects the host page cache, and therefore every other tenant on that host," he said. He concluded that this discovery marks a shift in cybersecurity: "Copy Fail shows that the assumption that finding a kernel-grade bug is expensive is false going forward… the cost of finding deep logic flaws may have dropped by something like an order of magnitude."
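The stopgap mitigation above (disable algif_aead until the patched kernel is installed) as an added example, not code from the article or from Theori. It checks whether the module is currently loaded and stages the modprobe rule that refuses to load it; the lsmod output embedded in the script is constructed for offline use, and the config file name is an assumed conventional one.

```shell
#!/bin/sh
# Added example, not from the article or from Theori: stopgap for hosts that
# cannot take the patched kernel yet. Checks whether algif_aead is loaded and
# stages the modprobe rule that refuses to load it. SAMPLE_LSMOD below is
# constructed for offline testing.

# Print "yes" if algif_aead appears as a module name (column 1) in lsmod-style
# output, "no" otherwise. Column 1 only: af_alg lists algif_aead in "Used by",
# which must not count as the module itself being loaded.
algif_aead_loaded() {
  printf '%s\n' "$1" | awk '$1 == "algif_aead" { found = 1 }
                            END { if (found) print "yes"; else print "no" }'
}

# The modprobe.d rule. An "install" line (rather than "blacklist") also stops
# on-demand loading triggered by an AF_ALG socket request, not just autoload
# by alias.
blacklist_rule() {
  printf 'install algif_aead /bin/false\n'
}

# Write the rule to a modprobe.d file; the default path is an assumed
# conventional name under /etc/modprobe.d (needs root on a real host).
write_blacklist() {
  blacklist_rule > "${1:-/etc/modprobe.d/disable-algif_aead.conf}"
}

# Constructed lsmod output: algif_aead loaded, af_alg referencing it.
SAMPLE_LSMOD='Module                  Size  Used by
algif_aead             16384  0
af_alg                 32768  1 algif_aead
xfs                  2000000  1'

# Report on the live system, falling back to the sample where lsmod is absent.
main() {
  live=$(lsmod 2>/dev/null || printf '%s' "$SAMPLE_LSMOD")
  echo "algif_aead loaded: $(algif_aead_loaded "$live")"
  echo "rule to stage:     $(blacklist_rule)"
  # An already-loaded module must also be removed: modprobe -r algif_aead
}

main
```

The modprobe rule only prevents future loads, so on a host where the module is already present run `modprobe -r algif_aead` as well, and treat both steps as a bridge until the kernel carrying commit a664bf3d603d is installed.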

Indicators of Compromise

  • cve — CVE-2026-31431

Entities

  • Linux (vendor)
  • Linux Kernel (product)
  • algif_aead (product)
  • Theori (vendor)
  • Xint Code (product)
  • AEAD encryption (technology)