‘Copy Fail’ Logic Flaw in Linux Kernel Enables System Takeover
Linux kernel logic flaw CVE-2026-31431 allows unprivileged attackers to gain root access.
Summary
A high-severity logic bug in the Linux kernel's AEAD cryptographic template, affecting all distributions since 2017, allows unprivileged attackers to write arbitrary code to other processes' memory and obtain root shell access. Tracked as CVE-2026-31431 with a CVSS score of 7.8, the vulnerability can be exploited with a simple 732-byte Python script and poses significant risk in multi-tenant environments, shared-kernel containers, and CI runners. The issue stems from a 2017 optimization that placed page cache pages in a writable scatterlist, enabling attackers to corrupt in-memory copies of setuid-root binaries while leaving disk files unmodified.
Full text
A high-severity logic bug in the Linux kernel allows unprivileged attackers to write code into the in-memory copies of other files and obtain a root shell, cybersecurity firm Theori reports. Tracked as CVE-2026-31431 (CVSS score of 7.8) and dubbed Copy Fail, the issue is believed to affect all Linux distributions since 2017.

The security defect impacts the kernel’s authencesn Authenticated Encryption with Associated Data (AEAD) template, which IPsec uses for Extended Sequence Number (ESN) support. According to Theori, authencesn uses the caller’s destination scatterlist as scratch space, and a 2017 optimization placed page cache pages in that writable scatterlist. When performing byte rearrangement in the scratch space, authencesn writes four bytes past the AEAD tag, into the cached copy of another file.

Copy Fail allows an attacker with local code execution privileges to modify the in-memory copy of any setuid-root binary readable by the user, thus achieving root shell access, Theori explains.

According to the company, successful exploitation can be achieved with a simple 732-byte Python script on essentially any Linux distribution shipped since 2017. The vulnerability poses a high risk for multi-tenant Linux environments, as well as for shared-kernel containers and CI runners executing untrusted code.

The main threat, Theori says, is that all changes are made directly in memory, and the file on disk remains unmodified. Copy Fail differs from both Dirty Pipe, a page cache corruption flaw that abuses pipe buffer flags, and Dirty Cow, which exploits a race condition in the COW path, the company says.

Organizations are advised to update their Linux distributions to a fixed version as soon as possible, especially in environments running untrusted workloads.
According to Theori, the page cache is shared across containers, so the bug leads to node and cross-tenant compromise. The patches rolled out for Copy Fail remove the optimization introduced in 2017, reverting to out-of-place operation and removing the mechanism that “linked page cache tag pages into the writable destination scatterlist,” Theori notes.

Written by Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.
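Because the tampering described above lives only in the page cache, a detection check has to look at what the kernel actually serves to readers, not at the block device. A normal read() of a file is satisfied from the page cache, so hashing a setuid-root binary the ordinary way and comparing it against a baseline recorded from a trusted state will reveal a modified cached page for as long as that page stays cached; once the page is evicted or the host reboots, the modified copy is gone and the hash matches the untouched file on disk again. The script below is an added example written for this article, not Theori's code or any distribution's tooling: it enumerates setuid-root binaries under a directory, records known-good SHA-256 hashes, and reports drift. The directory list in the command-line section and the `--record`/`--verify` flags are assumptions of this example. Package-manager verification such as `rpm -V` or `dpkg --verify` performs the same kind of comparison against vendor-recorded hashes.

```python
import hashlib
import os
import stat


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file as the kernel serves it. A normal read() is satisfied from
    the page cache, so a tampered cached page is reflected in this digest even
    though the blocks on disk are untouched."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def find_setuid_binaries(root, owner_uid=0):
    """Return regular files under root owned by owner_uid with the setuid bit.
    The default uid 0 selects the setuid-root binaries the advisory is about;
    the parameter exists so the function can be exercised without root."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so symlinks are not followed
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode)
                    and st.st_uid == owner_uid
                    and st.st_mode & stat.S_ISUID):
                found.append(path)
    return sorted(found)


def build_baseline(paths):
    """Record known-good hashes. Run this from a trusted state (fresh boot,
    verified package contents), never after untrusted code has already run."""
    return {p: sha256_of(p) for p in paths}


def verify_baseline(baseline):
    """Compare the current page-cache-served content against the baseline.
    Returns {path: 'ok' | 'MISMATCH' | 'unreadable: <reason>'}."""
    results = {}
    for path, expected in baseline.items():
        try:
            actual = sha256_of(path)
        except OSError as err:
            results[path] = f"unreadable: {err.strerror}"
            continue
        results[path] = "ok" if actual == expected else "MISMATCH"
    return results


if __name__ == "__main__":
    # Assumed CLI for this example: --record prints a baseline as JSON,
    # --verify <file> checks the running system against that baseline.
    import json
    import sys

    # Directory list is an assumption; /bin and /sbin are often symlinks to
    # /usr/bin and /usr/sbin, so realpath() plus a set avoids double-scanning.
    roots = {os.path.realpath(d) for d in ("/usr/bin", "/usr/sbin", "/bin", "/sbin")
             if os.path.isdir(d)}
    if len(sys.argv) == 2 and sys.argv[1] == "--record":
        targets = sorted(p for d in roots for p in find_setuid_binaries(d))
        json.dump(build_baseline(targets), sys.stdout, indent=1)
    elif len(sys.argv) == 3 and sys.argv[1] == "--verify":
        with open(sys.argv[2]) as f:
            for path, status in sorted(verify_baseline(json.load(f)).items()):
                print(status, path)
    else:
        print("usage: --record | --verify <baseline.json>", file=sys.stderr)
```

A MISMATCH from this check is worth treating as an incident indicator rather than a file-system error: the disk copy will still verify cleanly against the package database, and the discrepancy disappears on its own once the cache page is dropped, so capture the page-cache-served bytes before rebooting if forensics matter.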
Indicators of Compromise
- cve — CVE-2026-31431