Vulnerabilities, Apr 30, 2026

New Linux ‘Copy Fail’ flaw gives hackers root on major distros

Linux 'Copy Fail' flaw (CVE-2026-31431) allows unprivileged users to gain root on kernels since 2017.

Summary

A local privilege escalation vulnerability dubbed 'Copy Fail' (CVE-2026-31431) has been discovered in Linux kernels released since 2017, allowing unprivileged local attackers to gain root permissions. Discovered by Theori using its AI-driven pentesting platform, the flaw is a logic bug in the kernel's cryptographic template that enables a 4-byte controlled write to the page cache. A 732-byte Python exploit achieving 100% reliability has been publicly released, and patches are available in kernel versions 6.18.22, 6.19.12, and 7.0.

Full text

By Bill Toulas, April 30, 2026 09:54 AM

An exploit has been published for a local privilege escalation vulnerability dubbed “Copy Fail” that impacts Linux kernels released since 2017, allowing an unprivileged local attacker to gain root permissions.

The vulnerability is tracked as CVE-2026-31431 and was discovered by the offensive security company Theori, using its AI-driven pentesting platform Xint Code, after scanning the Linux crypto/ subsystem for about an hour.

Theori reported the finding to the Linux kernel security team on March 23, and patches became available within a week. Technical details and a proof-of-concept exploit for the flaw emerged publicly yesterday.

Although the cybersecurity company developed and tested a "100% reliable" Python-based exploit for four Linux distributions (Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16), the researchers say that the 732-byte "script roots every Linux distribution shipped since 2017."

Copy Fail root cause

In a detailed write-up, the researchers say that the Copy Fail (CVE-2026-31431) issue "is a logic bug in the Linux kernel's authencesn cryptographic template" that allows an authenticated user to reliably perform a "4-byte write into the page cache of any readable file on the system."

By combining the ‘AF_ALG’ socket-based interface, which exposes the Linux kernel's crypto functions to user space, with the splice() system call, an unprivileged user can make a 4-byte controlled write into the page cache of a file instead of into a normal buffer. If those 4 bytes hit a setuid-root binary, they can alter its behavior when executed, giving the attacker root privileges.

The flaw was introduced in 2017, when the Linux kernel team added an “in-place” optimization to the crypto path, meaning it began reusing the same buffer rather than keeping input and output strictly separate.

Impact and fixes

Theori's PoC is a consistently effective 732-byte exploit that gives root on every major Linux distribution running a vulnerable Linux kernel version, the researchers say. They demonstrated and confirmed the Copy Fail exploit on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16:

[Image: Getting root shell on four Linux distributions. Source: Xint Code]

Copy Fail is characterized as being closer to the ‘Dirty Pipe’ vulnerability than to typical local privilege escalation flaws, is more reliable (claimed 100% success), and is more broadly exploitable than most bugs in this class. Even when compared to Dirty Pipe, Copy Fail is deemed more practical.

“Copy Fail is more portable. One script, every distro, no offsets. Dirty Pipe needed kernel ≥ 5.8 with specific patches; Copy Fail covers the entire 2017–2026 window,” Theori researchers note.

CVE-2026-31431 was fixed upstream on April 1st by reverting the problematic “in-place” crypto behavior introduced in Linux kernel version 4.14 in 2017. The fixes were made available in versions 6.18.22, 6.19.12, and 7.0.

According to the researchers, major Linux distributions are already pushing the fix via kernel updates. However, Tharros' principal vulnerability analyst, Will Dormann, notes that there are no "official updates for CVE-2026-31431."

"Fedora 42 and newer have updates, but no official advisory or acknowledgement of CVE-2026-31431," Dormann says.

As an interim mitigation for those who haven’t received the updates yet, the researchers recommend disabling the vulnerable crypto interface, which would block AF_ALG socket creation, or disabling the algif_aead module:

    echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
    rmmod algif_aead

Theori researchers suggest treating multi-tenant Linux hosts, Kubernetes/container clusters, CI runners/build farms, and cloud SaaS running user code as a priority in the patching effort.
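A defender-side check for the two facts above, the fixed upstream versions and the algif_aead mitigation, added here as an example and not code from the article or from Theori; the version thresholds (6.18.22, 6.19.12, 7.0, bug introduced in 4.14) and the modprobe rule come from the article, while the function names and status labels are assumptions of this example.

```shell
#!/bin/sh
# Added defender-side check for CVE-2026-31431 ("Copy Fail"); not Theori's
# or the article's code. Fixed upstream versions come from the article:
# 6.18.22, 6.19.12 and 7.0; the bug was introduced in 4.14.
# Caveat: distribution kernels backport fixes without changing the upstream
# version string, so "unknown-or-vulnerable" means "check the vendor advisory".

# Classify a kernel release string such as "6.8.0-45-generic".
# Prints: fixed | predates-bug | unknown-or-vulnerable
copyfail_kernel_status() {
    v=$(printf '%s' "$1" | sed 's/[-+].*//')        # drop distro suffix
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -s -d. -f2)
    patch=$(printf '%s' "$v" | cut -s -d. -f3)
    if [ -z "$minor" ]; then minor=0; fi
    if [ -z "$patch" ]; then patch=0; fi
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 14 ]; }; then
        echo predates-bug; return
    fi
    if [ "$major" -ge 7 ]; then echo fixed; return; fi
    if [ "$major" -eq 6 ] && [ "$minor" -eq 18 ] && [ "$patch" -ge 22 ]; then echo fixed; return; fi
    if [ "$major" -eq 6 ] && [ "$minor" -eq 19 ] && [ "$patch" -ge 12 ]; then echo fixed; return; fi
    echo unknown-or-vulnerable
}

# Check the interim mitigation from the article: an "install algif_aead /bin/false"
# rule under modprobe.d plus the module being unloaded. Paths are parameters so
# the check can be run against copied files (defaults are the live system).
# Prints: blocked | rule-set-but-loaded | exposed
copyfail_module_status() {
    conf_dir="${1:-/etc/modprobe.d}"
    modules_file="${2:-/proc/modules}"
    rule=no; loaded=no
    if grep -qsE '^install[[:space:]]+algif_aead[[:space:]]+/bin/false' "$conf_dir"/*.conf; then
        rule=yes
    fi
    if grep -qs '^algif_aead ' "$modules_file"; then loaded=yes; fi
    if [ "$rule" = yes ] && [ "$loaded" = no ]; then echo blocked
    elif [ "$rule" = yes ]; then echo rule-set-but-loaded   # rmmod algif_aead still needed
    else echo exposed                                       # AF_ALG can autoload the module
    fi
}

echo "kernel $(uname -r): $(copyfail_kernel_status "$(uname -r)")"
echo "algif_aead mitigation: $(copyfail_module_status)"
```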

Indicators of Compromise

  • cve — CVE-2026-31431

Entities

  • Linux (vendor)
  • Theori (vendor)
  • Xint Code (product)
  • Ubuntu 24.04 LTS (product)
  • Amazon Linux 2023 (product)
  • RHEL 10.1 (product)