
New Linux ‘Copy Fail’ flaw gives hackers root on major distros


Phong Xuan

An exploit has been published for a local privilege escalation vulnerability dubbed “Copy Fail” that impacts Linux kernels released since 2017, allowing an unprivileged local attacker to gain root permissions.

The vulnerability is tracked as CVE-2026-31431 and was discovered by the offensive security company Theori, using its AI-driven pentesting platform Xint Code after scanning the Linux crypto/ subsystem for about an hour.

Theori reported the finding to the Linux kernel security team on March 23, and patches became available within a week. Technical details and a proof-of-concept exploit for the flaw emerged publicly yesterday.

Although the cybersecurity company developed and tested a "100% reliable" Python-based exploit for four Linux distributions (Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16), the researchers say that the 732-byte "script roots every Linux distribution shipped since 2017."

Copy Fail root cause

In a , the researchers say that the Copy Fail (CVE-2026-31431) issue "is a logic bug in the Linux kernel's authencesn cryptographic template" that allows an authenticated user to reliably perform a "4-byte write into the page cache of any readable file on the system."

By combining the ‘AF_ALG’ socket-based interface, which gives access to the Linux kernel crypto functions from user space, and the splice() system call, an unprivileged user can make a 4-byte controlled write in the page cache of a file, instead of a normal buffer.

If those 4 bytes hit a setuid-root binary, they can alter its behavior when executed, giving the attacker root privileges.

The flaw was introduced in 2017, when the Linux kernel team added an “in-place” optimization to the crypto path, meaning it began reusing the same buffer rather than keeping input and output strictly separate.

Impact and fixes

Theori's PoC is a consistently effective 732-byte exploit that gives root on every major Linux distribution running a vulnerable Linux kernel version, the researchers say.

They demonstrated and confirmed the exploit on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16:

[Figure: Getting a root shell on four Linux distributions. Source: Xint Code]

Copy Fail is characterized as being closer to the ‘Dirty Pipe’ vulnerability than to typical local privilege escalation flaws: it is more reliable (claimed 100% success) and more broadly exploitable than most bugs in this class. Even when compared to Dirty Pipe, Copy Fail is deemed more practical.

“Copy Fail is more portable. One script, every distro, no offsets. Dirty Pipe needed kernel ≥ 5.8 with specific patches; Copy Fail covers the entire 2017–2026 window,” Theori researchers note.

The flaw was fixed upstream on April 1st by reverting the problematic “in-place” crypto behavior introduced in Linux kernel version 4.14 in 2017. The fixes were made available in .

According to the researchers, major Linux distributions are already pushing the fix via kernel updates. However, Tharros' principal vulnerability analyst, Will Dormann, notes that there are no "official updates for CVE-2026-31431."

"Fedora 42 and newer have updates, but no official advisory or acknowledgement of CVE-2026-31431," .

As an interim mitigation for those who haven’t received the updates yet, the researchers recommend disabling the vulnerable crypto interface, which would block AF_ALG socket creation, or disabling the algif_aead module:

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead
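A defender-side check, added here as an example and not taken from the article or from Theori's tooling, that verifies whether the interim mitigation above is actually in effect on a host. It reads /proc/modules and the /etc/modprobe.d fragments (both paths are parameters so it can also be run against captured copies) and distinguishes a module that is merely unloaded, which the kernel autoloads again the next time an AF_ALG socket of type "aead" is bound, from one that modprobe has been told to refuse.

```shell
#!/bin/sh
# Added example (not from the article or Theori): verify the interim
# Copy Fail (CVE-2026-31431) mitigation on a host.
#   check 1: algif_aead is not loaded (listing in /proc/modules format)
#   check 2: modprobe is configured to refuse it ("install algif_aead /bin/false")
# Check 1 alone is weak: binding an AF_ALG socket of type "aead" makes the
# kernel request the module, so an unblocked module can come back on demand.
# Caveat: if algif_aead is built into the kernel (CONFIG_CRYPTO_USER_API_AEAD=y)
# there is no module to unload and this check cannot see the exposure.

# 0 if algif_aead is absent from a /proc/modules-style listing.
algif_aead_unloaded() {
    modules_file="${1:-/proc/modules}"
    ! grep -q '^algif_aead ' "$modules_file" 2>/dev/null
}

# 0 if some *.conf in the modprobe.d directory maps algif_aead to /bin/false.
algif_aead_blocked() {
    confdir="${1:-/etc/modprobe.d}"
    grep -qsE '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/false' \
        "$confdir"/*.conf
}

# Prints one of: mitigated | unloaded-but-not-blocked | vulnerable-module-loaded
# A loaded module is reported as vulnerable even if a modprobe rule exists,
# because the rule only affects future loads, not the module already in memory.
copy_fail_mitigation_status() {
    modules_file="${1:-/proc/modules}"
    confdir="${2:-/etc/modprobe.d}"
    if algif_aead_unloaded "$modules_file"; then
        if algif_aead_blocked "$confdir"; then
            echo "mitigated"
        else
            echo "unloaded-but-not-blocked"
        fi
    else
        echo "vulnerable-module-loaded"
    fi
}

# Run against the live host: sh copyfail-check.sh --run
if [ "${1:-}" = "--run" ]; then
    copy_fail_mitigation_status
fi
```

The script only reports; it does not change module state, so it is safe to run from configuration-audit tooling across a fleet before and after the kernel update lands.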

Theori researchers suggest treating multi-tenant Linux hosts, Kubernetes/container clusters, CI runners/build farms, and cloud SaaS running user code as a priority in the patching effort.
