- Experts Reveal CopyFail Affecting Linux Distributions
- All Linux kernels released after 2017 are vulnerable
- Users urged to patch now or risk account takeover
Security experts have warned of a major new vulnerability affecting Linux kernels, urging users to apply patches and upgrades without delay.
The critical privilege escalation flaw, discovered by Theori experts and dubbed “Copy Fail,” can grant root privileges on all major Linux distributions, with containerized environments particularly vulnerable.
All Linux kernels released after 2017 are vulnerable to this issue, which could allow an unprivileged local attacker to gain root permissions – but fixes are now available to allow users to secure their systems.
Update now
Tracked as CVE-2026-31431, the vulnerability is “a straight-line logic flaw,” requiring no race conditions or kernel-specific compensation; the exploit is just 732 bytes of Python code and roots Ubuntu, Amazon Linux, RHEL, and SUSE.
Theori added that the problem “is a logical bug in the Linux kernel authentication cryptographic model,” meaning an authenticated user can reliably perform “a 4-byte write to the page cache of any file readable on the system.”
BleepingComputer notes that by combining the AF_ALG socket-based interface, which provides access to the Linux kernel’s cryptographic functions from user space, with the splice() system call, an unprivileged user can perform a controlled 4-byte write to a file’s page cache instead of a normal buffer. If those 4 bytes land in a setuid-root binary, they can change its behavior when executed, giving the attacker root privileges.
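For defenders, the AF_ALG step described above is visible to auditd. The following is an added example, not code from Theori or from the original article: it scans auditd SYSCALL records for successful socket() calls that create an AF_ALG socket under a non-root uid. It assumes an audit rule already logs socket() calls; the log lines are constructed samples, and a hit is a triage lead rather than proof, since legitimate programs also use AF_ALG.

```python
import re

AF_ALG = 38  # address family of the kernel crypto API socket interface
# socket(2) syscall number keyed by audit arch value: x86_64, aarch64
SOCKET_SYSCALL = {"c000003e": "41", "c00000b7": "198"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one auditd record into a dict of key -> value, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def is_af_alg_socket(rec):
    """True for a successful socket() call whose first argument is AF_ALG."""
    if rec.get("type") != "SYSCALL" or rec.get("success") != "yes":
        return False
    expected = SOCKET_SYSCALL.get(rec.get("arch"))
    if expected is None or expected != rec.get("syscall"):
        return False
    try:
        return int(rec.get("a0", ""), 16) == AF_ALG  # auditd logs args in hex
    except ValueError:
        return False

def af_alg_by_unprivileged(lines):
    """Return (uid, pid, exe) for AF_ALG sockets opened by non-root users."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if is_af_alg_socket(rec) and rec.get("uid") != "0":
            hits.append((rec.get("uid"), rec.get("pid"), rec.get("exe")))
    return hits

# Constructed sample records (not taken from a real host)
SAMPLE = [
    'type=SYSCALL msg=audit(1774300000.101:901): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=80005 a2=0 pid=2101 auid=1000 uid=1000 comm="python3" exe="/usr/bin/python3.12" key="af_alg"',
    'type=SYSCALL msg=audit(1774300001.202:902): arch=c000003e syscall=41 success=yes exit=4 a0=26 a1=80005 a2=0 pid=2200 auid=0 uid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="af_alg"',
    'type=SYSCALL msg=audit(1774300002.303:903): arch=c000003e syscall=41 success=yes exit=5 a0=2 a1=1 a2=6 pid=2300 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="af_alg"',
    'type=SYSCALL msg=audit(1774300003.404:904): arch=c00000b7 syscall=198 success=yes exit=3 a0=26 a1=80005 a2=0 pid=3301 auid=1001 uid=1001 comm="python3" exe="/usr/bin/python3.11" key="af_alg"',
    'type=CWD msg=audit(1774300003.404:904): cwd="/home/alice"',
]

if __name__ == "__main__":
    for uid, pid, exe in af_alg_by_unprivileged(SAMPLE):
        print(f"AF_ALG socket by uid={uid} pid={pid} exe={exe}")
```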
Theori says it found the flaw using Xint Code, its AI-powered penetration testing platform, which had been tasked with analyzing Linux crypto/ subsystem issues.
“Same script, four distributions, four root shells – in one take. The same exploit binary works without modification on every Linux distribution,” Theori’s blog post explains.
Theori says it reported its findings to the Linux kernel security team on March 23, 2026, and the patches became available within a week. It also created a proof-of-concept exploit for the flaw, which it says is “100% reliable” on the major Linux distributions listed above.
“Copy Fail is not the story of a single bug or a team’s tools. This is a data point that the cost of finding deep logic flaws may have decreased by an order of magnitude,” noted David Brumley, Director of AI and Chief Scientist at Bugcrowd.
“If your threat model still considers kernel LPEs rare, you probably have weeks to update it, not years.”




