Copy Fail Linux Flaw Lets Unprivileged Users Gain Root Access via 732-Byte Python Script

The high-severity vulnerability, present in all major distributions since 2017, exploits a logic error in the kernel's crypto subsystem to corrupt the page cache of setuid binaries.

Credit · The Hacker News

Key facts

  • CVE-2026-31431 carries a CVSS score of 7.8.
  • The flaw was introduced in a Linux kernel commit in August 2017.
  • Exploitation requires only a 732-byte Python script.
  • The vulnerability affects Amazon Linux, RHEL, SUSE, Ubuntu, and others.
  • Patches have been released in kernel versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254.
  • The exploit does not require a race condition or kernel offset.
  • Copy Fail is similar to Dirty Pipe (CVE-2022-0847) but in a different subsystem.

A Logic Flaw in the Kernel's Crypto Subsystem

Cybersecurity researchers have disclosed a local privilege escalation vulnerability in the Linux kernel that allows an unprivileged user to gain root access. Tracked as CVE-2026-31431 and dubbed Copy Fail, the flaw has a CVSS score of 7.8 and was introduced in a source code commit made in August 2017. The vulnerability resides in the kernel's cryptographic subsystem, specifically within the algif_aead module. At its core is a logic flaw in the authencesn Authenticated Encryption with Associated Data (AEAD) template, which IPsec uses for Extended Sequence Number (ESN) support. The bug allows an unprivileged local user to write four controlled bytes into the page cache of any readable file on a Linux system, and from there escalate privileges to root.

Exploitation: A Single Script for All Distributions

Successful exploitation can be achieved with a simple 732-byte Python script that works across essentially all Linux distributions shipped since 2017, including Amazon Linux, RHEL, SUSE, and Ubuntu. The script opens an AF_ALG socket, binds to authencesn(hmac(sha256),cbc(aes)), constructs a shellcode payload, triggers a write operation to the kernel's cached copy of "/usr/bin/su", and then calls execve("/usr/bin/su") to load the injected shellcode and run it as root. What makes Copy Fail particularly dangerous is that it can be reliably triggered without any race condition or kernel offset. "Reliability isn't probabilistic, and the same script works across distributions," researchers from Bugcrowd wrote. The exploit does not require modification for different kernel versions or distributions.

Impact on Multi-Tenant and Containerized Environments

The vulnerability poses a high risk for multi-tenant Linux environments, as well as for shared-kernel containers and CI runners executing untrusted code. Because the page cache is shared across all processes on a system, the flaw can be exploited to break out of containers based on Kubernetes or other frameworks, and to create malicious pull requests that pipe the exploit code through CI/CD workflows. "An attacker who already has some way to run code on the machine, even as the most boring unprivileged user, can promote themselves to root," researcher Jorijn Schrijvershof wrote. "From there they can read every file, install backdoors, watch every process, and pivot to other systems." All changes are made directly in memory, leaving the file on disk unmodified, which makes detection more difficult.

Disclosure and Patch Gap

Theori privately disclosed the vulnerability to the Linux kernel security team five weeks before releasing the exploit code publicly on Wednesday evening. The kernel team patched the flaw in versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254, but few Linux distributions had incorporated those fixes at the time of the public disclosure. This has created a situation described as a "zero-day patch gap." Will Dormann, a senior principal vulnerability analyst at Tharros Labs, criticized the coordination: "The org doing the disclosure… did an absolutely terrible job of vulnerability coordination. What is mind boggling to me is that in their writeup they both: A) list 4 affected vendors, and B) tell readers to apply vendor patches. But before firing away with the publication, they didn’t bother to see if ANY of the vendors that they list ACTUALLY HAVE PATCHES. (None do)." Distributions known to have patched the vulnerability include Arch Linux and Red Hat's Fedora, while others had only released mitigation guidance at the time of reporting.

Comparison to Dirty Pipe and Dirty Cow

Copy Fail belongs to the same class of page cache corruption vulnerabilities as Dirty Pipe (CVE-2022-0847) and Dirty Cow (CVE-2016-5195). However, it differs in its mechanism: Dirty Pipe abused pipe buffer flags, while Dirty Cow exploited a race condition in the copy-on-write path. Copy Fail, by contrast, stems from a "straight-line" logic flaw in the kernel's crypto API. "Copy Fail is the same class of primitive, in a different subsystem," said David Brumley of Bugcrowd. "The 2017 in-place optimization in algif_aead allows a page-cache page to end up in the kernel’s writable destination scatterlist for an AEAD operation submitted over an AF_ALG socket. An unprivileged process can then drive splice into that socket and complete a small, targeted write into the page cache of a file it doesn't own." Both Dirty Pipe and Dirty Cow were actively exploited in the wild.

Remediation and Outlook

Organizations are advised to update their Linux distributions to a fixed version as soon as possible, especially in environments running untrusted workloads. The patches for Copy Fail remove the optimization introduced in 2017, reverting to out-of-place operation and eliminating the mechanism that linked page cache pages into the writable destination scatterlist. Security experts have described Copy Fail as one of the "worst make-me-root vulnerabilities in the kernel in recent times." With the exploit code publicly available and many systems still unpatched, the window for potential attacks is wide open. System administrators should prioritize patching and monitor for signs of exploitation, particularly in multi-tenant and containerized environments.
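As an added example (not part of the article or of any vendor tooling), the following script compares a running kernel's release string against the upstream fixed releases listed above, branch by branch. It assumes an upstream-style version string; a distribution kernel that backports the fix without bumping the upstream version (the RHEL and Ubuntu cases behind the patch gap) lands in the "unknown" bucket, where the vendor advisory, not the version number, is the authority.

```python
"""Check a kernel release string against the Copy Fail (CVE-2026-31431) fixed releases."""
import platform
import re

# Upstream releases carrying the fix, as listed in the article. The first entry
# is mainline; every later entry is the fix on one long-term/stable branch.
FIXED_RELEASES = ("7.0", "6.19.12", "6.18.12", "6.12.85",
                  "6.6.137", "6.1.170", "5.15.204", "5.10.254")


def parse_version(release):
    """Turn '6.12.84-generic' into (6, 12, 84); a missing patch field reads as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def fixed_release_for_branch(version):
    """Return the parsed fixed release on the same major.minor branch, or None."""
    for rel in FIXED_RELEASES:
        fixed = parse_version(rel)
        if fixed[:2] == version[:2]:
            return fixed
    return None


def assess(release):
    """Classify a release string as 'fixed', 'vulnerable' or 'unknown'.

    'unknown' means the branch is not in the upstream list: typically a vendor
    kernel (e.g. a 5.14.0-*.el9 or 6.8.0-*-generic string) whose fix status is
    only knowable from the distribution's own advisory.
    """
    version = parse_version(release)
    mainline_fixed = parse_version(FIXED_RELEASES[0])
    if version >= mainline_fixed:          # 7.0 and anything newer carries the fix
        return "fixed"
    fixed = fixed_release_for_branch(version)
    if fixed is None:
        return "unknown"
    return "fixed" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    running = platform.release()
    print(f"{running}: {assess(running)}")
```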

The bottom line

  • CVE-2026-31431 (Copy Fail) is a high-severity Linux kernel flaw that allows unprivileged users to gain root access via a 732-byte Python script.
  • The vulnerability affects all major Linux distributions shipped since August 2017, including Amazon Linux, RHEL, SUSE, and Ubuntu.
  • Exploitation does not require a race condition or kernel offset, making it reliably exploitable across different kernel versions and distributions.
  • The flaw poses significant risks to multi-tenant servers, Kubernetes containers, and CI/CD pipelines due to shared page cache.
  • Patches have been released in upstream kernel versions, but many distributions had not yet applied them at the time of public disclosure, creating a zero-day patch gap.
  • Organizations should urgently update their Linux systems and apply vendor patches to mitigate the risk of compromise.