CopyFail Linux Flaw Grants Root Access Across All Major Distributions; Patches Lag Behind Exploit Release

A 732-byte Python script exploits a logic flaw in the kernel's crypto API, reliably elevating unprivileged users to root on systems dating back to 2017.

Credit · Ars Technica

Key facts

  • CVE-2026-31431 (CVSS 7.8) affects all major Linux distributions since a 2017 kernel commit.
  • Theori and Xint.io publicly released exploit code on Wednesday evening after a five-week private disclosure.
  • The exploit is a single Python script (732 bytes) that works unmodified on Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6, Debian 12, and others.
  • The vulnerability stems from a logic flaw in the authencesn AEAD template within the algif_aead module.
  • Only Arch Linux and Red Hat Fedora had patches available at the time of disclosure; most distributors had not yet incorporated fixes.
  • Will Dormann of Tharros Labs called the disclosure coordination 'absolutely terrible,' noting none of the four listed vendors had patches.
  • CopyFail is the same class of primitive as Dirty Pipe (CVE-2022-0847) and Dirty Cow (CVE-2016-5195), both actively exploited in the wild.
  • The exploit can break out of Kubernetes containers and compromise CI/CD pipelines by corrupting the page cache of setuid binaries.

A Single Script Compromises Decades of Linux Kernels

A critical local privilege escalation vulnerability, tracked as CVE-2026-31431 and dubbed CopyFail, has sent administrators scrambling after researchers released a universal exploit that grants root access on virtually every Linux distribution shipped since August 2017. The flaw, carrying a CVSS score of 7.8, allows an unprivileged local user to write four controlled bytes into the page cache of any readable file — a primitive that can be used to corrupt a setuid binary like /usr/bin/su and execute arbitrary code with full system privileges. The exploit code, a mere 732-byte Python script, was published Wednesday evening by researchers from the security firms Theori and Xint.io. It works reliably across distributions without modification, a stark departure from typical kernel exploits that depend on fragile race conditions or memory corruption. "Reliability isn't probabilistic, and the same script works across distributions," researchers from Bugcrowd noted. "No race window, no kernel offset."

A Logic Flaw in the Kernel's Crypto API

The vulnerability originates in the Linux kernel's cryptographic subsystem, specifically the algif_aead module, which handles authenticated encryption with associated data (AEAD) operations via AF_ALG sockets. A source code commit made in August 2017 introduced an in-place optimization that, under certain conditions, fails to copy data properly. The authencesn AEAD template — used for IPsec extended sequence numbers — "uses the caller's destination buffer as a scratch pad, scribbles 4 bytes past the legitimate output region, and never restores them," Theori explained. This logic flaw means that when an application uses splice to feed a file's page cache as the authentication tag for an AEAD operation, the kernel writes those four bytes directly into the cached copy of the file. Because the page cache is shared across all processes on a system, the attack can also break out of containers, including those managed by Kubernetes, and compromise CI/CD pipelines by injecting malicious code through pull requests.

Disclosure Timeline Sparks Criticism as Patches Lag

Theori and Xint.io privately disclosed the vulnerability to the Linux kernel security team five weeks before the public release. The kernel team patched the flaw in versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254. However, at the time the exploit was made public, few Linux distributions had incorporated those fixes. Only Arch Linux and Red Hat Fedora had patches available; distributions such as Ubuntu, Amazon Linux, SUSE, and Debian had only released mitigation guidance, leaving a dangerous window of exposure. Will Dormann, a senior principal vulnerability analyst at Tharros Labs, criticized the disclosure coordination. "What is mind boggling to me is that in their writeup they both: A) list 4 affected vendors, and B) tell readers to apply vendor patches. But before firing away with the publication, they didn't bother to see if ANY of the vendors that they list ACTUALLY HAVE PATCHES. (None do)," he said. Attempts to reach Theori for comment were unsuccessful.

Mitigation Options for Unpatched Systems

For administrators unable to apply a kernel patch immediately, two mitigation strategies exist. If algif_aead is built as a loadable kernel module, it can be disabled by running: echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf. However, some distributions — including Red Hat Enterprise Linux and Windows Subsystem for Linux 2 (WSL2) — compile the module directly into the kernel core, making this approach ineffective. In those cases, administrators must prevent unprivileged users from opening AF_ALG sockets altogether, using seccomp profiles, AppArmor, or SELinux policies. The exploit's simplicity — a single curl command piping the script directly into Python — underscores the urgency. The proof-of-concept is hosted at copy.fail, and the source code is publicly available. Because the exploit operates entirely in memory, it leaves no disk traces and can evade many security suites.
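Added here as a defender's checklist for the mitigations above (example code, not from the article, Theori, or Xint.io): it compares the running kernel against the fixed releases listed in this article, reports whether algif_aead is built in, currently loaded, or already blocked by the modprobe.d line, and prints a seccomp fragment that denies socket(AF_ALG) for container runtimes that accept Docker-style profiles (AF_ALG is protocol family 38). The version check is only a hint, because distribution kernels backport fixes without changing the version string.

```shell
#!/bin/sh
# Kernel releases the article lists as carrying the fix (stable branch -> first fixed release).
FIXED_VERSIONS="7.0 6.19.12 6.18.12 6.12.85 6.6.137 6.1.170 5.15.204 5.10.254"

# kernel_is_fixed VERSION: 0 = at/above the fixed release for its branch, 1 = below it,
# 2 = branch not in the list (treat as exposed). Distro kernels backport fixes without
# changing the version string, so a 1 here means "check the vendor advisory", not "exploitable".
kernel_is_fixed() {
    ver=${1%%-*}                         # "5.15.0-91-generic" -> "5.15.0"
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0    # "7.0" carries no patch level
    for f in $FIXED_VERSIONS; do
        fmajor=${f%%.*}; frest=${f#*.}; fminor=${frest%%.*}; fpatch=${frest#*.}
        [ "$fpatch" = "$frest" ] && fpatch=0
        if [ "$major" = "$fmajor" ] && [ "$minor" = "$fminor" ]; then
            [ "$patch" -ge "$fpatch" ] && return 0
            return 1
        fi
    done
    return 2
}

# algif_aead_state: prints builtin (modprobe.d cannot help; restrict AF_ALG instead),
# loaded (exposed right now), blocked (the article's modprobe.d line is in place), or absent.
algif_aead_state() {
    rel=$(uname -r)
    if grep -qs 'algif_aead' "/lib/modules/$rel/modules.builtin"; then echo builtin; return; fi
    if [ -d /sys/module/algif_aead ]; then echo loaded; return; fi
    if grep -qs '^install[[:space:]]*algif_aead[[:space:]]*/bin/false' /etc/modprobe.d/*.conf; then
        echo blocked; return
    fi
    echo absent
}

# seccomp_deny_af_alg: Docker/containerd-style seccomp fragment (assumed format) that makes
# socket(AF_ALG, ...) fail with EPERM; merge the rule into the runtime's default profile.
seccomp_deny_af_alg() {
    cat <<'EOF'
{ "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [ { "names": ["socket"], "action": "SCMP_ACT_ERRNO", "errnoRet": 1,
                  "args": [ { "index": 0, "value": 38, "valueTwo": 0, "op": "SCMP_CMP_EQ" } ] } ] }
EOF
}

main() {
    rc=0; kernel_is_fixed "$(uname -r)" || rc=$?
    echo "kernel $(uname -r): $([ "$rc" -eq 0 ] && echo fixed || echo "check vendor advisory (rc=$rc)")"
    echo "algif_aead: $(algif_aead_state)"
}
[ -n "${NO_MAIN:-}" ] || main
```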

CopyFail Echoes Historic Linux Vulnerabilities

CopyFail belongs to the same class of page-cache corruption vulnerabilities as Dirty Pipe (CVE-2022-0847) and Dirty Cow (CVE-2016-5195), both of which were actively exploited in the wild. Dirty Pipe allowed unprivileged users to overwrite data in read-only files, while Dirty Cow exploited a race condition in memory management. CopyFail's advantage is its reliability: it requires no race condition and works across all affected kernels without adjustment. "Copy Fail is the same class of primitive, in a different subsystem," said David Brumley of Bugcrowd. He explained that the 2017 optimization in algif_aead allows a page-cache page to end up in the kernel's writable destination scatterlist for an AEAD operation. "An unprivileged process can then drive splice into that socket and complete a small, targeted write into the page cache of a file it doesn't own." The vulnerability affects not only bare-metal Linux systems but also virtualized environments, including WSL2 on Windows.

The Stakes for Multi-Tenant and Containerized Environments

The most severe implications are for multi-tenant servers, cloud infrastructure, and containerized deployments. An attacker who already has limited code execution on a machine — for example, through a compromised web application or a malicious container — can instantly escalate to root, then pivot to other systems, install backdoors, and exfiltrate data. Kubernetes clusters that share the host kernel are particularly vulnerable, as the page cache is shared across all containers on a node. "Local privilege escalation sounds dry, so let me unpack it," researcher Jorijn Schrijvershof wrote. "It means: an attacker who already has some way to run code on the machine, even as the most boring unprivileged user, can promote themselves to root. From there they can read every file, install backdoors, watch every process, and pivot to other systems." The exploit's ability to corrupt setuid binaries like su makes it a potent weapon for persistence and lateral movement.

A Race Against Time for System Administrators

With the exploit code now public and no patches available from most major distributors, the situation amounts to a zero-day patch gap — a period during which systems are vulnerable despite a fix existing upstream. Linux distributors often backport fixes to older kernel versions, but the short disclosure window left them scrambling. Theori and Xint.io did not indicate whether they contacted distributors directly, and the disclosure deadline appears to have been set without verifying patch availability. One security expert described CopyFail as the "worst make-me-root vulnerability in the kernel in recent times." The coming days will test the resilience of the Linux ecosystem's patch distribution mechanisms. Administrators are urged to apply kernel updates as soon as they become available or implement the recommended mitigations immediately. The vulnerability's simplicity and reliability mean that automated scanning and exploitation are likely already underway.

The bottom line

  • CopyFail (CVE-2026-31431) is a local privilege escalation flaw in the Linux kernel's crypto API, present since August 2017.
  • A single 732-byte Python script reliably grants root access on all major distributions without modification.
  • The exploit works by corrupting the page cache of setuid binaries via AF_ALG sockets and splice.
  • Only Arch Linux and Fedora had patches at disclosure; most distributors lag, creating a zero-day patch gap.
  • Mitigations include disabling the algif_aead module or restricting AF_ALG socket access via seccomp/AppArmor/SELinux.
  • The vulnerability affects multi-tenant servers, Kubernetes containers, CI/CD pipelines, and even Windows WSL2.
  • CopyFail is the same class of primitive as Dirty Pipe and Dirty Cow, both previously exploited in the wild.