CopyFail Linux Flaw Gives Root Access With Single 732-Byte Script

Key facts

• CVE-2026-31431 (CVSS 7.8) affects Linux kernel versions since August 2017.
• Exploit is a 732-byte Python script that works unmodified on Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6, and Debian 12.
• The flaw allows writing four controlled bytes into the page cache of any readable file.
• Theori disclosed the vulnerability on Wednesday, five weeks after private disclosure to the Linux kernel security team.
• Linux kernel patches were released in versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254.
• As of disclosure, no major distribution had incorporated the fixes, creating a zero-day patch gap.
• CopyFail is similar to Dirty Pipe (2022) and Dirty Cow (2016) but requires no race condition and works across distributions.
• The vulnerability can be used to escape Kubernetes containers and compromise CI/CD pipelines.

A Single Script Compromises Every Major Linux Distribution

A critical local privilege escalation vulnerability in the Linux kernel, tracked as CVE-2026-31431 and dubbed CopyFail, has been publicly disclosed with working exploit code that grants root access on virtually all Linux distributions shipped since 2017. The flaw, which carries a CVSS score of 7.8, stems from a logic error in the kernel's cryptographic subsystem, specifically within the authencesn AEAD template used for IPsec extended sequence numbers. The exploit, a 732-byte Python script, can edit a setuid binary and obtain root privileges reliably across distributions including Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6, and Debian 12. Unlike many kernel exploits that depend on race conditions or memory corruption—which often fail across different kernel versions or even on the same machine—CopyFail exploits a straight-line logic flaw, making it deterministic and universally applicable. "No race window, no kernel offset," researchers from Bugcrowd wrote, underscoring the exploit's reliability. The vulnerability allows an unprivileged user to write four controlled bytes into the page cache of any readable file, then execute that file with elevated privileges.

Theori Discloses Flaw Before Distributions Can Patch

The vulnerability was disclosed Wednesday evening by researchers from the security firm Theori, five weeks after they privately reported it to the Linux kernel security team. The kernel team responded by patching the flaw in versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254. However, few Linux distributions had incorporated those fixes by the time the exploit was released, leaving systems exposed. "The org doing the disclosure… did an absolutely terrible job of vulnerability coordination," said Will Dormann, senior principal vulnerability analyst at Tharros Labs. "What is mind boggling to me is that in their writeup they both: A) list 4 affected vendors, and B) tell readers to apply vendor patches. But before firing away with the publication, they didn't bother to see if ANY of the vendors that they list ACTUALLY HAVE PATCHES. (None do)." Attempts to contact Theori representatives for comment were unsuccessful. The disclosure effectively created a zero-day patch gap, where exploit code is available before most distributions have released patches.

How CopyFail Works: A Logic Flaw in the Crypto API

The vulnerability originates from a source code commit made in August 2017 that introduced a logic flaw in the algif_aead module. The authencesn AEAD template, designed for IPsec extended sequence numbers, fails to properly copy data. Instead, it uses the caller's destination buffer as a scratch pad, writing four bytes past the legitimate output region and never restoring them. "The 'copy' of the AAD ESN bytes 'fails' to stay inside the destination buffer," Theori explained. This allows an unprivileged user to corrupt the page cache of a setuid binary. The kernel reads the page cache when loading a binary, so modifying the cached copy effectively alters the binary for execution—without triggering file system defenses like inotify. The exploit involves four steps: opening an AF_ALG socket bound to authencesn(hmac(sha256),cbc(aes)), constructing shellcode, triggering a write operation to the kernel's cached copy of "/usr/bin/su", and calling execve("/usr/bin/su") to run the injected shellcode as root.

Immediate Threats: Multi-Tenant Systems, Containers, and CI/CD

While the vulnerability is not remotely exploitable on its own, it poses severe risks when chained with other attack vectors such as a web remote code execution, malicious CI runner, or SSH compromise. The bug is of most immediate concern to users of multi-tenant Linux systems, shared-kernel containers, and CI runners that execute untrusted code. Because the page cache is shared across all processes on a system, the same primitive enables cross-container attacks. "Copy Fail is the same class of primitive, in a different subsystem," said Bugcrowd's David Brumley. "An unprivileged process can then drive splice into that socket and complete a small, targeted write into the page cache of a file it doesn't own." This makes CopyFail a potential container escape primitive that could affect Kubernetes nodes. An attacker who compromises a single container could leverage the flaw to break out and gain root on the host, then pivot to other systems.

Patches Begin to Arrive, but Many Systems Remain Vulnerable

In response to the disclosure, several Linux distributions have begun shipping patches. Arch Linux and RedHat Fedora are among those known to have patched the vulnerability. Debian, Ubuntu, and SUSE have also issued advisories and patches. However, at the time of writing, many distributions had not yet released fixes, leaving a window of exposure. The vulnerability has been present in the kernel since August 2017, meaning essentially all Linux distributions released in the past eight years are affected unless patched. The exploit's simplicity and reliability amplify the urgency for administrators to apply updates as soon as they become available. "'Local privilege escalation' sounds dry, so let me unpack it," researcher Jorijn Schrijvershof wrote. "It means: an attacker who already has some way to run code on the machine, even as the most boring unprivileged user, can promote themselves to root. From there they can read every file, install backdoors, watch every process, and pivot to other systems."

CopyFail Echoes Dirty Pipe and Dirty Cow, but Is More Dangerous

CopyFail joins a lineage of severe Linux local privilege escalation vulnerabilities that includes Dirty Pipe (CVE-2022-0847) from 2022 and Dirty Cow (CVE-2016-5195) from 2016. Both of those were actively exploited in the wild. However, CopyFail's finders claim it is more broadly applicable because it does not require winning a race condition and works across distributions without modification. "The most recent such Linux vulnerability was Dirty Pipe from 2022 and Dirty Cow in 2016," noted security experts. "Both of those vulnerabilities were actively exploited in the wild." The deterministic nature of CopyFail—stemming from a logic flaw rather than a race condition—makes it particularly dangerous, as attackers can reliably reproduce the exploit. One security expert described CopyFail as the "worst make-me-root vulnerabilities in the kernel in recent times," highlighting the severity of the flaw and the potential for widespread exploitation.

What Comes Next: A Race to Patch Before Exploitation

With exploit code publicly available and patches not yet universally deployed, the coming days are critical for system administrators. The vulnerability affects virtually all Linux distributions, including Amazon Linux, RHEL, SUSE, Ubuntu, and Debian. Organizations running multi-tenant servers, Kubernetes clusters, or CI/CD pipelines should prioritize patching. The Linux kernel security team has provided fixes, but the onus is now on distribution maintainers to backport and ship those patches. The disclosure timeline has drawn criticism from vulnerability analysts, who argue that Theori should have coordinated with distributors before releasing exploit code. As defenders scramble to mitigate the threat, the CopyFail vulnerability serves as a stark reminder of the risks inherent in the patch gap—the window between a fix being available and it being deployed. For now, the security community watches closely to see whether CopyFail will follow Dirty Pipe and Dirty Cow into active exploitation.

The bottom line

• CopyFail (CVE-2026-31431) is a local privilege escalation flaw in the Linux kernel's crypto API, present since August 2017.
• A single 732-byte Python script can reliably gain root on all major Linux distributions without modification.
• The vulnerability allows writing four controlled bytes into the page cache of any readable file, enabling privilege escalation.
• Exploit code was released before most distributions had patches, creating a zero-day patch gap.
• CopyFail poses immediate risks to multi-tenant systems, Kubernetes containers, and CI/CD pipelines.
• Patches are available from Arch Linux and Fedora; other distributions are rolling out fixes urgently.