Copy Fail: New Linux Kernel Bug Allows Root Access via 732-Byte Exploit
Severity: High (Score: 72.0)
Sources: Xint, The Register, security-tracker.debian.org, ubuntu.com, Reddit
Summary
A newly discovered Linux kernel vulnerability, Copy Fail (CVE-2026-31431), enables unprivileged local users to gain root access using a simple 732-byte Python script. The exploit targets the Linux kernel's authencesn cryptographic template, allowing a deterministic write into the page cache of any readable file. The attack is stealthy: it modifies the in-memory page cache without altering the on-disk file, so it evades standard integrity checks. It affects all major Linux distributions released since 2017, including Ubuntu, RHEL, and SUSE. The exploit is particularly concerning because it can cross container boundaries, making it a potential Kubernetes node compromise vector. The vulnerability was published on April 22, 2026, and security experts are urging immediate patching to mitigate risks. This finding was aided by AI and initiated by researcher Taeyang Lee from Theori. A second part of the report will address its implications for container security.
Key Points
- Copy Fail (CVE-2026-31431) allows local users to gain root access with a 732-byte script.
- The exploit modifies the page cache without changing the on-disk file, evading integrity checks.
- It affects all major Linux distributions since 2017 and can cross container boundaries.
Key Entities
- Zero-day Exploit (attack_type)
- CVE-2016-5195 (cve)
- CVE-2022-0847 (cve)
- CVE-2026-31431 (cve)
- CWE-269 - Improper Privilege Management (cwe)
- CWE-787 - Out-of-bounds Write (cwe)
- T1059.006 - Python (mitre_attack)
- T1068 - Exploitation for Privilege Escalation (mitre_attack)
- Amazon Linux (platform)
- Kubernetes (platform)
- Linux (platform)
- RHEL (platform)
- SUSE (company)
- Ubuntu (company)
- Python (tool)
- Copy Fail (vulnerability)
- Dirty COW (vulnerability)
- Dirty Pipe (vulnerability)