Critical Linux Vulnerability 'Copy Fail' Grants Root Access Across Major Distros

Critical Linux Vulnerability 'Copy Fail' Grants Root Access Across Major Distros

First seen 30 Apr 2026, 03:07 UTC News.YcombinatorXintRedditTheregisterCybersecuritynews+117 86% similarity 72.9

Article Content

Browse articles
ThreatCluster

A newly disclosed vulnerability in the Linux kernel, tracked as CVE-2026-31431 and named 'Copy Fail', allows unprivileged local users to gain root access on virtually all major Linux distributions released since 2017. The exploit, which is a 732-byte Python script, modifies the page cache of any readable file without altering the on-disk version, making it stealthy and difficult to detect. Discovered by Theori researcher Taeyang Lee using AI-assisted tools, the flaw stems from a logic error in the kernel's cryptographic subsystem, specifically within the algif_aead module. Patches were made available on April 1, 2026, following the initial disclosure on March 23, 2026, with public proof-of-concept released on April 30, 2026. The vulnerability poses a significant risk, especially in multi-tenant environments like cloud services and Kubernetes, where it can enable container escapes. Security teams are urged to apply patches immediately to mitigate risks associated with this critical flaw.

Key Points: • CVE-2026-31431 allows local users to gain root access on Linux systems since 2017. • The exploit is a 732-byte Python script that modifies the page cache without altering the disk file. • Patches are available, and immediate updates are recommended for affected distributions.

ThreatCluster AI

Timeline

2016-10-21
First public exploit for CVE-2016-5195 released
2022-03-07
CVE-2022-0847 published
2026-03-23
Vulnerability reported to Linux kernel security team
2026-04-01
Mainline patch committed to fix the vulnerability
2026-04-22
CVE-2026-31431 assigned
2026-04-30
Public proof-of-concept exploit released

Community

Browse all →