Back

Critical Linux Vulnerability 'Copy Fail' Grants Root Access Across Major Distros

Severity: High (Score: 72.9)

Sources: www.sentinelone.com, Reddit, News.Ycombinator, Gbhackers, Xint

Summary

A newly disclosed vulnerability in the Linux kernel, tracked as CVE-2026-31431 and named 'Copy Fail', allows unprivileged local users to gain root access on virtually all major Linux distributions released since 2017. The exploit, which is a 732-byte Python script, modifies the page cache of any readable file without altering the on-disk version, making it stealthy and difficult to detect. Discovered by Theori researcher Taeyang Lee using AI-assisted tools, the flaw stems from a logic error in the kernel's cryptographic subsystem, specifically within the algif_aead module. Patches were made available on April 1, 2026, following the initial disclosure on March 23, 2026, with public proof-of-concept released on April 30, 2026. The vulnerability poses a significant risk, especially in multi-tenant environments like cloud services and Kubernetes, where it can enable container escapes. Security teams are urged to apply patches immediately to mitigate risks associated with this critical flaw. Key Points: • CVE-2026-31431 allows local users to gain root access on Linux systems since 2017. • The exploit is a 732-byte Python script that modifies the page cache without altering the disk file. • Patches are available, and immediate updates are recommended for affected distributions.

Key Entities

  • Privilege Escalation (attack_type)
  • Zero-day Exploit (attack_type)
  • Internet Bug Bounty (ibb) Program (company)
  • Microsoft (company)
  • Theori (company)
  • Trend Micro (company)
  • Debian (company)
  • India (country)
  • CVE-2016-5195 (cve)
  • CVE-2022-0847 (cve)
  • CVE-2026-31431 (cve)
  • CWE-120 - Classic Buffer Overflow (cwe)
  • CWE-269 - Improper Privilege Management (cwe)
  • Cwe-787 - Out-of-bounds Write (cwe)
  • bwautoworld.com (domain)
  • T1059.006 - Python (mitre_attack)
  • T1068 - Exploitation for Privilege Escalation (mitre_attack)
  • Alma (platform)
  • Amazon Linux (platform)
  • Amazon Linux 2023 (platform)
  • Arch (platform)
  • Kubernetes (platform)
  • Docker (tool)
  • Copy_fail_exp.py (tool)
  • GitHub Actions (tool)
  • Python (tool)
  • Xint Code (tool)
  • Copy Fail (vulnerability)
  • CopyFail (vulnerability)
  • Dirty Cow (vulnerability)
  • Dirty Pipe (vulnerability)
  • Pack2TheRoot (vulnerability)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed