New 'Copy Fail' Flaw In Linux Kernel Lets Any Local User Seize Root Access: Here's How To Fix It


A high-severity Linux kernel flaw dubbed ‘Copy Fail’ allows unprivileged users to gain root access across major distributions. The bug, present since 2017, exploits a cryptographic subsystem issue to overwrite cached files. Researchers warn the exploit is reliable and works across systems, prompting urgent patch advisories from vendors.

FPJ Web Desk | Updated: Friday, May 01, 2026, 01:31 PM IST

A high-severity vulnerability lurking in the Linux kernel since 2017 has been publicly disclosed, and it allows an unprivileged local user to gain full root access on virtually every major Linux distribution. Researchers have named the flaw 'Copy Fail', and it is drawing immediate comparisons to some of the most notorious Linux security bugs in recent memory.

What is the vulnerability?

Tracked as CVE-2026-31431 with a CVSS score of 7.8, Copy Fail was uncovered and named by researchers at Xint.io and Theori. The flaw allows an unprivileged local user to write four controlled bytes into the page cache of any readable file on a Linux system, which can then be leveraged to obtain root privileges.

At its core, the bug stems from a logic flaw in the Linux kernel's cryptographic subsystem, specifically within the 'algif_aead' module, introduced via a source code commit made in August 2017.

How the attack works

Successful exploitation can be achieved with a 732-byte Python script that edits a setuid binary and obtains root on essentially all Linux distributions shipped since 2017, including Amazon Linux, RHEL, SUSE, and Ubuntu. The exploit follows four steps: opening an AF_ALG socket, constructing a shellcode payload, triggering a write operation to the kernel's cached copy of `/usr/bin/su`, and then calling execve to load the injected shellcode and run it as root.

While the vulnerability is not remotely exploitable on its own, a local unprivileged user can gain root by corrupting the page cache of a setuid binary. The same technique also has cross-container implications, since the page cache is shared across all processes on a system.
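The one observable the attack path described above always produces is an AF_ALG socket opened by an unprivileged process, which the Linux audit subsystem can record. The following detector is an added example, not code from the article or from the Xint.io and Theori researchers. It assumes an audit rule that logs socket(2) calls (for instance `auditctl -a always,exit -F arch=b64 -S socket -k socket`) and parses the resulting SYSCALL records; the syscall numbers and arch values for x86_64 and aarch64 are kernel constants, and the log lines at the bottom are constructed sample data.

```python
"""Detect AF_ALG socket creation in Linux audit logs.

Added example, not from the article or the researchers. Assumes an audit rule
that records socket(2) calls, e.g.
    auditctl -a always,exit -F arch=b64 -S socket -k socket
and parses the SYSCALL records it produces. Sample log lines are constructed.
"""
import re
from dataclasses import dataclass

# Kernel constant: AF_ALG is address family 38. Audit writes syscall arguments
# as bare hexadecimal, so an AF_ALG socket shows up as a0=26.
AF_ALG = 38

# socket(2) syscall number keyed by the audit 'arch' field (x86_64, aarch64).
SOCKET_SYSCALL_BY_ARCH = {"c000003e": 41, "c00000b7": 198}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r"audit\(([\d.]+):")


@dataclass
class AfAlgEvent:
    timestamp: str
    uid: int
    auid: int
    pid: int
    comm: str
    exe: str


def parse_fields(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def find_af_alg_sockets(lines):
    """Every SYSCALL record that is socket(2) called with domain AF_ALG."""
    events = []
    for line in lines:
        f = parse_fields(line)
        if f.get("type") != "SYSCALL":
            continue
        syscall_nr = SOCKET_SYSCALL_BY_ARCH.get(f.get("arch", ""))
        if syscall_nr is None or f.get("syscall") != str(syscall_nr):
            continue
        if int(f.get("a0", "0"), 16) != AF_ALG:
            continue
        ts = TS_RE.search(f.get("msg", ""))
        events.append(AfAlgEvent(
            timestamp=ts.group(1) if ts else "",
            uid=int(f.get("uid", -1)),
            auid=int(f.get("auid", -1)),
            pid=int(f.get("pid", -1)),
            comm=f.get("comm", ""),
            exe=f.get("exe", ""),
        ))
    return events


def unprivileged_af_alg(lines):
    """AF_ALG sockets opened by non-root processes: the subset worth alerting on,
    since the Copy Fail path runs as an unprivileged local user. Root users of
    AF_ALG (e.g. disk-encryption tooling) are expected noise."""
    return [e for e in find_af_alg_sockets(lines) if e.uid != 0]


# Constructed sample records: an unprivileged python3 process opening AF_ALG on
# x86_64, an ordinary AF_INET socket, root opening AF_ALG on aarch64, and a
# non-SYSCALL record that must be ignored.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1777600001.101:2001): arch=c000003e syscall=41 success=yes exit=3 '
    'a0=26 a1=5 a2=0 a3=0 items=0 ppid=2310 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 '
    'tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3.12" key="socket"',
    'type=SYSCALL msg=audit(1777600002.202:2002): arch=c000003e syscall=41 success=yes exit=4 '
    'a0=2 a1=1 a2=6 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=1000 gid=1000 euid=1000 '
    'comm="curl" exe="/usr/bin/curl" key="socket"',
    'type=SYSCALL msg=audit(1777600003.303:2003): arch=c00000b7 syscall=198 success=yes exit=3 '
    'a0=26 a1=5 a2=0 a3=0 items=0 ppid=1 pid=777 auid=0 uid=0 gid=0 euid=0 '
    'comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="socket"',
    'type=PROCTITLE msg=audit(1777600001.101:2001): proctitle=707974686F6E33',
]

if __name__ == "__main__":
    for e in unprivileged_af_alg(SAMPLE_LOG):
        print(f"{e.timestamp} uid={e.uid} auid={e.auid} pid={e.pid} "
              f"{e.comm} ({e.exe}) opened an AF_ALG socket")
```

On a real host, feed `ausearch -k socket --raw` output (one record per line) to `unprivileged_af_alg`. An AF_ALG socket from a non-root process is not proof of exploitation, since user-space crypto libraries can legitimately use the interface, but on a fleet that has not yet been patched it is the cheapest high-signal indicator the attack path offers, and the `auid` field ties the event back to the logged-in account even after a `su` or `sudo`.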

Why it is particularly dangerous

What sets Copy Fail apart is that it can be reliably triggered without requiring any race condition or kernel offset, and the same exploit works uniformly across distributions.

Researchers at Xint.io described the flaw's unique combination of traits in stark terms. According to a spokesperson, the vulnerability is portable, tiny, stealthy, and cross-container, a combination that almost never appears together. It allows any user account, regardless of privilege level, to escalate to full administrator access and bypass sandboxing.

What to do now?

Major Linux distributions have responded swiftly to the disclosure by releasing their own security advisories and patches. Amazon Linux, Debian, Red Hat Enterprise Linux, SUSE, and Ubuntu have all published advisories for CVE-2026-31431. Users and administrators running any of these distributions are strongly advised to apply available kernel updates immediately, particularly on multi-user systems or environments where containers share a host kernel.

System administrators should treat this as a priority patch given the reliability and simplicity of the exploit. Applying the latest kernel updates from your distribution vendor is the primary remediation. Organisations running containerized workloads should pay special attention, since the shared page cache means the impact can extend across container boundaries on the same host.
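Two questions an administrator wants answered before the kernel update lands are whether the affected `algif_aead` code is even present on a host, and whether the page-cached copy of `/usr/bin/su` still matches what the package manager installed. The script below is an added example for that triage, not tooling from the article, the researchers or any distribution. It assumes the Debian/Ubuntu dpkg layout (`dpkg -S` naming the owning package, checksums under `/var/lib/dpkg/info/<pkg>.md5sums`); the `/proc/modules` and `modules.builtin` formats are standard kernel output, and the test data is constructed.

```python
"""Host triage for CVE-2026-31431 (Copy Fail).

Added example, not vendor tooling. Reports whether algif_aead is loaded, built
in or absent, and checks that the kernel-served (page-cached) copy of
/usr/bin/su still matches the checksum dpkg recorded at install time. The dpkg
paths and the `dpkg -S` output format are assumptions about Debian/Ubuntu.
"""
import hashlib
import os
import subprocess
import sys

MODULE = "algif_aead"


def parse_proc_modules(text):
    """Loaded module names from /proc/modules (first column of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def parse_modules_builtin(text):
    """Module names from modules.builtin, which lists .ko paths such as
    kernel/crypto/algif_aead.ko; a '-' in a file name is '_' in the module name."""
    names = set()
    for line in text.splitlines():
        base = line.strip().rsplit("/", 1)[-1]
        if base:
            stem = base[:-3] if base.endswith(".ko") else base
            names.add(stem.replace("-", "_"))
    return names


def module_state(proc_modules_text, modules_builtin_text, name=MODULE):
    """'loaded' (can be unloaded if unused), 'builtin' (only a kernel update
    removes the code), or 'absent' (not compiled, or simply not autoloaded yet)."""
    if name in parse_proc_modules(proc_modules_text):
        return "loaded"
    if name in parse_modules_builtin(modules_builtin_text):
        return "builtin"
    return "absent"


def expected_md5(md5sums_text, relpath):
    """Recorded hash for relpath (no leading '/') in a dpkg *.md5sums file."""
    for line in md5sums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1] == relpath:
            return parts[0]
    return None


def digest_of_chunks(chunks):
    """MD5 over an iterable of byte chunks (dpkg records MD5, so we compare MD5)."""
    h = hashlib.md5()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def md5_of_file(path):
    """Hash the file as the kernel serves it. Reads are satisfied from the page
    cache, so a tampered cached page is visible here even though the on-disk
    copy is intact."""
    with open(path, "rb") as f:
        return digest_of_chunks(iter(lambda: f.read(1 << 16), b""))


def cached_binary_matches(md5sums_text, path="/usr/bin/su"):
    """True/False when the path is listed in the md5sums data, None if it is not."""
    want = expected_md5(md5sums_text, path.lstrip("/"))
    if want is None:
        return None
    return md5_of_file(path) == want


def dpkg_md5sums_for(path):
    """Locate the owning package's md5sums file via `dpkg -S` (assumed layout)."""
    out = subprocess.run(["dpkg", "-S", path], capture_output=True,
                         text=True, check=True).stdout
    owner = out.strip().split(": ", 1)[0]  # e.g. "util-linux" or "libc6:amd64"
    return f"/var/lib/dpkg/info/{owner}.md5sums"


if __name__ == "__main__":
    release = os.uname().release
    with open("/proc/modules") as f:
        proc_modules = f.read()
    builtin_path = f"/lib/modules/{release}/modules.builtin"
    builtin = open(builtin_path).read() if os.path.exists(builtin_path) else ""
    print(f"kernel {release}: {MODULE} is {module_state(proc_modules, builtin)}")
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin/su"
    try:
        with open(dpkg_md5sums_for(target)) as f:
            result = cached_binary_matches(f.read(), target)
        verdict = ("matches" if result else
                   "DOES NOT MATCH" if result is False else "is not listed in")
        print(f"{target} {verdict} the dpkg checksum")
    except (FileNotFoundError, subprocess.CalledProcessError):
        print(f"{target}: no dpkg record found (RPM systems: rpm -Vf {target})")
```

Two caveats on reading the result. A matching checksum only says the cached copy is clean at that moment; on an unpatched kernel the window simply reopens, and the reboot that accompanies the kernel update drops the page cache anyway, so the check is for the interval before the update is applied. Reporting `absent` is not the same as safe: the kernel autoloads `algif_aead` on the next AF_ALG "aead" bind unless modprobe is told not to (an `install algif_aead /bin/false` line in a `modprobe.d` file does that), and neither unloading nor blacklisting helps when the state is `builtin`. Treat both as stopgaps for hosts where nothing legitimately uses the AF_ALG AEAD interface, with the vendor kernel update as the actual fix.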