- Experts reveal “CopyFail” flaw affecting Linux distributions
- All Linux kernels released after 2017 are vulnerable
- Users urged to patch now or risk having their account taken over
Security experts have warned of a major new vulnerability affecting Linux kernels, urging users to patch and update without delay.
The critical privilege escalation flaw, discovered by Theori experts and dubbed “Copy Fail,” can grant root privileges on all major Linux distributions, with containerized environments being especially vulnerable.
All Linux kernels released after 2017 are vulnerable to the issue, which could allow an unprivileged local attacker to gain root permissions, but patches are now available for users to protect their systems.
Update now
Registered as CVE-2026-31431, the bug is “a direct logical flaw” that does not require race conditions or kernel-specific offsets. The exploit consists of just 732 bytes of Python code and roots Ubuntu, Amazon Linux, RHEL, and SUSE.
He added that the issue “is a logical bug in the Linux kernel’s cryptographic authentication template,” meaning that an authenticated user can reliably perform a “4-byte write to the page cache of any readable file on the system.”
BleepingComputer notes that combining the AF_ALG socket-based interface, which provides user-space access to the Linux kernel’s cryptographic functions, with the splice() system call lets an unprivileged user perform a controlled 4-byte write to a file’s page cache instead of a normal buffer. If those 4 bytes reach a setuid root binary, they can alter its behavior when it is executed, granting root privileges to the attacker.
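As an added example (not from the article or from Theori), here is a detection heuristic for the combination described above: it scans auditd SYSCALL records for a non-root process that opens an AF_ALG socket and later calls splice(). It assumes x86_64 syscall numbers and that audit rules for both syscalls are already loaded; the function name and the log lines are constructed for illustration.

```python
import re

AF_ALG = 0x26                      # 38: address family of the kernel crypto socket API
SYS_SOCKET, SYS_SPLICE = 41, 275   # x86_64 syscall numbers
ARCH_X86_64 = "c000003e"           # auditd arch value the numbers above apply to
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed audit rules that would produce such records:
#   -a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg
#   -a always,exit -F arch=b64 -S splice -k splice
# Constructed, trimmed SYSCALL records in chronological order (not real captures).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1770000000.101:901): arch=c000003e syscall=41 success=yes exit=3 a0=26 pid=4242 uid=1001 exe="/usr/bin/python3"
type=SYSCALL msg=audit(1770000000.230:902): arch=c000003e syscall=275 success=yes exit=4 a0=5 pid=4242 uid=1001 exe="/usr/bin/python3"
type=SYSCALL msg=audit(1770000001.010:903): arch=c000003e syscall=41 success=yes exit=3 a0=2 pid=5000 uid=1002 exe="/usr/bin/curl"
type=SYSCALL msg=audit(1770000001.020:904): arch=c000003e syscall=275 success=yes exit=512 a0=3 pid=5000 uid=1002 exe="/usr/bin/curl"
type=SYSCALL msg=audit(1770000002.010:905): arch=c000003e syscall=41 success=yes exit=3 a0=26 pid=600 uid=0 exe="/usr/sbin/cryptsetup"
type=SYSCALL msg=audit(1770000002.020:906): arch=c000003e syscall=275 success=yes exit=64 a0=3 pid=600 uid=0 exe="/usr/sbin/cryptsetup"
type=SYSCALL msg=audit(1770000003.010:907): arch=c000003e syscall=41 success=yes exit=3 a0=26 pid=7000 uid=1003 exe="/usr/bin/openssl"
type=SYSCALL msg=audit(1770000004.010:908): arch=c000003e syscall=41 success=no exit=-97 a0=26 pid=8000 uid=1004 exe="/usr/bin/python3"
type=SYSCALL msg=audit(1770000004.020:909): arch=c000003e syscall=275 success=yes exit=4 a0=5 pid=8000 uid=1004 exe="/usr/bin/python3"
"""

def find_af_alg_splice(log_text):
    """Return sorted (pid, uid, exe) for non-root processes that successfully
    opened an AF_ALG socket and later called splice(). PID reuse is ignored."""
    opened, hits = set(), set()
    for line in log_text.splitlines():
        rec = dict(FIELD.findall(line))
        if rec.get("type") != "SYSCALL" or rec.get("success") != "yes":
            continue                      # skip other record types and failed calls
        if rec.get("arch") != ARCH_X86_64:
            continue                      # syscall numbers differ on other arches
        pid, uid, nr = int(rec["pid"]), int(rec["uid"]), int(rec["syscall"])
        if uid == 0:
            continue                      # the flaw concerns unprivileged users
        if nr == SYS_SOCKET and int(rec["a0"], 16) == AF_ALG:   # a0 is logged in hex
            opened.add(pid)
        elif nr == SYS_SPLICE and pid in opened:
            hits.add((pid, uid, rec["exe"].strip('"')))
    return sorted(hits)

if __name__ == "__main__":
    for pid, uid, exe in find_af_alg_splice(SAMPLE_LOG):
        print(f"review: pid={pid} uid={uid} exe={exe} used AF_ALG then splice()")
```

A match is a lead for triage rather than proof of exploitation, since legitimate software can use both interfaces.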
Theori says it found the flaw using Xint Code, its AI-powered pentesting platform, which had been tasked with scanning Linux’s crypto/ subsystem for problems.
“Same script, four distributions, four root shells, in one shot. Same exploit binary works without modification on all Linux distributions,” their blog post explains.
Theori says it reported its finding to the Linux kernel security team on March 23, 2026, and that patches were available within a week. It also created a proof-of-concept exploit for the flaw, which it says is “100% reliable” on the major Linux distributions listed above.
“Copy Fail is not a story about a single bug or a team’s tools. It’s a fact that the cost of finding deep logical flaws may have decreased by something like an order of magnitude,” said David Brumley, Bugcrowd’s chief science and AI officer.
“If your threat model still considers kernel LPEs to be rare, you probably have weeks to update them, not years.”