The Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2026-31431 to its Known Exploited Vulnerabilities (KEV) Catalog following reports of active exploitation in the wild. Dubbed “Copy Fail,” this local privilege escalation vulnerability impacts Linux kernels released since 2017, allowing any unprivileged local user to seize total control of a system as root.
Discovered by offensive security firm Theori using their AI-driven platform, Xint Code, the flaw was uncovered after scanning the Linux crypto subsystem for just one hour. Theori reported the finding on March 23, and while upstream patches were available within a week, the public release of technical details and a “100% reliable” proof-of-concept (PoC) has raised the stakes for administrators globally.
At its core, Copy Fail is a logic bug residing in the kernel’s authencesn cryptographic template. It allows an authenticated user to perform a deterministic 4-byte write directly into the page cache of any readable file on the system.
By abusing the AF_ALG socket-based interface—which exposes kernel crypto functions to user space—alongside the splice() system call, an attacker can redirect a write operation away from a standard buffer and into the memory-cached version of a file. If those 4 bytes hit a setuid-root binary, they can alter its behavior when executed, giving the attacker root privileges.
Researchers have drawn comparisons to the infamous ‘Dirty Pipe’ vulnerability, but they argue that Copy Fail is far more dangerous. While Dirty Pipe was limited to specific kernel versions and required precise offsets, Copy Fail is described as a “straight-line” logic flaw that works universally across distributions without recompilation.
Key Comparison Points:
- Reliability: Theori claims a 100% success rate for their exploit.
- Portability: “One script, every distro, no offsets”.
- Scope: It covers the entire window of Linux history from 2017 to 2026.
- The Payload: The entire exploit is contained in a tiny 732-byte Python script.
The vulnerability was confirmed to work on major distributions including Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16.
The vulnerability was introduced in 2017 with Linux Kernel version 4.14. In an effort to optimize performance, the kernel team implemented an “in-place” optimization for the crypto path. Instead of keeping input and output buffers strictly separate, the system began reusing the same buffer, inadvertently creating the path for unauthorized memory writes.
The upstream fix, released on April 1st, 2026, simply reverts this problematic optimization to ensure buffer separation.
Federal Civilian Executive Branch (FCEB) agencies have been ordered to remediate this flaw by May 15, 2026. Because the page cache is shared across the host, this vulnerability is particularly lethal for virtualized and containerized environments.
Priority Patch Targets:
- Multi-tenant Linux hosts
- Kubernetes and container clusters
- CI runners and build farms
- Cloud SaaS platforms running user-submitted code
If an immediate kernel update is not possible, researchers recommend an interim mitigation by disabling the vulnerable algif_aead module:
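As an added example that is not part of the article or of Theori's published work, the following POSIX shell helper audits the interim mitigation the article describes: it reports whether algif_aead is currently loaded and whether modprobe is configured to refuse it. The function names and the output labels are my own, and file paths are taken as parameters so the checks can run against copied files as well as the live host.

```shell
#!/bin/sh
# Constructed audit helper (added example, not from the article or Theori).
# Reports whether the algif_aead module is loaded and whether modprobe.d
# is configured to refuse loading it.

# Prints "loaded" if algif_aead appears in a /proc/modules-style listing,
# "not-loaded" otherwise (including when the file cannot be read).
algif_aead_loaded() {           # $1 = path to /proc/modules (or a copy)
    grep -q '^algif_aead ' "$1" 2>/dev/null && echo loaded || echo not-loaded
}

# Scans *.conf in a modprobe.d directory and classifies the rule found:
#   install   - "install algif_aead /bin/false": refuses even explicit loads
#   blacklist - "blacklist algif_aead": only affects loading through an
#               alias; an explicit "modprobe algif_aead" still succeeds
#   none      - no rule for algif_aead
algif_aead_modprobe_policy() {  # $1 = modprobe.d directory
    if grep -qsE '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/(false|true)' "$1"/*.conf; then
        echo install
    elif grep -qsE '^[[:space:]]*blacklist[[:space:]]+algif_aead([[:space:]]|$)' "$1"/*.conf; then
        echo blacklist
    else
        echo none
    fi
}

# Combines both checks into one verdict:
#   exposed-loaded     - module is resident; the AF_ALG aead path is reachable
#   mitigated          - not loaded and an install rule blocks reloading
#   weak-blacklist     - not loaded, but only a blacklist line guards it
#   exposed-unloadable - not loaded and nothing prevents loading it later
copyfail_status() {             # $1 = modules listing, $2 = modprobe.d dir
    if [ "$(algif_aead_loaded "$1")" = loaded ]; then
        echo exposed-loaded
        return
    fi
    case "$(algif_aead_modprobe_policy "$2")" in
        install)   echo mitigated ;;
        blacklist) echo weak-blacklist ;;
        *)         echo exposed-unloadable ;;
    esac
}

# Audit the live host: sh copyfail_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    copyfail_status /proc/modules /etc/modprobe.d
fi
```

If the AEAD user-space interface is built into the kernel rather than shipped as a module (it then appears in modules.builtin instead of /proc/modules), it cannot be unloaded and only the kernel update removes the exposure.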