Security researchers have unveiled a critical logic bug in the Linux kernel that allows an unprivileged user to seize complete control of a system with startling ease. Dubbed “Copy Fail” (CVE-2026-31431), the vulnerability exists in the kernel’s authencesn cryptographic template and affects virtually every major Linux distribution shipped since 2017.
The discovery, made by Theori researcher Taeyang Lee with the assistance of Xint Code, highlights a critical failure in how the Linux crypto subsystem handles page-cache-backed data.
At its core, Copy Fail is a logic error that allows a local, unprivileged user to trigger a “deterministic, controlled 4-byte write into the page cache of any readable file on the system”. While 4 bytes may seem insignificant, in the world of binary exploitation, it is more than enough to change the behavior of a system.
The most alarming aspect of this vulnerability is the simplicity of the attack. According to the report, “A single 732-byte Python script can edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017”.
By corrupting the page cache of a setuid binary—a file that runs with root privileges—an attacker can instantly escalate their permissions to the highest level. Because the page cache is shared across the host, this primitive also allows attackers to effortlessly “cross container boundaries,” making it a nightmare for Kubernetes and cloud environments.
Copy Fail is particularly dangerous because it leaves almost no trace for traditional security tools to find. Because the bug manipulates the page cache (the kernel's in-memory copy of a file) rather than the file on disk, the on-disk data remains unchanged.
“The kernel never marks the corrupted page dirty for writeback, so the file on disk remains unchanged and ordinary on-disk checksum comparisons miss the modification,” the report warns.
This means that security software scanning the hard drive for altered system files will report that everything is normal, even as the corrupted version in memory grants an attacker total control of the system.
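The detection gap described above can be closed by reading a file twice, once through the page cache and once with O_DIRECT, which bypasses it and goes to the block device. The following is an added example, not code from the article or from the researchers; it assumes a Linux system, a filesystem that supports O_DIRECT, and that a 4 KiB alignment is acceptable for direct I/O (the usual case for ext4 and XFS). Because the corrupted pages are never marked dirty, a direct read returns the untouched disk copy, so any difference between the two reads is a sign the cached copy has been altered.

```c
// Added example (not from the article): compare the page-cache copy of a file
// with its on-disk copy. Buffered read = page cache; O_DIRECT read = disk.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define DIO_ALIGN 4096  /* assumption: 4 KiB satisfies O_DIRECT alignment here */

/* Result codes returned by compare_cache_vs_disk(). */
enum {
    CACHE_MATCHES_DISK = 1,       /* page cache and disk agree */
    CACHE_DIFFERS_FROM_DISK = 0,  /* in-memory copy has been altered */
    DIRECT_IO_UNSUPPORTED = -1,   /* filesystem refused O_DIRECT (EINVAL) */
    CHECK_ERROR = -2              /* open/read/stat failure */
};

/* Read up to `size` bytes from fd into a freshly allocated, aligned buffer
   (aligned buffers and sizes are required for O_DIRECT). Returns bytes read
   or -1 with errno set. Caller frees *out. */
static ssize_t read_all(int fd, off_t size, unsigned char **out)
{
    size_t cap = ((size_t)size + DIO_ALIGN - 1) / DIO_ALIGN * DIO_ALIGN;
    if (cap == 0) cap = DIO_ALIGN;
    unsigned char *buf = NULL;
    if (posix_memalign((void **)&buf, DIO_ALIGN, cap) != 0) { errno = ENOMEM; return -1; }
    size_t got = 0;
    while (got < (size_t)size) {
        ssize_t n = read(fd, buf + got, cap - got);
        if (n < 0) {
            if (errno == EINTR) continue;
            int e = errno; free(buf); errno = e; return -1;
        }
        if (n == 0) break;  /* EOF: direct reads are truncated to the file size */
        got += (size_t)n;
    }
    *out = buf;
    return (ssize_t)got;
}

int compare_cache_vs_disk(const char *path)
{
    int fd_cached = open(path, O_RDONLY);
    if (fd_cached < 0) return CHECK_ERROR;
    int fd_direct = open(path, O_RDONLY | O_DIRECT);
    if (fd_direct < 0) {
        int e = errno; close(fd_cached);
        return e == EINVAL ? DIRECT_IO_UNSUPPORTED : CHECK_ERROR;
    }
    struct stat st;
    if (fstat(fd_cached, &st) < 0) { close(fd_cached); close(fd_direct); return CHECK_ERROR; }

    unsigned char *cached = NULL, *direct = NULL;
    ssize_t n_cached = read_all(fd_cached, st.st_size, &cached);
    ssize_t n_direct = read_all(fd_direct, st.st_size, &direct);
    int e_direct = errno;  /* some filesystems accept O_DIRECT on open but reject the read */
    close(fd_cached);
    close(fd_direct);

    int result;
    if (n_direct < 0 && e_direct == EINVAL) result = DIRECT_IO_UNSUPPORTED;
    else if (n_cached < 0 || n_direct < 0) result = CHECK_ERROR;
    else if (n_cached != n_direct || memcmp(cached, direct, (size_t)n_cached) != 0)
        result = CACHE_DIFFERS_FROM_DISK;
    else result = CACHE_MATCHES_DISK;
    free(cached);
    free(direct);
    return result;
}

/* Helper used to construct a sample file for the demo; returns 0 on success. */
int write_sample_file(const char *path, const char *content)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t len = strlen(content);
    int ok = fwrite(content, 1, len, f) == len;
    return fclose(f) == 0 && ok ? 0 : -1;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/usr/bin/passwd";  /* typical setuid target to audit */
    switch (compare_cache_vs_disk(path)) {
    case CACHE_MATCHES_DISK:      printf("%s: page cache matches disk\n", path); return 0;
    case CACHE_DIFFERS_FROM_DISK: printf("%s: PAGE CACHE DIFFERS FROM DISK\n", path); return 2;
    case DIRECT_IO_UNSUPPORTED:   printf("%s: O_DIRECT unsupported on this filesystem\n", path); return 3;
    default:                      perror(path); return 1;
    }
}
```

Run it over each setuid binary (for example the output of `find / -perm -4000 -type f`) to audit a host that may have been exposed; on a filesystem without O_DIRECT support (tmpfs, some overlay setups) the check reports that it cannot decide rather than giving a false "clean". A mismatch on a file that nobody is legitimately writing is the signal an on-disk checksum scan cannot produce.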
In a move to ensure rapid patching and transparency, the full technical details of the vulnerability and the proof-of-concept (PoC) exploit code have been publicly disclosed. This disclosure includes the specific logic failure in algif_aead where the kernel failed to separate source and destination mappings, mistakenly operating in-place on protected data.

The fix involves reverting AF_ALG AEAD to “out-of-place operation,” which effectively prevents page cache pages from being included in writable scatterlists.
With the exploit code now in the wild, administrators should prioritize updating their systems immediately.
Remediation Steps:
- Update the Kernel: Major distributions are already shipping fixes through their standard package managers.
- Immediate Mitigation: If you cannot reboot or patch immediately, researchers suggest using seccomp to block the creation of AF_ALG sockets, which are required for the exploit to function.