Copy Fail Exploit Vulnerability
2026-05-04 21:54 | CRITICAL | MEDIUM
Executive Summary (AI-generated)
The "Copy Fail" Linux security vulnerability, tracked as CVE-2026-31431 and discovered by Theori, has been identified as a high-severity root-privilege escalation flaw present in mainstream Linux kernel builds since 2017. Theori's AI-powered penetration testing platform, Xint, discovered the local privilege-escalation bug, and Theori reported it to the Linux kernel security team on March 23. Patches issued by affected distributions had already mitigated the vulnerability before disclosure, but Theori's proof-of-concept exploit has now made it possible for threat actors to root unpatched Linux systems with minimal effort.
Technical Mitigations (AI-generated)
* Theori researchers used AI to discover and initially disclose the vulnerability, which has since been patched by major Linux distributions.
* The proof-of-concept exploit was shared with the Linux kernel security team on March 23, but not publicly disclosed until April 28.
* Researchers have yet to determine how many organizations have been impacted by the flaw due to its broad potential impact and lack of technical details in the initial disclosure.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
* CVE-2022-0847
* CVE-2026-31431
* CVE-2026-41651
Target & Sectors
* Global Scope
Incident Timeline
Between 2017 and the patch
The Copy Fail vulnerability was exploited in mainstream Linux distributions whose kernels were built between 2017 and the patch.
“If your kernel was built between 2017 and the patch — which covers essentially every mainstream Linux distribution — you’re in scope.”
August 2017
Threat actors exploited a previously unknown vulnerability in the Linux operating system that was introduced as part of a source code commit made in August 2017.
March 23
Threat actors exploited a local privilege-escalation vulnerability in the Linux kernel.
Theori’s AI-powered penetration testing platform, Xint, discovered the local privilege-escalation flaw in a Linux kernel module and reported it to the Linux kernel security team March 23.
Theori reported the finding to the Linux kernel security team on March 23, and patches became available within a week.
April 1st
Threat actors exploited a previously unknown Linux vulnerability, CVE-2026-31431.
CVE-2026-31431 was fixed upstream on April 1st by reverting the problematic “in-place” crypto behavior introduced in the Linux kernel version 4.14 in 2017.
2026/04/04
Threat actors exploited a high-severity root-privilege escalation vulnerability in Linux distros, specifically targeting the PackageKit daemon.
Earlier last month, Linux distros patched another high-severity root-privilege escalation vulnerability (tracked as CVE-2026-41651 and dubbed Pack2TheRoot) that had persisted for more than a decade in the PackageKit daemon.
April 29, 2026
Threat actors exploited the CVE-2026-31431 Linux vulnerability.
On April 29, 2026, details about the ‘Copy Fail’ vulnerability (CVE-2026-31431) were publicly disclosed.
2026/04/29
Threat actors used a proof-of-concept exploit to target vulnerable systems.
Apr 30, 2026
Threat actors exploited a known Linux vulnerability to gain unauthorized access.
2026/05/04
Threat actors used the Copy Fail exploit against major Linux distributions including Ubuntu, RHEL, SUSE, and Amazon Linux.
“Copy Fail allows for trivial privilege escalation on most desktop and server Linux distributions.”
This high-severity (CVSS score of 7.8) privilege escalation vulnerability impacts Linux distributions shipped since 2017.
An exploit has been published for a local privilege escalation vulnerability dubbed “Copy Fail” that impacts Linux kernels released since 2017, allowing an unprivileged local attacker to gain root permissions.
They demonstrated and confirmed the Copy Fail exploit on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16:
[Figure: Getting root shell on four Linux distributions. Source: Xint Code]
Copy Fail is characterized as being closer to the ‘Dirty Pipe’ vulnerability than typical local privilege escalation flaws, is more reliable (claimed 100% success), and is more broadly exploitable than most bugs in this class.
Ravie Lakshmanan, Apr 30, 2026 (Linux / Vulnerability)
Cybersecurity researchers have disclosed details of a Linux local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root.
‘Copy Fail’ is a real Linux security crisis wrapped in AI slop.
Attackers are actively exploiting a Linux vulnerability in the wild, and researchers warn that the fallout could be broad — anyone with authenticated local access can leverage it to gain total control of a system.
Theori dubbed the high-severity vulnerability “Copy Fail” with a vanity domain containing AI-generated content, and warned that every mainstream Linux kernel built since 2017 is in scope of potential exploitation resulting in root access.
Major Linux distributions affected by the vulnerability had issued patches prior to Theori’s disclosure, which it published alongside a proof-of-concept exploit.
CISA says ‘Copy Fail’ flaw now exploited to root Linux systems.
CISA has warned that threat actors have started exploiting the "Copy Fail" Linux security vulnerability in the wild, one day after Theori researchers disclosed it and shared a proof-of-concept (PoC) exploit.
Tracked as CVE-2026-31431, this security flaw was found in the Linux kernel's algif_aead cryptographic algorithm interface and enables unprivileged local users to gain root privileges on unpatched Linux systems by writing four controlled bytes to the page cache of any readable file.
Theori researchers disclosed it on Thursday and shared what they described as a "100% reliable" Python-based exploit that can be used to root Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16 devices.
However, they also added that the same script can be used reliably against any Linux distribution shipped since 2017 with a vulnerable kernel version.
"The same exploit binary works unmodified on every Linux distribution," Theori said.
While major Linux distros began pushing the fix via kernel updates, Tharros' principal vulnerability analyst, Will Dormann, noted on Thursday that there were no "official updates" when Theori published its advisory.
Proof-of-concept exploit available for Linux 'Copy Fail' vulnerability (CVE-2026-31431).
It allows an unprivileged local user to obtain root-level access on affected Linux systems by corrupting the kernel’s in-memory page cache of a privileged binary.
Public proof-of-concept (PoC) exploit code has been released, and reports indicate the exploit is reliable across multiple major Linux distributions.
Given the breadth of affected systems and the trivially small exploit, organizations should prioritize patching, particularly for multi-tenant Linux hosts and container platforms.
Recommended actions
Counter Threat Unit™ (CTU) researchers recommend that organizations identify Linux systems running vulnerable kernel versions and apply appropriate vendor-issued kernel updates as soon as possible.
In environments where immediate patching is not feasible, administrators should review temporary mitigations recommended by their Linux distribution vendors and minimize exposure to untrusted local code execution.
In response to the disclosure, Linux distributions have released their own advisories:
Sophos protections
SophosLabs is monitoring this vulnerability and investigating detection and mitigation opportunities associated with exploitation activity.
New Linux ‘Copy Fail’ flaw gives hackers root on major distros.
The vulnerability is tracked as CVE-2026-31431 and was discovered by the offensive security company Theori, using its AI-driven pentesting platform Xint Code after scanning the Linux crypto/ subsystem for about an hour.
Although the cybersecurity company developed and tested a "100% reliable" Python-based exploit for four Linux distributions (Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16), the researchers say that the 732-byte "script roots every Linux distribution shipped since 2017."
Copy Fail root cause
In a detailed write-up, the researchers say that the Copy Fail (CVE-2026-31431) issue "is a logic bug in the Linux kernel's authencesn cryptographic template" that allows an authenticated user to reliably perform a "4-byte write into the page cache of any readable file on the system."
By combining the ‘AF_ALG’ socket-based interface, which gives access to the Linux kernel crypto functions from user space, and the splice() system call, an unprivileged user can make a 4-byte controlled write in the page cache of a file, instead of a normal buffer.
The flaw was introduced in 2017, when the Linux kernel team added an “in-place” optimization to the crypto path, meaning it began reusing the same buffer rather than keeping input and output strictly separate.
Impact and fixes
Theori's PoC is a consistently effective 732-byte exploit that gives root to every major Linux distribution that runs on a vulnerable Linux Kernel version, the researchers say.
According to the researchers, major Linux distributions are already pushing the fix via kernel updates.
As an interim mitigation for those who haven’t received the updates yet, the researchers recommend disabling the vulnerable crypto interface, which would block AF_ALG socket creation, or disabling the algif_aead module:
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead
Theori researchers suggest treating multi-tenant Linux hosts, Kubernetes/container clusters, CI runners/build farms, and cloud SaaS running user code as a priority in the patching effort.
New Linux 'Copy Fail' Vulnerability Enables Root Access on Major Distributions.
"An unprivileged local user can write four controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root," the vulnerability research team at Xint.io and Theori said.
At its core, the vulnerability stems from a logic flaw in the Linux kernel's cryptographic subsystem, specifically within the algif_aead module.
Successful exploitation of the shortcoming could allow a simple 732-byte Python script to edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017, including Amazon Linux, RHEL, SUSE, and Ubuntu.
In response to the disclosure, Linux distributions have released their own advisories.
Copy Fail has its echoes in Dirty Pipe (CVE-2022-0847), another Linux kernel LPE vulnerability that could permit unprivileged users to splice data into the page cache of read-only files and ultimately overwrite sensitive files on the system to achieve code execution.
"It also allows them to bypass sandboxing and works across all Linux versions and distributions."
Copy Fail: New Linux bug enables Root via page-cache corruption.
Linux flaw CVE-2026-31431, ‘Copy Fail,’ lets any local user write four bytes into page cache files, enabling easy escalation to root on major distros.
Xint Code researchers warn of a serious Linux flaw, tracked as CVE-2026-31431 (CVSS score of 7.8), dubbed Copy Fail.
The issue affects major distributions like Ubuntu, RHEL, SUSE, and Amazon Linux, and can even cross container boundaries due to shared page cache.
“Copy Fail (CVE-2026-31431) is a logic bug in the Linux kernel’s authencesn cryptographic template. A single 732-byte Python script can edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017.”
The exploit targets /usr/bin/su, a common setuid-root binary on Linux systems.
The researchers published a demo showing the same 732-byte exploit run on four Linux distributions, where a normal user (uid 1001) consistently gains root access.
Tested systems include Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16, covering kernel versions 6.12 to 6.18, all successfully compromised.
Pierluigi Paganini (SecurityAffairs – hacking, Linux)
The high-severity vulnerability tracked as CVE-2026-31431 (CVSS score: 7.8) has been codenamed Copy Fail by Xint.io and Theori.
It works across major distros and architectures and forms the basis for both local privilege escalation and Kubernetes container escapes.
“It also has implications for containerization including Kubernetes.”
Theori, the company that discovered the bug, leaned heavily on AI to find and initially disclose it.
However, Tharros' principal vulnerability analyst, Will Dormann, notes that there are no "official updates" for CVE-2026-31431.
The Cybersecurity and Infrastructure Security Agency added CVE-2026-31431 to its known exploited vulnerabilities catalog Friday.
The researchers published a PoC to allow defenders to verify their own systems and validate vendor patches.
A 732-byte script can modify a setuid binary in memory, without changing the file on disk, making detection difficult.
If those 4 bytes hit a setuid-root binary, they can alter its behavior when executed, giving the attacker root privileges.
Next, the attacker prepares each 4-byte write.
The AAD carries the exact 4-byte value to inject, while splice() maps page cache pages from the target file into the crypto operation.
The bug combines AF_ALG and splice() to write 4 bytes into the page cache of any readable file.
“It lets an unprivileged local user trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system.”
The authencesn algorithm breaks expectations: it uses the output buffer as scratch space and writes 4 bytes past the allowed boundary.
The kernel reads AAD data, performs the authencesn scratch write, and copies 4 bytes into the page cache of the target binary.
Even when compared to Dirty Pipe, Copy Fail is deemed more practical.
“The attacker would need to have already established a foothold on the target system either through some means of legitimate access or another exploit,” Spencer McIntyre, security researcher at Rapid7, told CyberScoop.
“The exploit is real, there is something to worry about, but understandably, teams now have to do additional validation to know how to parse the extreme AI FUD (fear, uncertainty and doubt) from [Theori’s] blog post,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop.
“Many new PoCs are simply ports of the original AI PoC to a different programming language,” Condon said.
Becker said Theori is aware of the burden defenders confront, and insists the company’s reports contain enough information for organizations to quickly triage and validate its findings.
"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
Sophos analysts are exploring threat hunting opportunities to identify potentially impacted customers and have evaluated whether Sophos products are affected by this issue.
The fixes were made available in versions 6.18.22, 6.19.12, and 7.0.
* Construct the shellcode payload
* Trigger the write operation to the kernel's cached copy of "/usr/bin/su"
* Call execve("/usr/bin/su") to load the injected shellcode and run it as root
While the vulnerability is not remotely exploitable in isolation, a local unprivileged user can get root simply by corrupting the page cache of a setuid binary.
"The 2017 in-place optimization in algif_aead allows a page-cache page to end up in the kernel’s writable destination scatterlist for an AEAD operation submitted over an AF_ALG socket."
"This vulnerability is unique because it has four properties that almost never appear together: it's portable, tiny, stealthy, and cross-container," a Xint.io spokesperson told The Hacker News in a statement.
“Copy Fail exploits a kernel logic flaw where corrupted page-cache data is never marked dirty, leaving disk files unchanged while the in-memory version is silently altered.”
The bug, surfaced through AI-assisted analysis of crypto-subsystem behavior, is portable, tiny, race-free, and stealthy, unlike Dirty Cow or Dirty Pipe.
The HMAC fails, but the corrupted memory remains.
Finally, the attacker runs execve("/usr/bin/su").
“The kernel crypto API (AF_ALG) ships enabled in essentially every mainstream distro’s default config, so the entire 2017 → patch window is in play out of the box.”
May 15
Deadline set by CISA for FCEB agencies to patch the Copy Fail flaw.
[Figure: Getting root shell on four Linux distros (Theori)]
On Friday, CISA added the Copy Fail security flaw to its Known Exploited Vulnerabilities (KEV) Catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to patch their Linux endpoints and servers within two weeks, by May 15, as mandated by Binding Operational Directive (BOD) 22-01.
‘Copy Fail’ is a real Linux security crisis wrapped in AI slop.
“Copy Fail allows for trivial privilege escalation on most desktop and server Linux distributions.”
Attackers are actively exploiting a Linux vulnerability in the wild, and researchers warn that the fallout could be broad — anyone with authenticated local access can leverage it to gain total control of a system.
Theori dubbed the high-severity vulnerability “Copy Fail” with a vanity domain containing AI-generated content, and warned that every mainstream Linux kernel built since 2017 is in scope of potential exploitation resulting in root access.
Theori’s AI-powered penetration testing platform, Xint, discovered the local privilege-escalation flaw in a Linux kernel module and reported it to the Linux kernel security team March 23.
Major Linux distributions affected by the vulnerability had issued patches prior to Theori’s disclosure, which it published alongside a proof-of-concept exploit.
Earlier last month, Linux distros patched another high-severity root-privilege escalation vulnerability (tracked as CVE-2026-41651 and dubbed Pack2TheRoot) that had persisted for more than a decade in the PackageKit daemon.
CISA says ‘Copy Fail’ flaw now exploited to root Linux systems.
CISA has warned that threat actors have started exploiting the "Copy Fail" Linux security vulnerability in the wild, one day after Theori researchers disclosed it and shared a proof-of-concept (PoC) exploit.
Tracked as CVE-2026-31431, this security flaw was found in the Linux kernel's algif_aead cryptographic algorithm interface and enables unprivileged local users to gain root privileges on unpatched Linux systems by writing four controlled bytes to the page cache of any readable file.
Theori researchers disclosed it on Thursday and shared what they described as a "100% reliable" Python-based exploit that can be used to root Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16 devices.
However, they also added that the same script can be used reliably against any Linux distribution shipped since 2017 with a vulnerable kernel version.
"The same exploit binary works unmodified on every Linux distribution," Theori said. "If your kernel was built between 2017 and the patch — which covers essentially every mainstream Linux distribution — you're in scope."
While major Linux distros began pushing the fix via kernel updates, Tharros' principal vulnerability analyst, Will Dormann, noted on Thursday that there were no "official updates" when Theori published its advisory.
This high-severity (CVSS score of 7.8) privilege escalation vulnerability impacts Linux distributions shipped since 2017.
Proof-of-concept exploit available for Linux 'Copy Fail' vulnerability (CVE-2026-31431).
It allows an unprivileged local user to obtain root-level access on affected Linux systems by corrupting the kernel’s in-memory page cache of a privileged binary.
Public proof-of-concept (PoC) exploit code has been released, and reports indicate the exploit is reliable across multiple major Linux distributions.
Given the breadth of affected systems and the trivially small exploit, organizations should prioritize patching, particularly for multi-tenant Linux hosts and container platforms.
Recommended actions
Counter Threat Unit™ (CTU) researchers recommend that organizations identify Linux systems running vulnerable kernel versions and apply appropriate vendor-issued kernel updates as soon as possible.
In environments where immediate patching is not feasible, administrators should review temporary mitigations recommended by their Linux distribution vendors and minimize exposure to untrusted local code execution.
In response to the disclosure, Linux distributions have released their own advisories:
Sophos protections
SophosLabs is monitoring this vulnerability and investigating detection and mitigation opportunities associated with exploitation activity.
An exploit has been published for a local privilege escalation vulnerability dubbed “Copy Fail” that impacts Linux kernels released since 2017, allowing an unprivileged local attacker to gain root permissions.
They demonstrated and confirmed the Copy Fail exploit on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16:
Getting root shell on four Linux distributions
Source: Xint Code
Copy Fail is characterized as being closer to the ‘Dirty Pipe’ vulnerability than typical local privilege escalation flaws, is more reliable (claimed 100% success), and is more broadly exploitable than most bugs in this class.
New Linux ‘Copy Fail’ flaw gives hackers root on major distros.
The vulnerability is tracked as CVE-2026-31431 and was discovered by the offensive security company Theori, using its AI-driven pentesting platform Xint Code after scanning the Linux crypto/ subsystem for about an hour.
Theori reported the finding to the Linux kernel security team on March 23, and patches became available within a week.
Although the cybersecurity company developed and tested a "100% reliable" Python-based exploit for four Linux distributions (Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16), the researchers say that the 732-byte script "roots every Linux distribution shipped since 2017."
Copy Fail root cause
In a detailed write-up, the researchers say that the Copy Fail (CVE-2026-31431) issue "is a logic bug in the Linux kernel's authencesn cryptographic template" that allows an authenticated user to reliably perform a "4-byte write into the page cache of any readable file on the system."
By combining the ‘AF_ALG’ socket-based interface, which gives access to the Linux kernel crypto functions from user space, and the splice() system call, an unprivileged user can make a 4-byte controlled write into the page cache of a file, instead of into a normal buffer.
The flaw was introduced in 2017, when the Linux kernel team added an “in-place” optimization to the crypto path, meaning it began reusing the same buffer rather than keeping input and output strictly separate.
Impact and fixes
Theori's PoC is a consistently effective 732-byte exploit that gives root to every major Linux distribution that runs on a vulnerable Linux kernel version, the researchers say.
CVE-2026-31431 was fixed upstream on April 1st by reverting the problematic “in-place” crypto behavior introduced in the Linux kernel version 4.14 in 2017.
According to the researchers, major Linux distributions are already pushing the fix via kernel updates.
As an interim mitigation for those who haven’t received the updates yet, the researchers recommend disabling the vulnerable crypto interface, which would block AF_ALG socket creation, or disabling the algif_aead module:
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead
Theori researchers suggest treating multi-tenant Linux hosts, Kubernetes/container clusters, CI runners/build farms, and cloud SaaS running user code as a priority in the patching effort.
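As an added defender-side check, not code from Theori or any of the cited articles, the POSIX shell script below classifies a kernel release string against the upstream fix versions named on this page (6.18.22, 6.19.12 and 7.0, with the bug entering in 4.14) and reports whether algif_aead is currently loaded and whether a modprobe.d install rule of the kind shown above blocks it. Kernels outside the 6.18, 6.19 and 7.0 series are reported as unknown rather than safe, since distributions backport fixes under their own version numbers, and the module and modprobe.d paths are parameters so the check can be exercised on a constructed sample; the function names are my own.

```shell
#!/bin/sh
# Exposure check for CVE-2026-31431 (Copy Fail). Added example, not Theori's code.
# Read-only: it inspects files and never opens an AF_ALG socket. Vendor
# advisories override the version heuristic (distros backport under own numbers).

# ver_ge A B: exit 0 when dotted version A >= B, comparing field by field.
ver_ge() {
    vg_a="$1"; vg_b="$2"
    while [ -n "$vg_a" ] || [ -n "$vg_b" ]; do
        vg_ai="${vg_a%%.*}"; vg_bi="${vg_b%%.*}"
        if [ "$vg_a" = "$vg_ai" ]; then vg_a=""; else vg_a="${vg_a#*.}"; fi
        if [ "$vg_b" = "$vg_bi" ]; then vg_b=""; else vg_b="${vg_b#*.}"; fi
        vg_ai="${vg_ai:-0}"; vg_bi="${vg_bi:-0}"     # missing field counts as 0
        if [ "$vg_ai" -gt "$vg_bi" ]; then return 0; fi
        if [ "$vg_ai" -lt "$vg_bi" ]; then return 1; fi
    done
    return 0
}

# copyfail_kernel_status RELEASE: prints predates-bug | vulnerable | fixed |
# unknown-check-vendor. RELEASE is a `uname -r` string; '-' / '+' suffixes are dropped.
copyfail_kernel_status() {
    ks_v="${1%%-*}"; ks_v="${ks_v%%+*}"
    ks_major="${ks_v%%.*}"
    ks_rest="${ks_v#*.}"; ks_minor="${ks_rest%%.*}"
    # The in-place crypto optimisation that introduced the bug landed in 4.14.
    if ! ver_ge "$ks_v" "4.14"; then echo "predates-bug"; return 0; fi
    case "$ks_major.$ks_minor" in
        6.18) if ver_ge "$ks_v" "6.18.22"; then echo fixed; else echo vulnerable; fi ;;
        6.19) if ver_ge "$ks_v" "6.19.12"; then echo fixed; else echo vulnerable; fi ;;
        *)    if ver_ge "$ks_v" "7.0"; then echo fixed; else echo "unknown-check-vendor"; fi ;;
    esac
}

# algif_aead_status MODULES_FILE MODPROBE_DIR: prints "loaded=yes|no blocked=yes|no".
# Caveat: a kernel with the AEAD user API built in (CONFIG_CRYPTO_USER_API_AEAD=y)
# lists no module and cannot be blocked this way; for it, patching is the only fix.
# An install rule only stops future autoloading, hence the rmmod in the advisory.
algif_aead_status() {
    as_loaded=no; as_blocked=no
    if grep -qs '^algif_aead ' "$1"; then as_loaded=yes; fi
    if cat "$2"/*.conf 2>/dev/null \
       | grep -Eqs '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/false'; then
        as_blocked=yes
    fi
    echo "loaded=$as_loaded blocked=$as_blocked"
}

# Constructed sample inputs (not taken from any real host) so the module check
# can be exercised offline: module loaded, and the advisory's install rule present.
sample_check() {
    sc_dir=$(mktemp -d) || return 1
    printf 'algif_aead 24576 0 - Live 0x0000000000000000\n' > "$sc_dir/modules"
    mkdir "$sc_dir/modprobe.d"
    printf 'install algif_aead /bin/false\n' > "$sc_dir/modprobe.d/disable-algif.conf"
    algif_aead_status "$sc_dir/modules" "$sc_dir/modprobe.d"
    rm -rf "$sc_dir"
}

# Report for the running host (read-only).
echo "kernel $(uname -r): $(copyfail_kernel_status "$(uname -r)")"
echo "algif_aead: $(algif_aead_status /proc/modules /etc/modprobe.d)"
```

A result of loaded=yes blocked=yes still means the module is resident until it is unloaded or the host reboots, so the report is a starting point for the patch queue, not a sign-off.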
Ravie Lakshmanan
Apr 30, 2026
Linux / Vulnerability
New Linux 'Copy Fail' Vulnerability Enables Root Access on Major Distributions.
Cybersecurity researchers have disclosed details of a Linux local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root.
"An unprivileged local user can write four controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root," the vulnerability research team at Xint.io and Theori said.
At its core, the vulnerability stems from a logic flaw in the Linux kernel's cryptographic subsystem, specifically within the algif_aead module.
Successful exploitation of the shortcoming could allow a simple 732-byte Python script to edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017, including Amazon Linux, RHEL, SUSE, and Ubuntu.
In response to the disclosure, Linux distributions have released their own advisories -
Copy Fail has its echoes in Dirty Pipe (CVE-2022-0847), another Linux kernel LPE vulnerability that could permit unprivileged users to splice data into the page cache of read-only files and ultimately overwrite sensitive files on the system to achieve code execution.
It also allows them to bypass sandboxing and works across all Linux versions and distributions.
Copy Fail: New Linux bug enables Root via page‑cache corruption.
Linux flaw CVE‑2026‑31431, ‘Copy Fail,’ lets any local user write four bytes into page cache files, enabling easy escalation to root on major distros.
Xint Code researchers warn of a serious Linux flaw, tracked as CVE-2026-31431 (CVSS score of 7.8), dubbed Copy Fail.
The issue affects major distributions like Ubuntu, RHEL, SUSE, and Amazon Linux, and can even cross container boundaries due to shared page cache.
“Copy Fail (CVE-2026-31431) is a logic bug in the Linux kernel’s authencesn cryptographic template.”
“A single 732-byte Python script can edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017.”
The exploit targets /usr/bin/su, a common setuid-root binary on Linux systems.
The researchers published a demo showing the same 732-byte exploit run on four Linux distributions, where a normal user (uid 1001) consistently gains root access.
Tested systems include Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16, covering kernel versions 6.12 to 6.18, all successfully compromised.
“If your kernel was built between 2017 and the patch — which covers essentially every mainstream Linux distribution — you’re in scope.”
Pierluigi Paganini (SecurityAffairs – hacking, Linux)
A 732-byte script can modify a setuid binary in memory, without changing the file on disk, making detection difficult.
If those 4 bytes hit a setuid-root binary, they can alter its behavior when executed, giving the attacker root privileges.
Next, the attacker prepares each 4-byte write. The AAD carries the exact 4-byte value to inject, while splice() maps page cache pages from the target file into the crypto operation.
The bug combines AF_ALG and splice() to write 4 bytes into the page cache of any readable file. It lets an unprivileged local user trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system.
The authencesn algorithm breaks expectations: it uses the output buffer as scratch space and writes 4 bytes past the allowed boundary. The kernel reads AAD data, performs the authencesn scratch write, and copies 4 bytes into the page cache of the target binary.
The fixes were made available in versions 6.18.22, 6.19.12, and 7.0.
Intelligence Sources
BleepingComputer, 2026-04-30: New Linux ‘Copy Fail’ flaw gives hackers root on major distros
The Hacker News, 2026-04-30
Security Affairs, 2026-04-30: Copy Fail: New Linux bug enables Root via page‑cache corruption
Sophos News, 2026-05-01
CyberScoop, 2026-05-04
BleepingComputer, 2026-05-04: CISA says ‘Copy Fail’ flaw now exploited to root Linux systems
Last Updated: 2026-05-05T06:02