- Experts Reveal “CopyFail” Flaws Affecting Linux Distros
- All Linux kernels released after 2017 are vulnerable
- Users are encouraged to patch now or risk account takeover
Security experts have warned of a major new vulnerability affecting Linux kernels and are urging users to patch and upgrade without delay.
The critical privilege escalation flaw discovered by experts at Theori and dubbed “Copy Fail” can grant root privileges across all major Linux distributions, with container environments being particularly vulnerable.
All Linux kernels released after 2017 are vulnerable to the issue, which could allow an unprivileged local attacker to gain root permissions – but patches are available now so users can secure their systems.
Update now
The flaw is tracked as CVE-2026-31431. The exploit is just 732 bytes of Python code that roots Ubuntu, Amazon Linux, RHEL and SUSE, and the bug is “a linear logic flaw” that does not require race conditions or kernel-specific offsets.
It added that the problem “is a logical flaw in the Linux kernel’s authencesn cryptographic template,” which means an authenticated user can reliably perform a “4-byte write to the page cache of any readable file on the system.”
Bleeping Computer notes that by combining the ‘AF_ALG’ socket-based interface, which provides access to the Linux kernel’s crypto functions from user space, with the splice() system call, an unprivileged user can perform a 4-byte controlled write to the page cache of a file instead of a normal buffer – and if those 4 bytes change the behavior of a binary that runs as root when executed, the attacker gains root privileges.
Theori says it found the flaw using Xint Code, its AI-powered pentesting platform tasked with scanning the Linux crypto/ subsystem for problems.
“Same script, four distributions, four root shells – in one go. The same exploit binary works unchanged on every Linux distribution,” its blog post explains.
Theori says it reported its finding to the Linux kernel security team on March 23, 2026, and patches became available within a week. It also created a proof-of-concept exploit of the flaw that it says is “100% reliable” across the major Linux distros listed above.
“Copy Fail is not a story about a single bug or about a team’s tool. It’s a data point that the cost of finding deep logic errors may have dropped by something like an order of magnitude,” noted David Brumley, Chief AI and Science Officer at Bugcrowd.
“If your threat model is still budgeting core LPEs as rare, you probably have weeks to update it—not years.”



