A new high-severity Linux vulnerability has been disclosed, and it can allow attackers to gain full root access on affected systems. The flaw is tracked as CVE-2026-31431 and has been named “Copy Fail” by security researchers at Xint.io and Theori.
The issue affects the Linux kernel and allows an unprivileged local user to escalate privileges to root. It has a CVSS score of 7.8, which makes it a serious security concern for many systems.
According to the researchers, the vulnerability lets a local user write controlled data into the page cache of any readable file. This can then be used to gain full administrative access. In simple terms, even a low-level user account can take complete control of the system.
The root cause of the issue lies in a logic flaw inside the Linux kernel’s cryptographic subsystem. More specifically, it affects the algif_aead module. The flaw was introduced in a code change back in August 2017, which means the vulnerability has been present in Linux systems for several years.
Researchers demonstrated that the flaw can be exploited using a very small Python script of just 732 bytes. The exploit works by targeting a setuid binary such as “/usr/bin/su” and modifying its cached version in memory. Once modified, the attacker can execute it and gain root access.
The attack involves a few steps. First, the attacker opens a special socket and prepares a payload. Then, the exploit writes data into the kernel’s cached file. Finally, it executes the modified binary to run code as root.
Although the vulnerability cannot be exploited remotely on its own, it becomes dangerous in multi-user environments. Any local user with access to the system can use it to gain full privileges. It also has a cross-container impact because the page cache is shared across processes. This means containers are not fully isolated from this attack.
Major Linux distributions, including Amazon Linux, Debian, Red Hat Enterprise Linux, SUSE, and Ubuntu, have already released security advisories and patches.
Security experts have compared this vulnerability to the well-known Dirty Pipe flaw from 2022. Both issues allow attackers to manipulate the page cache and modify protected files. However, Copy Fail is considered more reliable because it does not require race conditions or complex timing.
Researchers also highlighted why this vulnerability stands out. It is portable, very small in size, stealthy, and works across different environments. The same exploit can run on multiple Linux distributions without major changes.
Related Posts
