Nine-year-old high-severity Linux bug discovered
Copy Fail flaw affects all mainstream Linux distributions
Security researchers have unearthed a high severity local privilege escalation bug that affects almost all Linux distributions and dates back to 2017.
The vulnerability has been named “Copy Fail” (CVE-2026-31431, CVSS 7.8, high severity) and was discovered by the Xint Code Research Team at bug bounty platform Theori.
Copy Fail is a logic flaw in the Linux kernel. It arose following an optimisation in 2017 which inadvertently blurred a safety boundary between read‑only file data and writable memory during cryptographic operations.
“It lets an unprivileged local user trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system,” the researchers write in a blog post.
“A single 732-byte Python script can edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017.”
Because the flaw lies deep in the kernel, virtually every Linux distribution is affected. Theori has already demonstrated successful exploitation on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1 and SUSE 16.
So far, no in‑the‑wild exploitation has been reported, but shared tenancy instances, cloud SaaS applications running user code, Kubernetes clusters and CI runners are all vulnerable, the researchers say. Because exploitation leaves no on‑disk modification and disappears on reboot, successful abuse would be hard to detect retrospectively.
“Copy Fail requires only an unprivileged local user account - no network access, no kernel debugging features, no pre-installed primitives.”
The bug was disclosed in April, and Linux kernel maintainers have released fixes, which have made their way into most major distributions.
Admins are urged to upgrade kernels to Linux 7.0, 6.19.12, or 6.18.22, or the corresponding distribution backport for older long-term support (LTS) versions.
Where immediate upgrading is not possible, the Theori researchers recommend blacklisting the algif_aead kernel module, which removes the exploitable path.
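As an added example (not code from Theori's post or from this article), the POSIX shell script below checks a kernel version string against the fixed versions named above and writes a modprobe drop-in that blocks algif_aead. The drop-in file name and the use of an `install algif_aead /bin/false` line (which also stops on-demand loading, unlike a bare `blacklist` entry) are this example's own choices, and a version below the fixed ones may still carry a distribution backport, so the version check is only conclusive for upstream kernel numbers.

```shell
#!/bin/sh
# Added example: Copy Fail (CVE-2026-31431) kernel check and algif_aead block.

# ver_ge A B: return 0 if dot-separated version A >= B (first 3 numeric
# components; a suffix such as "-generic" is ignored, missing parts count as 0).
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*/, "", a); sub(/[^0-9.].*/, "", b)
        na = split(a, A, "."); nb = split(b, B, ".")
        for (i = 1; i <= 3; i++) {
            x = (i <= na) ? A[i] + 0 : 0; y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# copy_fail_fixed VERSION: return 0 if an upstream kernel version is at or above
# the fixed releases from the article (7.0, 6.19.12, 6.18.22), else 1.
# Distribution kernels may be patched at lower numbers via backports.
copy_fail_fixed() {
    series=$(printf '%s' "$1" | sed 's/[^0-9.].*//' | cut -d. -f1-2)
    case "$series" in
        6.18) ver_ge "$1" 6.18.22 ;;
        6.19) ver_ge "$1" 6.19.12 ;;
        *)    ver_ge "$1" 7.0 ;;
    esac
}

# write_algif_aead_block [DIR]: write a modprobe(5) drop-in under DIR
# (default /etc/modprobe.d) and print its path. The "install" line makes
# modprobe run /bin/false instead of loading the module, so an AF_ALG
# request from userspace cannot pull it in either.
write_algif_aead_block() {
    f="${1:-/etc/modprobe.d}/disable-algif_aead.conf"   # example file name
    printf 'blacklist algif_aead\ninstall algif_aead /bin/false\n' > "$f" || return 1
    printf '%s\n' "$f"
}

# algif_aead_loaded: return 0 if the module is currently loaded on this host.
algif_aead_loaded() { grep -q '^algif_aead ' /proc/modules 2>/dev/null; }

main() {
    k=$(uname -r)
    if copy_fail_fixed "$k"; then echo "kernel $k: upstream fix present"
    else echo "kernel $k: below fixed versions; verify a distro backport"; fi
    if algif_aead_loaded; then echo "algif_aead is loaded (unload + block it)"
    else echo "algif_aead is not loaded"; fi
}
main
```

Run with root to write the drop-in to /etc/modprobe.d, then unload the module with `rmmod algif_aead` if it is already present.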