TechRadar
Mike Moore

'An hour of scan time is all it took': "Copy Fail" flaw impacts all Linux kernels released since 2017, so patch now or face the consequences

  • Experts reveal "CopyFail" flaw affecting Linux distros
  • All Linux kernels released after 2017 are vulnerable
  • Users urged to patch now or risk account takeover

Security experts have warned of a major new vulnerability affecting Linux kernels, urging users to patch and upgrade without delay.

The critical privilege escalation flaw, discovered by experts at Theori and dubbed "Copy Fail", can grant root privileges across all major Linux distributions, with containerized environments being especially vulnerable.

All Linux kernels released after 2017 are vulnerable to the issue, which could allow an unprivileged local attacker to gain root permissions - but patches are available now for users to secure their systems.

Update now

Tracked as CVE-2026-31431, the bug is “a straight-line logic flaw,” requiring no race conditions or kernel-specific offsets, and the exploit is just 732 bytes of Python code rooting Ubuntu, Amazon Linux, RHEL, and SUSE.

It added that the issue "is a logic bug in the Linux kernel's authencesn cryptographic template", which means an authenticated user can reliably perform a "4-byte write into the page cache of any readable file on the system."

BleepingComputer notes that combining the ‘AF_ALG’ socket-based interface, which gives access to the Linux kernel crypto functions from user space, with the splice() system call means an unprivileged user can make a 4-byte controlled write in the page cache of a file, instead of a normal buffer. If those 4 bytes hit a setuid-root binary, they can alter its behavior when executed, giving the attacker root privileges.
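For administrators sizing their exposure while patches roll out, the two conditions named above (user-space access to AF_ALG, and setuid-root binaries that ordinary users can read) can be inventoried per host. The script below is an added example, not code from Theori, BleepingComputer or TechRadar; the directory list and the use of the "other" read bit as a stand-in for "readable by an unprivileged user" are assumptions.

```python
import os
import socket
import stat
import sys


def af_alg_reachable():
    """True if this process can open an AF_ALG socket (kernel crypto from user space)."""
    family = getattr(socket, "AF_ALG", None)  # attribute is absent on non-Linux builds
    if family is None:
        return False
    try:
        socket.socket(family, socket.SOCK_SEQPACKET, 0).close()
        return True
    except OSError:  # family not available, or blocked by seccomp/LSM policy
        return False


def readable_setuid_files(roots, owner_uid=0):
    """Sorted paths of regular setuid files owned by owner_uid with the 'other' read bit.

    Assumption: S_IROTH approximates "readable by an unprivileged user";
    group membership and ACLs are not evaluated.
    """
    hits, seen = [], set()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: never follow symlinks
                except OSError:
                    continue
                key = (st.st_dev, st.st_ino)  # dedupe /bin -> /usr/bin style aliases
                if key in seen or not stat.S_ISREG(st.st_mode):
                    continue
                seen.add(key)
                if st.st_uid == owner_uid and st.st_mode & stat.S_ISUID \
                        and st.st_mode & stat.S_IROTH:
                    hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    # Default directory list is an assumption; pass your own roots as arguments.
    roots = sys.argv[1:] or ["/usr/bin", "/usr/sbin", "/bin", "/sbin"]
    print("AF_ALG reachable by this user:", af_alg_reachable())
    for p in readable_setuid_files(roots):
        print("readable setuid-root:", p)
```

Run it as the unprivileged account you care about, since the AF_ALG result reflects that process's seccomp and LSM restrictions.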

Theori says it found the flaw using Xint Code, its AI-powered pentesting platform, which had been tasked with scanning the Linux crypto/ subsystem for issues.

“Same script, four distributions, four root shells – in one take. The same exploit binary works unmodified on every Linux distribution,” its blog post explains.

Theori says it reported its finding to the Linux kernel security team on March 23, 2026, and patches became available within a week. It also created a proof-of-concept exploit for the flaw, which it says is "100% reliable" across the major Linux distros listed above.

"Copy Fail is not a story about a single bug, or about one team’s tooling. It’s a data point that the cost of finding deep logic flaws may have dropped by something like an order of magnitude," noted David Brumley, Chief AI and Science Officer at Bugcrowd.

"If your threat model still budgets kernel LPEs as rare, you probably have weeks to update that—not years."
