Researchers at Xint Code disclosed CVE-2026-31431, dubbed "Copy Fail": a logic bug in the Linux kernel's authencesn crypto template that lets an unprivileged local user perform a deterministic 4-byte write into the page cache of any readable file. A 732-byte Python PoC edits a setuid binary to obtain root across major Linux distributions (Ubuntu, Amazon Linux, RHEL, SUSE) and architectures without races or per-distro tailoring. The flaw abuses AF_ALG plus splice() to place writable page-cache pages into a writable scatterlist; the kernel fails to mark the page dirty, leaving on-disk checksums unchanged while in-memory processes see the corrupted data. The bug is stealthy, portable, and crosses container boundaries, creating both local LPE and Kubernetes node-compromise vectors; fixes and coordinated disclosure are underway. Keywords include AF_ALG, splice(), page cache corruption.
A logic flaw in the Linux kernel's authencesn cryptographic template, tracked as CVE-2026-31431 and dubbed "Copy Fail," allows an unprivileged local user to write four controlled bytes into the page cache of any readable file and modify a cached binary to gain root. Theori researcher Taeyang Lee, aided by AI tool Xint Code, released a proof-of-concept 732-byte Python exploit that can edit setuid binaries on most Linux distributions since 2017. Distros including Debian, Ubuntu, SUSE and Red Hat have issued patches; the bug is rated High (7.8). While not remotely exploitable by itself, Copy Fail is a critical LPE for multi-tenant systems, shared-kernel containers, CI runners and Kubernetes nodes because the page cache is shared and it can be chained with remote code execution. The finding also highlights rising AI-assisted vulnerability discovery.
Xint Code disclosed CVE-2026-31431, “Copy Fail,” a logic bug in the Linux kernel authencesn crypto template that lets an unprivileged local user produce a deterministic 4-byte write into the page cache of any readable file. A 732-byte Python PoC edits a setuid binary to obtain root across major distributions (Ubuntu, Amazon Linux, RHEL, SUSE) and architectures without races or per-distro adjustments. The flaw stems from AF_ALG + splice() interaction writing page-cache-backed pages via a writable scatterlist; the kernel fails to mark the corrupted page dirty, so on-disk checksums don’t detect the change while in-memory reads see the tampered content. The primitive is stealthy, portable, tiny, and crosses container boundaries, making it a local LPE and Kubernetes node/container escape risk. Coordinated disclosure and fixes are in progress.
Security researchers at Xint Code disclosed CVE-2026-31431, dubbed “Copy Fail,” a Linux kernel logic bug in the authencesn crypto template that allows an unprivileged local user to perform a controlled 4-byte in-memory write to the page cache of any readable file. A 732-byte Python proof-of-concept edits a setuid binary’s page cache to achieve local root on major distributions (Ubuntu, Amazon Linux, RHEL, SUSE) and can cross container boundaries because the page cache is shared. The kernel’s failure to mark the corrupted page dirty means on-disk checksums don’t detect the change, making the exploit stealthy. The vulnerability was AI-assisted in discovery and will be followed by a second report on Kubernetes implications.
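A defender-side check for the behaviour the summaries describe (an added example, not code from the reports or from Xint Code): because the tampered page is never marked dirty, hashing a file through ordinary reads and again through O_DIRECT exposes a divergence between the cached view and the on-disk view. It assumes the filesystem honours O_DIRECT by reading from disk rather than falling back to buffered I/O; the function names are illustrative, and the files to check are given on the command line.

```python
import hashlib
import mmap
import os
import sys

CHUNK = 1 << 20  # 1 MiB, a multiple of any common logical block size

def cached_digest(path):
    """SHA-256 of the file as ordinary reads see it (served from the page cache)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def direct_digest(path):
    """SHA-256 of the on-disk bytes read with O_DIRECT, or None if unavailable."""
    flag = getattr(os, "O_DIRECT", None)  # not defined on non-Linux platforms
    if flag is None:
        return None
    buf = mmap.mmap(-1, CHUNK)  # anonymous mapping is page-aligned, as O_DIRECT needs
    h, done = hashlib.sha256(), 0
    try:
        fd = os.open(path, os.O_RDONLY | flag)
        with os.fdopen(fd, "rb", buffering=0) as f:
            size = os.fstat(fd).st_size
            while done < size:  # stop at EOF so every read starts block-aligned
                n = f.readinto(buf)
                if not n:
                    break
                h.update(buf[:n])
                done += n
    except OSError:
        return None  # filesystem refused O_DIRECT (assumption: treat as unsupported)
    finally:
        buf.close()
    return h.hexdigest()

def classify(cached, direct):
    """Compare the two views of one file."""
    if direct is None:
        return "unsupported"
    return "match" if cached == direct else "mismatch"

def check(path):
    return classify(cached_digest(path), direct_digest(path))

if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(check(p), p)
```

A "match" only covers pages cached at the time of the check; a tampered page that has since been evicted leaves nothing to compare.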