Coverage of CVE-2026-31431 (“Copy Fail”) highlights a widely exploitable Linux local privilege-escalation flaw tied to a 2017 in-place optimization in the kernel crypto API (algif_aead). A published PoC reportedly works across major distributions and kernel builds from 2017 until the fix, yielding root shells and raising urgent risk for multi-tenant systems such as Kubernetes nodes, CI runners, and cloud-hosted notebook/serverless environments where local attackers can leverage shared page cache and AF_ALG. Discussion also dissects the exploit’s compressed/deflated shellcode and its tactic of altering a SUID binary (su). Vendors recommend patching and, short-term, disabling algif_aead.
A widely usable exploit for CVE-2026-31431, dubbed CopyFail, was publicly released after a private report to the Linux kernel team, and it grants local privilege escalation to root across virtually all major Linux releases because it targets a logic bug in the kernel crypto API. Theori’s exploit script reliably works unmodified across Ubuntu, Amazon Linux, SUSE, Debian and others because the flaw causes predictable memory corruption when handling AEAD templates for IPsec extended sequence numbers. That makes container escapes, cross-tenant compromises on shared hosts, and CI/CD-to-host takeover highly practical. Patches exist in recent kernel trees but many distributions had not yet rolled them out, leaving data centers and endpoints exposed.
A 732‑byte Python toolkit and PoC exploit for CVE-2026-31431 (“Copy Fail”) demonstrates a local privilege escalation that corrupts Linux page-cache contents via algif_aead’s in-place AEAD handling. The vulnerability—introduced by an in-place AEAD commit in 2017 and present in many distributions including Ubuntu 24.04, Amazon Linux 2023, RHEL 14.3, and SUSE 16—lets an unprivileged user trigger a 4‑byte scratch write into page-cache pages spliced from regular files, altering runtime views of world-readable files like /etc/passwd without touching disk. The repo includes a non-destructive detector and an exploit that flips a user’s UID to 0 in /etc/passwd’s page cache and invokes su for a root shell. Operators should run the detector and apply kernel updates or mitigations immediately.
A widely applicable Linux kernel local privilege escalation called CopyFail (CVE-2026-31431) has public exploit code that reliably gives root on most distributions, alarming defenders. Theori disclosed the exploit five weeks after notifying the kernel team; patches landed in many kernel releases but were not yet widely rolled into distributions, leaving systems exposed. CopyFail stems from a logic bug in the kernel crypto API’s AEAD template for IPsec ESN handling that writes four bytes past its output buffer; unlike flaky race exploits, a single Python script works across Ubuntu, Amazon Linux, SUSE, Debian and others. The vulnerability enables container escapes, multi-tenant and CI/CD compromises, and rapid host takeover once an attacker gains any code-execution foothold, making prompt patching and distribution updates critical.
A critical Linux local-privilege-escalation vulnerability, CVE-2026-31431 dubbed CopyFail, has public exploit code that works across virtually all vulnerable distributions, raising urgent alarms for data centers and personal devices. Theori researchers released the exploit after a five-week private disclosure; the kernel team issued patches for multiple kernel series (including 7.0, 6.19.12, 6.18.12 and several long-term releases), but many distributions had not yet rolled them out when the exploit went public. Because a single script reliably elevates unprivileged users to root, attackers can break out of containers, compromise multi-tenant hosts, and even weaponize CI/CD pipelines. Organizations must prioritize patching, kernel upgrades, or temporary mitigations to prevent wide-scale breaches.
A Hacker News thread discusses CVE-2026-31431, a named and widely publicized vulnerability dubbed “Copy Fail.” Commenters note that the exploit ships shellcode encoded as a deflate-compressed blob and that the real exploit modifies a SUID executable (su) to obtain root. Participants debate why some CVEs get memorable names and domains, citing awareness and patching urgency (with Heartbleed and Log4Shell as analogies). Readers ask for a readable exploit writeup; responders point out that the compressed blob holds the shellcode while the surrounding script performs the code alteration. The thread reflects community interest in exploit details and the importance of rapid disclosure and remediation for high-impact, named CVEs.
A local privilege-escalation vulnerability, CVE-2026-31431 (“Copy Fail”), allows an unprivileged user to gain root on many Linux systems by exploiting a 2017 in-place optimization in the kernel crypto API (algif_aead). The published PoC works across multiple mainstream distributions and kernels built between 2017 and the patch, demonstrated to produce root shells on Ubuntu, Amazon Linux, RHEL and SUSE. High-risk targets include multi-tenant hosts, Kubernetes nodes, CI runners, and cloud notebook/serverless environments because shared page cache and enabled AF_ALG make exploitation trivial for local attackers. Vendors have issued a fix (reverting the optimization via commit a664bf3d603d); immediate mitigation is to disable the algif_aead module until kernels are updated.
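The summaries above describe two defensive actions (run a detector, disable algif_aead until the kernel is updated) and one observable symptom (a page-cache view of /etc/passwd that no longer matches the bytes on disk). The script below is an added example written for this page; it is not Theori's detector or PoC and does not reproduce the exploit. Assumptions, labelled in the comments: the fixed mainline versions are only the ones named above (7.0, 6.19.12, 6.18.12), so distribution kernels with backported fixes will be misreported as vulnerable by the version check and the vendor advisory is authoritative; the /proc/modules sample is constructed; the page-cache comparison relies on GNU dd's `iflag=direct` and on the filesystem honouring O_DIRECT, which tmpfs and some overlay setups do not.

```shell
#!/bin/sh
# Added example for this page (not from the Theori repo): defensive checks and
# the short-term mitigation for CVE-2026-31431. Every verdict here is a prompt
# to consult the vendor advisory, not proof either way.

# 1. Is algif_aead present? It is a loadable module on most distributions and
#    AF_ALG autoloads it on first use, so "not loaded" is not "not exploitable".
#    Takes the text of /proc/modules as $1 so it can be run against a sample.
algif_aead_loaded() {
    printf '%s\n' "$1" | grep -q '^algif_aead '
}

# 2. Compare a kernel release string against the fixed mainline versions the
#    summaries list: same major.minor series and patch level >= the fix.
#    Returns 0 if fixed, 1 if vulnerable or the series is not listed (assumption:
#    distributions backport, so 1 means "check the advisory", not "exploitable").
kernel_series_fixed() {
    ver=${1%%-*}                       # "6.18.12-1-amd64" -> "6.18.12"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    [ -z "$patch" ] && patch=0
    case "$major.$minor" in
        7.0)  [ "$patch" -ge 0 ] ;;    # 7.0 release carries the fix
        6.19) [ "$patch" -ge 12 ] ;;
        6.18) [ "$patch" -ge 12 ] ;;
        *)    return 1 ;;              # other series: not listed on the page
    esac
}

# 3. Mitigation named above: stop algif_aead from loading. "install ... /bin/false"
#    also blocks kernel-initiated autoload via request_module(), which a plain
#    "blacklist" line does not. An already-loaded module still needs
#    "rmmod algif_aead", and a kernel with the AEAD userspace API built in
#    (CONFIG_CRYPTO_USER_API_AEAD=y) is not helped by modprobe.d at all.
algif_aead_modprobe_conf() {
    printf 'install algif_aead /bin/false\n'
}
write_mitigation() {
    # $1: destination file; the default path is an assumption, not from the page.
    algif_aead_modprobe_conf > "${1:-/etc/modprobe.d/disable-algif-aead.conf}"
}

# 4. Spot an already-tampered page cache. A normal read is served from the page
#    cache; an O_DIRECT read goes to the block device. The corrupted pages are
#    never marked dirty (the summaries note the disk is untouched), so the two
#    views diverge on a hit. Returns 0 if they match, 1 if they differ, 2 if the
#    filesystem refuses O_DIRECT (tmpfs, some overlays) and there is no verdict.
#    A legitimate concurrent write would also differ, so re-run before acting.
pagecache_matches_disk() {
    f=${1:-/etc/passwd}
    cached=$(sha256sum < "$f")
    tmp=$(mktemp) || return 2
    if ! dd if="$f" of="$tmp" iflag=direct bs=4096 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    ondisk=$(sha256sum < "$tmp")
    rm -f "$tmp"
    [ "$cached" = "$ondisk" ]
}

# Usage on a live host; guarded so the script also runs under "sh -e".
if [ -r /proc/modules ] && algif_aead_loaded "$(cat /proc/modules)"; then
    echo "algif_aead is loaded"
fi
if kernel_series_fixed "$(uname -r)"; then
    echo "kernel $(uname -r): in a fixed mainline series (confirm with vendor advisory)"
else
    echo "kernel $(uname -r): not a listed fixed version; check vendor advisory"
fi
rc=0; pagecache_matches_disk /etc/passwd || rc=$?
case $rc in
    0) echo "/etc/passwd: page cache matches disk" ;;
    1) echo "/etc/passwd: page cache DIFFERS from disk; investigate" ;;
    *) echo "/etc/passwd: O_DIRECT unsupported here, no page-cache verdict" ;;
esac
```

To apply the mitigation, run `write_mitigation` as root (it writes the modprobe.d file) and then `rmmod algif_aead` if the module is currently loaded and has no users; reverse both once the kernel has been updated. Software that legitimately uses AF_ALG AEAD (some IPsec and disk-encryption userspace) will fail while the module is blocked, which is the trade-off the short-term mitigation in the summaries implies.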