An exploit has been published for a local privilege escalation vulnerability dubbed “Copy Fail” that impacts Linux kernels released since 2017, allowing an unprivileged local attacker to gain root permissions.
The vulnerability is tracked as CVE-2026-31431 and was discovered by the offensive security company Theori, using its AI-driven pentesting platform Xint Code after scanning the Linux crypto/ subsystem for about an hour.
Theori reported the finding to the Linux kernel security team on March 23, and patches became available within a week. Technical details and a proof-of-concept exploit for the flaw emerged publicly yesterday.
Although the cybersecurity company developed and tested a "100% reliable" Python-based exploit for four Linux distributions (Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16), the researchers say that the 732-byte "script roots every Linux distribution shipped since 2017."
Copy Fail root cause
In a detailed write-up, the researchers say that the Copy Fail (CVE-2026-31431) issue "is a logic bug in the Linux kernel's authencesn cryptographic template" that allows an authenticated user to reliably perform a "4-byte write into the page cache of any readable file on the system."
By combining the ‘AF_ALG’ socket interface, which exposes the kernel's crypto algorithms to user space, with the splice() system call, an unprivileged user can direct that 4-byte controlled write into the page cache of a file rather than into an ordinary buffer. The write lands in the cached copy of the file, which is the copy every other process reads and executes, and it does not require write permission on the file itself.
If those 4 bytes land in a setuid-root binary, they alter its behavior the next time it is executed, since processes running the binary map the cached pages; the attacker then runs the modified binary to obtain root privileges.
The flaw was introduced in 2017, when the Linux kernel team added an “in-place” optimization to the crypto path, meaning it began reusing the same buffer rather than keeping input and output strictly separate.
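The check a defender wants after reading the above: because the primitive changes what the page cache holds, a file's buffered view can diverge from what is actually on disk. The C program below is an added example, not code from Theori or from the article, and compares the two views by reading a file once normally and once with O_DIRECT, which bypasses the page cache. It assumes a filesystem that honors O_DIRECT (tmpfs on older kernels refuses it and is reported as skipped). The article does not say whether the modified page is left dirty and written back; if it is, both views agree and only package-manager verification (rpm -V, dpkg -V) or a known-good hash will notice, so treat a clean result as necessary rather than sufficient.

```c
/* pagecache_check.c: compare a file's page-cache contents with its on-disk
 * contents. A mismatch means the cached pages were changed without going
 * through the normal write path, the footprint the article describes.
 * Added example; file names and return codes below are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum { PC_MATCH = 0, PC_MISMATCH = 1, PC_UNSUPPORTED = 2, PC_ERROR = -1 };

#define CHUNK (64 * 1024)   /* multiple of any logical block size O_DIRECT requires */

/* Read exactly 'want' bytes (fewer only at EOF) from a buffered fd. */
static ssize_t read_full(int fd, char *buf, size_t want)
{
    size_t got = 0;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) break;
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Returns PC_MATCH, PC_MISMATCH (first_diff set to the first differing
 * offset when non-NULL), PC_UNSUPPORTED if the filesystem rejects O_DIRECT,
 * or PC_ERROR. */
int page_cache_matches_disk(const char *path, off_t *first_diff)
{
    int rc = PC_ERROR;
    char *dbuf = NULL, *bbuf = NULL;
    void *aligned = NULL;
    off_t off = 0;

    int bfd = open(path, O_RDONLY | O_CLOEXEC);          /* page-cache view */
    if (bfd < 0) return PC_ERROR;
    int dfd = open(path, O_RDONLY | O_CLOEXEC | O_DIRECT); /* on-disk view */
    if (dfd < 0) { close(bfd); return errno == EINVAL ? PC_UNSUPPORTED : PC_ERROR; }

    if (posix_memalign(&aligned, 4096, CHUNK) != 0) goto out;
    dbuf = aligned;                                        /* O_DIRECT needs alignment */
    if (!(bbuf = malloc(CHUNK))) goto out;

    for (;;) {
        ssize_t nd = read(dfd, dbuf, CHUNK);               /* short read only at EOF */
        if (nd < 0) { if (errno == EINTR) continue; goto out; }
        if (nd == 0) {
            /* disk view is at EOF; the cached view must be too */
            ssize_t extra = read_full(bfd, bbuf, 1);
            if (extra < 0) goto out;
            rc = extra == 0 ? PC_MATCH : PC_MISMATCH;
            if (rc == PC_MISMATCH && first_diff) *first_diff = off;
            break;
        }
        ssize_t nb = read_full(bfd, bbuf, (size_t)nd);
        if (nb < 0) goto out;
        size_t common = (size_t)(nb < nd ? nb : nd), i = 0;
        while (i < common && dbuf[i] == bbuf[i]) i++;
        if (i < common || nb != nd) {                      /* content or length differs */
            if (first_diff) *first_diff = off + (off_t)i;
            rc = PC_MISMATCH;
            break;
        }
        off += nd;
    }
out:
    free(dbuf); free(bbuf);
    close(bfd); close(dfd);
    return rc;
}

/* Writes a constructed sample file and checks it; an untouched file must
 * report PC_MATCH (or PC_UNSUPPORTED where O_DIRECT is unavailable). */
int self_check(void)
{
    char tmpl[] = "/tmp/pc_check_XXXXXX";                  /* example path, constructed */
    int fd = mkstemp(tmpl);
    if (fd < 0) return PC_ERROR;
    const char body[] = "sample bytes constructed for this example\n";
    for (int i = 0; i < 200; i++)
        if (write(fd, body, sizeof body - 1) != (ssize_t)(sizeof body - 1)) {
            close(fd); unlink(tmpl); return PC_ERROR;
        }
    fsync(fd);
    close(fd);
    int rc = page_cache_matches_disk(tmpl, NULL);
    unlink(tmpl);
    return rc;
}

int main(int argc, char **argv)
{
    /* Typical use, feeding it the setuid-root binaries on the host:
     *   find / -xdev -type f -perm -4000 -user root -print0 | xargs -0 ./pagecache_check */
    int worst = 0;
    for (int i = 1; i < argc; i++) {
        off_t diff = 0;
        switch (page_cache_matches_disk(argv[i], &diff)) {
        case PC_MATCH:       printf("ok        %s\n", argv[i]); break;
        case PC_MISMATCH:    printf("MISMATCH  %s (first differing byte at offset %lld)\n",
                                    argv[i], (long long)diff); worst = 1; break;
        case PC_UNSUPPORTED: printf("skipped   %s (O_DIRECT not supported)\n", argv[i]); break;
        default:             printf("error     %s: %s\n", argv[i], strerror(errno)); break;
        }
    }
    return worst;
}
```

Run it as root so every setuid binary is readable, and run it before the affected pages are evicted: once the kernel drops the cached page, the next read comes from disk and the divergence is gone, which is why this is a triage check rather than a forensic record.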