Tech News

Another AI-Assisted Software Scan Yields 9-Year-Old Linux Bug

Why This Matters

The discovery of the nine-year-old Linux vulnerability CVE-2026-31431 highlights the ongoing importance of AI-assisted security scans in uncovering hidden, long-standing flaws. This vulnerability's ease of exploitation and widespread impact underscore the critical need for timely patching and vigilant cybersecurity practices across all Linux systems, affecting both industry and consumers alike.

Key Takeaways

With a hunch and an hour of AI-assisted scanning, cybersecurity researchers identified, and then figured out how to exploit, a nine-year-old root escalation vulnerability affecting every Linux build since 2017.

The vulnerability, which researchers at Xint are calling "Copy Fail," has officially been given the designation CVE-2026-31431. It allows any local user to escalate to root by leveraging a logic flaw in the Linux kernel's cryptography subsystem. The flaw lets an unprivileged attacker write four specific bytes into the in-memory copy of any readable file, essentially piggybacking on the root privileges that program already carries.

Copy Fail works thanks to a long history of otherwise sensible updates to the Linux kernel over the years — particularly one update from 2017, which was meant to speed up data encryption. Ironically, then, devices still running kernels from before that 2017 change are not affected.

Considering the severity of the issue, one might imagine that exploiting it would be complex. Not so — Xint's public proof-of-concept (PoC) exploit code on GitHub is only 10 lines long. Luckily, a patch is just as freely downloadable.


The Risks in Copy Fail

CVE-2026-31431 works equally across all Linux distributions. It requires no funky race conditions. Where most local privilege escalation (LPE) bugs in Linux are probabilistic, Xint noted in its blog post, CVE-2026-31431 works 100% of the time. Because the exploit modifies only the in-memory copy of the file rather than the file on disk, it leaves no artifacts on disk, and whatever evidence exists in memory disappears as soon as the system is rebooted.

With the root-level powers it affords, there are any number of creative and destructive things a bad actor can do. "You can edit important system configuration files or important programs on the system," explains Xint senior security researcher Tim Becker. "Through various mechanisms like that, you can achieve local privilege escalation, manipulating sensitive configurations of applications running on the system."

Most worrying of all, he adds, "It's very common for people to use Kubernetes clusters to deploy their applications. And this sort of vulnerability allows container escape from any pod in a Kubernetes cluster to impact the others, or to impact the host that the cluster is running on."

The possible attack scenarios only go on from there. "Another really scary application is continuous integration (CI) runners" — agents or machines that programmatically perform tasks in a software development pipeline. "Most software engineering has some sort of continuous integration or continuous testing. Whenever someone opens a pull request containing a code change, some checks and tests will run automatically. And if it's possible for an attacker to inject this exploit into those tests that run automatically, they can escape the container that the CI job is running in. And they can potentially access sensitive secrets that are in the environment, or even sometimes deployment keys that are in CI because your deployment happens from there."
