Published May 12, 2026 · Updated May 18, 2026 · 1 source

Copy.Fail: Critical Linux Kernel LPE Lets Unprivileged Attackers Gain Root Access

A newly disclosed Linux kernel local privilege escalation vulnerability, dubbed copy.fail, allows unprivileged attackers to gain root access on virtually all major distributions.

A critical Linux kernel local privilege escalation vulnerability, dubbed "copy.fail," has been disclosed by security firm Theori, allowing unprivileged attackers to gain root access on virtually all major distributions. The flaw, for which a CVE has not yet been assigned, was publicly released on April 29, 2026, alongside a working proof-of-concept exploit. The vulnerability is considered one of the most severe Linux kernel flaws in recent years due to its broad impact and the difficulty of detecting exploitation.

The vulnerability resides in the kernel's cryptographic API, specifically in the handling of AF_ALG sockets combined with the `splice()` system call. By abusing this interaction, an attacker can write arbitrary data, four bytes at a time, directly into the page cache of a file they do not own. Only the cached pages change; the file on disk remains unmodified, so integrity monitoring tools such as AIDE or Tripwire, which compare on-disk contents, will not detect the attack. This technique bypasses standard file permission checks, allowing an unprivileged user to escalate privileges to root without any race condition or per-distribution offset adjustments.

The exploit works unmodified across a wide range of Linux distributions, including Ubuntu, Red Hat Enterprise Linux, Debian, SUSE, Amazon Linux, and Fedora. This universality makes it particularly dangerous for shared infrastructure environments. In Kubernetes clusters, the default Pod Security Standards (Restricted) and the default RuntimeDefault seccomp profile do not block the required syscall, leaving containers vulnerable. Similarly, shared hosting platforms, CI/CD pipelines running untrusted code, and Windows Subsystem for Linux 2 (WSL2) instances are all affected. Any environment where multiple tenants share a single kernel is at risk.

A mainline kernel fix was committed on April 1, 2026, and distributions are now rolling out patched kernels. System administrators are urged to apply updates as soon as they become available for their respective distributions. For environments where immediate patching is not possible, a custom seccomp profile that blocks the AF_ALG and `splice()` combination the exploit relies on can serve as a temporary mitigation. Theori has also released detailed technical analysis and detection guidance.
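As an added example (not from the article or from Theori's guidance), the following Python helper takes a copy of a container runtime's default seccomp profile, which the article says does not block the required syscalls, and tightens it: `splice` is removed from every allow rule so the deny-by-default applies, and `socket` is restricted with an argument filter so AF_ALG sockets cannot be created. Which of the two restrictions the mitigation actually needs is an assumption drawn from the article's description of the bug; `SAMPLE_PROFILE` is a constructed stand-in for the runtime's real default profile, and the argument-filter fields (`index`, `value`, `op`) follow the Docker/containerd profile format.

```python
import copy

AF_ALG = 38  # socket(2) address family of the kernel crypto API (<linux/socket.h>)
DENY_DEFAULTS = ("SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_KILL_THREAD")
# Argument filter for socket(domain, type, protocol): match only when domain != AF_ALG.
NOT_AF_ALG = {"index": 0, "value": AF_ALG, "op": "SCMP_CMP_NE"}


def harden_profile(profile: dict) -> dict:
    """Copy a Docker/containerd seccomp profile, drop splice from every allow rule
    and AND an AF_ALG exclusion onto every allow rule for socket; keep the rest."""
    if profile.get("defaultAction") not in DENY_DEFAULTS:
        raise ValueError("profile must deny by default, else removing an allow rule changes nothing")
    out = copy.deepcopy(profile)
    rules = []
    for rule in out.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            rules.append(rule)  # explicit errno/log/trace rules are left as they are
            continue
        names = [n for n in rule["names"] if n != "splice"]
        if "socket" in names:
            names.remove("socket")
            # socket gets its own rule: args inside one rule are ANDed by libseccomp
            rules.append({**rule, "names": ["socket"], "args": list(rule.get("args", [])) + [NOT_AF_ALG]})
        if names:
            rules.append({**rule, "names": names})
    out["syscalls"] = rules
    return out


def allowed(profile: dict, syscall: str, arg0: int = 0) -> bool:
    """Minimal evaluator for checking the result: an allow rule matches when it names
    the syscall and every index-0 argument filter (EQ/NE only) holds for arg0."""
    for rule in profile["syscalls"]:
        if rule["action"] != "SCMP_ACT_ALLOW" or syscall not in rule["names"]:
            continue
        ok = True
        for a in rule.get("args", []):
            if a["index"] != 0 or a["op"] not in ("SCMP_CMP_EQ", "SCMP_CMP_NE"):
                raise NotImplementedError("evaluator only handles EQ/NE filters on arg 0")
            ok = ok and ((arg0 == a["value"]) == (a["op"] == "SCMP_CMP_EQ"))
        if ok:
            return True
    return profile["defaultAction"] == "SCMP_ACT_ALLOW"


# Constructed stand-in for a runtime default profile (the real one allows hundreds of syscalls).
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [{"names": ["read", "write", "socket", "splice", "exit_group"], "action": "SCMP_ACT_ALLOW"}],
}
```

Load the result through Kubernetes `seccompProfile.type: Localhost` or Docker `--security-opt seccomp=<file>` only after testing the workload, since some runtimes use `splice()` for zero-copy I/O.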

The "copy.fail" vulnerability highlights the ongoing challenge of securing the Linux kernel's complex subsystems. While local privilege escalation flaws are often underestimated, the reality of modern shared infrastructure means that a single unprivileged container or user account can become a gateway to full system compromise. This disclosure serves as a stark reminder that kernel-level vulnerabilities remain a critical attack vector, and that defense-in-depth strategies must include robust isolation and rapid patch deployment.

Synthesized by Vypr AI