VYPR · kev · Published Apr 30, 2026 · Updated May 18, 2026 · 1 source

Copy Fail (CVE-2026-31431): New Linux Kernel Privilege Escalation Flaw Affects Nearly All Distributions Since 2017

A high-severity local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem, dubbed 'Copy Fail,' allows any local user to gain root access on virtually every major Linux distribution released since 2017.

A high-severity local privilege escalation vulnerability in the Linux kernel, tracked as CVE-2026-31431 and dubbed 'Copy Fail,' allows any local user to gain root access on virtually every major Linux distribution released since 2017. The flaw resides in the kernel's cryptographic subsystem and was discovered by researcher Taeyang Lee of Theori using the company's AI-assisted security scanning tool, Xint Code. A reliable public exploit is already available, drawing comparisons to previous high-profile Linux kernel privilege escalation flaws like Dirty Cow and Dirty Pipe.

The vulnerability, assigned a CVSSv3 score of 7.8, enables a local attacker to modify the kernel's cached copy of a file in memory without altering the underlying file on disk. By targeting a privileged binary, an attacker can escalate privileges to root. Because the modification exists only in the page cache, standard disk forensics would not detect the alteration; dropping the cache through a reboot or memory pressure causes the kernel to reload the page from the unmodified file. The attack therefore leaves no trace on disk, but the in-memory change itself does not survive a reboot.

Copy Fail affects any Linux distribution shipping kernel version 4.14 or later, meaning the flaw has been present since 2017 and persisted across nearly a decade of kernel releases. Major distributions impacted include Ubuntu, Red Hat Enterprise Linux, Debian, Amazon Linux, SUSE, and Arch Linux. The exploit uses kernel features enabled by default on most distributions and does not require special privileges or configuration, making it particularly dangerous in multi-tenant environments such as cloud systems, container clusters, and CI/CD pipelines.

Patched kernel versions have been released for several stable branches, including 5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85, 6.18.22, 6.19.12, and 7.0. The fix removes the 2017 optimization that allowed the vulnerability, restoring a safer separation between read and write operations in the kernel's crypto interface. However, as of April 30, some distributions like Debian and Amazon Linux remain vulnerable, while others are still patching.

For systems where an immediate kernel update is not feasible, two workarounds are available depending on kernel configuration. If the affected module is loaded dynamically (CONFIG_CRYPTO_USER_API_AEAD=m), administrators can disable it using modprobe.d. If the module is compiled into the kernel (CONFIG_CRYPTO_USER_API_AEAD=y), a kernel boot parameter can be added to block the exploit. However, userspace applications such as cryptsetup and firefox-esr may be affected, so testing in a non-production environment is advised.
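The two previous paragraphs amount to a triage procedure: compare the running kernel against the fixed stable release for its branch, then pick the workaround that matches how CONFIG_CRYPTO_USER_API_AEAD was built. The script below is an added example, not code from the VYPR article or from Theori. The fixed-version table is taken from the article; the module name algif_aead is an assumption drawn from the kernel's crypto/Makefile (the article does not name the module), the modprobe.d directives are the standard mechanism rather than anything quoted from the page, and the boot parameter for built-in kernels is not named in the article, so the script only tells you to consult your distribution's advisory. The version check is only meaningful for kernels that track upstream stable; vendors that backport the fix keep an older version string.

```sh
#!/bin/sh
# Added triage helper for CVE-2026-31431 (example code, not from the VYPR
# article or from Theori). Run with --live to inspect the current host.

# Fixed upstream stable versions as listed in the article ("branch patch").
# Branches absent from this table get "unknown" rather than a guess.
FIXED_VERSIONS="5.10 254
5.15 204
6.1 170
6.6 137
6.12 85
6.18 22
6.19 12
7.0 0"

# Constructed sample of a kernel config fragment, used for the offline demo.
SAMPLE_CONFIG="CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_AEAD=m"

# kernel_status VERSION_STRING -> patched | vulnerable | unknown
# Caveat: only meaningful for kernels that track upstream stable. Distribution
# kernels that backport the fix keep an older version string, so "vulnerable"
# here means "check the vendor advisory", not "confirmed exploitable".
kernel_status() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop "-1-amd64" and similar suffixes
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    [ -n "$patch" ] || patch=0                       # "7.0" has no third component
    # Fixed-string match on "branch " so 5.1 never matches the 5.10 row.
    fixed=$(printf '%s\n' "$FIXED_VERSIONS" | grep -- "^$major\.$minor " | cut -d' ' -f2)
    if [ -z "$fixed" ]; then
        echo unknown
    elif [ "$patch" -ge "$fixed" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# aead_api_mode < config_text -> m (module) | y (built-in) | n (not built)
# Reads a kernel .config on stdin, e.g. /boot/config-$(uname -r) or the
# output of zcat /proc/config.gz.
aead_api_mode() {
    mode=$(sed -n 's/^CONFIG_CRYPTO_USER_API_AEAD=//p')
    case "$mode" in
        m|y) echo "$mode" ;;
        *)   echo n ;;
    esac
}

# mitigation_for MODE -> the workaround that applies to that build mode.
# Assumption: CONFIG_CRYPTO_USER_API_AEAD builds the algif_aead module (from
# the kernel's crypto/Makefile; the article does not name the module). The
# "install ... /bin/false" line blocks explicit modprobe as well as autoload.
# A module that is already loaded must still be removed (or the host rebooted)
# for the modprobe.d entry to have any effect.
mitigation_for() {
    case "$1" in
        m) printf 'install algif_aead /bin/false\nblacklist algif_aead\n' ;;
        y) echo "built-in: apply the boot parameter from your distribution's advisory (not named in the article)" ;;
        *) echo "userspace AEAD API not built: no workaround needed" ;;
    esac
}

# Live mode: report on the host this script runs on.
if [ "${1:-}" = "--live" ]; then
    running=$(uname -r)
    echo "kernel $running: $(kernel_status "$running")"
    cfg="/boot/config-$running"
    if [ -r "$cfg" ]; then
        mode=$(aead_api_mode < "$cfg")
    elif [ -r /proc/config.gz ]; then
        mode=$(zcat /proc/config.gz | aead_api_mode)
    else
        echo "no kernel config found; cannot pick a workaround"
        exit 1
    fi
    echo "CONFIG_CRYPTO_USER_API_AEAD=$mode"
    mitigation_for "$mode"
    if [ "$mode" = m ] && lsmod | grep -q '^algif_aead'; then
        echo "algif_aead is currently loaded; a modprobe.d entry alone will not unload it"
    fi
fi
```

Run it as `sh copyfail-triage.sh --live` on the host being assessed. The modprobe.d lines it prints for the module case are meant to be dropped into a file under /etc/modprobe.d/, after which the article's caveat applies: cryptsetup, firefox-esr and other users of the AEAD userspace API should be exercised on a non-production host before the change is rolled out.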

The same research effort that uncovered Copy Fail also found additional security flaws in the kernel, at least one of which is also a privilege escalation issue. Those findings remain under coordinated disclosure. The inclusion of Copy Fail in CISA's Known Exploited Vulnerabilities catalog is likely given the availability of a reliable public exploit and the widespread impact. Organizations are urged to prioritize patching and apply mitigations where updates are not yet available.

Synthesized by Vypr AI