CVE-2026-31431 'Copy Fail': 9-Year-Old Linux Kernel Bug Grants Root Access via 10-Line Exploit
A 9-year-old Linux kernel privilege escalation vulnerability, CVE-2026-31431, allows any local user to gain root access with a 10-line exploit that works 100% of the time and leaves no disk trace.
A nine-year-old Linux kernel vulnerability, dubbed 'Copy Fail' and tracked as CVE-2026-31431, allows any local user to escalate privileges to root with a 10-line exploit that works 100% of the time. Discovered by researchers at Xint using AI-assisted scanning, the flaw affects all Linux builds since 2017 and enables container escape in Kubernetes clusters.
The vulnerability stems from a logic error in the Linux kernel's cryptography system introduced in a 2017 update meant to speed up data encryption. An unprivileged attacker can write four specific bytes of data to the in-memory copy of a readable file, piggybacking on the program's default root powers. Because exploitation occurs in temporary memory, it leaves no trace on disk, and evidence clears upon reboot.
Xint's public proof-of-concept exploit on GitHub is only 10 lines long, and a patch is freely available. The vulnerability works equally across all Linux distributions and requires no race conditions, making it highly reliable. Tim Becker, Xint senior security researcher, noted that the flaw allows attackers to edit system configuration files or manipulate sensitive application configurations.
Most concerning is the ability to escape containers in Kubernetes clusters. 'This sort of vulnerability allows container escape from any pod in a Kubernetes cluster to impact the others, or to impact the host that the cluster is running on,' Becker said. Attackers could also exploit CI/CD pipelines by injecting the exploit into automated tests, gaining access to sensitive secrets or deployment keys.
The discovery highlights the growing role of AI in vulnerability research. Xint used an internal AI tool to scan databases like Postgres, Redis, and MariaDB, finding bugs that had existed for over 20 years. However, Becker emphasized that human insight was still crucial for identifying the specific logic flaw behind Copy Fail. 'AI is changing the vulnerability research landscape significantly,' he said, 'but for issues as intricate as this, human insight is still useful. Just barely.'
Organizations are urged to apply the available patch immediately. The vulnerability underscores the risks of long-standing kernel flaws and the potential for AI to accelerate their discovery. As Becker noted, the exploit's simplicity and reliability make it a serious threat to any unpatched Linux system.