Linux Kernel 'Copy Fail' Bug (CVE-2026-31431) Allows Unprivileged Users to Gain Root Access
A high-severity local privilege escalation vulnerability in the Linux kernel's authencesn cryptographic template, dubbed Copy Fail, allows unprivileged users to gain root access on nearly all distributions released since 2017.

A newly disclosed local privilege escalation (LPE) vulnerability in the Linux kernel, tracked as CVE-2026-31431 and dubbed "Copy Fail," allows an unprivileged user to gain root access on virtually all Linux distributions released since 2017. The flaw resides in the kernel's authencesn cryptographic template and was discovered by researcher Taeyang Lee at Theori, with assistance from the company's AI-powered security scanning tool, Xint Code.
The vulnerability enables an attacker to write four controlled bytes into the page cache of any readable file on the system. Because the kernel reads the page cache when loading a binary, modifying the cached copy effectively alters the binary for execution purposes—without triggering file system event monitors like inotify. The proof-of-concept exploit is a remarkably compact 10-line, 732-byte Python script that can edit a setuid binary to escalate privileges to root.
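
A defender-side check for the behaviour described above, as an added example that is not code from the article or from Theori: it hashes each setuid file as served through the page cache and compares that with an O_DIRECT read of the on-disk copy and, optionally, with a trusted baseline digest. It assumes a tampered cache page is not written back to disk, which the article does not state; the function names, the `expected` baseline and the `/usr/bin` root are illustrative.

```python
import hashlib
import mmap
import os
import stat

CHUNK = 1 << 20  # read size; a multiple of common block sizes, as O_DIRECT requires

def digest(path, direct=False):
    """SHA-256 of a file: through the page cache, or with direct=True bypassing it
    via O_DIRECT. Returns None if the file cannot be opened or read that way."""
    try:
        fd = os.open(path, os.O_RDONLY | (os.O_DIRECT if direct else 0))
    except OSError:
        return None  # unreadable, or O_DIRECT rejected (tmpfs does this)
    h = hashlib.sha256()
    try:
        with mmap.mmap(-1, CHUNK) as buf:  # anonymous mapping: page-aligned buffer
            while True:
                n = os.readv(fd, [buf])
                h.update(buf[:n])
                if n < CHUNK:  # short read: end of file
                    return h.hexdigest()
    except OSError:
        return None  # flag accepted at open but the read was refused
    finally:
        os.close(fd)

def check_file(path, expected=None):
    """Findings for one file; expected is an optional trusted SHA-256 hex digest."""
    cached, on_disk = digest(path), digest(path, direct=True)
    if cached is None:
        return ["file not readable by this user"]
    findings = []
    if expected is not None and cached != expected:
        findings.append("cached content differs from baseline")
    if on_disk is not None and cached != on_disk:
        findings.append("cached content differs from on-disk content")
    return findings

def setuid_files(root):
    """Yield regular files under root that have the setuid bit set."""
    for dirpath, _, names in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in names):
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                yield path

if __name__ == "__main__":
    for path in setuid_files("/usr/bin"):
        for finding in check_file(path):
            print(f"{path}: {finding}")
```

A clean result only describes the cache at the moment of the check, so this complements patching rather than replacing it.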
Copy Fail is reminiscent of earlier LPE bugs such as Dirty COW and Dirty Pipe, but its discoverers emphasize a key advantage: it does not require winning a race condition. This makes the exploit more reliable and broadly applicable across different kernel versions and configurations. The flaw has been assigned a CVSS score of 7.8 (High severity).
While not remotely exploitable on its own, the bug becomes a serious threat when chained with other attack vectors—such as a web RCE, a compromised CI runner, or an SSH breach. It is of particular concern for multi-tenant Linux systems, shared-kernel containers, and CI environments that execute untrusted code. Theori notes that the vulnerability also represents a potential container escape primitive that could affect Kubernetes nodes, because the page cache is shared across the host.
Major Linux distributions have begun shipping patches. Debian, Ubuntu, and SUSE have all issued updates, and other distros have followed suit. Red Hat initially indicated it would defer the fix but later reversed course, committing to patch promptly. System administrators are urged to apply the updates as soon as possible, especially on systems where untrusted users have local access or where containers share a kernel.
The disclosure of Copy Fail comes amid a surge in vulnerability reports, many of which are being discovered with the help of AI-powered bug-hunting tools. The Internet Bug Bounty program recently suspended awards to assess how to manage the growing volume of AI-assisted submissions, and Linux creator Linus Torvalds has described the kernel's security mailing list as "almost entirely unmanageable" due to duplicate reports. Copy Fail itself was found using AI, underscoring both the promise and the challenges of automated vulnerability research.