VYPR
patch · Published May 1, 2026 · Updated May 18, 2026 · 1 source

Nine-Year-Old 'Copy Fail' Zero-Day in Linux Kernel Discovered via AI-Powered Tool

A high-severity zero-day vulnerability dubbed 'Copy Fail' (CVE-2026-31431) that has lurked in the Linux kernel since 2017 was uncovered by a researcher using an AI-driven code analysis platform, affecting all major distributions.

A nine-year-old zero-day vulnerability in the Linux kernel, tracked as CVE-2026-31431 and nicknamed 'Copy Fail,' was discovered by security researcher Taeyang Lee using Theori's AI-powered source code analysis platform, Xint.io. The flaw, a logic bug in the kernel's authencesn cryptographic template, lets an unprivileged local user perform a controlled four-byte write into the page cache of any file that user can read. Since the page cache is what every subsequent reader of the file is served, corrupting a few bytes of a file that is world-readable but normally unwritable (a root-owned setuid binary, for instance) is enough to escalate to root, and the bug affects the kernels shipped by every major Linux distribution since 2017.

The vulnerability resides in the authencesn cryptographic template, which implements an Authenticated Encryption with Associated Data (AEAD) construction, pairing a cipher with a MAC, with support for the extended sequence numbers (ESN) used by IPsec. The bug was introduced in 2017 when an optimization was added to the kernel's cryptographic subsystem. Lee found the flaw with Xint Code, Xint.io's AI-driven source analysis tool. He reported the issue to the Linux kernel security team on March 23, 2026, and a patch was developed shortly afterwards. The kernel security team assigned CVE-2026-31431 on April 22, and Theori publicly disclosed the vulnerability on April 29.

Exploiting 'Copy Fail' requires local code execution as an unprivileged user; a shell or a compromised service on the target is sufficient. No network access, kernel debugging features, or pre-installed primitives are needed. The vulnerability is particularly dangerous on multi-user shared systems and on container platforms such as Docker and Kubernetes, where every container shares the host kernel and a regular user or a compromised workload could read other users' data or escalate to root on the host. The flaw has been assigned a CVSS score of 7.8 (high severity), consistent with a local attack vector and low attack complexity.
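As an added illustration for defenders (not part of the article and not Theori's PoC), the following C program checks for the kind of tampering a page-cache write primitive leaves behind. The assumption here, which the article does not state, is that bytes written directly into the page cache change what readers see while the on-disk copy may remain intact. The check reads a file twice, once through the page cache and once with O_DIRECT, which bypasses the cache on filesystems such as ext4 and xfs, and reports the first offset where the two views disagree. Function names, return codes, the sample file path and its contents are this example's own.

```c
/*
 * page_cache_check.c: compare a file's page-cache view with its on-disk view.
 * Added illustration for this article; not Theori's PoC, not kernel code and
 * not an exploit. Assumes a filesystem that honours O_DIRECT (ext4, xfs);
 * tmpfs and some overlay setups refuse it, which is reported, not treated
 * as tampering.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#ifndef O_DIRECT
#define O_DIRECT 040000   /* Linux value on x86 and arm64; assumed for others */
#endif
#define CHUNK 4096        /* O_DIRECT needs aligned buffer, offset and length */

enum { PC_CONSISTENT = 0, PC_DIVERGES = 1, PC_ERROR = -1, PC_UNSUPPORTED = -2 };

/* Index of the first byte where a and b differ, or -1 if they match. */
long first_diff(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return (long)i;
    return -1;
}

/*
 * Read path through the page cache and with O_DIRECT, chunk by chunk.
 * On PC_DIVERGES, *diff_off receives the first offset where the views differ.
 * For regular files a short read means EOF, the only case relied on here.
 */
int page_cache_check(const char *path, off_t *diff_off)
{
    int rc = PC_ERROR, fd_c = -1, fd_d = -1;
    unsigned char *cached = aligned_alloc(CHUNK, CHUNK);
    unsigned char *direct = aligned_alloc(CHUNK, CHUNK);

    if (!cached || !direct || (fd_c = open(path, O_RDONLY)) < 0)
        goto out;
    if ((fd_d = open(path, O_RDONLY | O_DIRECT)) < 0) {
        rc = (errno == EINVAL) ? PC_UNSUPPORTED : PC_ERROR;
        goto out;
    }
    for (off_t off = 0;; off += CHUNK) {
        ssize_t nc = pread(fd_c, cached, CHUNK, off);
        if (nc < 0)
            goto out;
        ssize_t nd = pread(fd_d, direct, CHUNK, off);
        if (nd < 0) {
            rc = (errno == EINVAL) ? PC_UNSUPPORTED : PC_ERROR;
            goto out;
        }
        size_t n = (size_t)(nc < nd ? nc : nd);
        long d = first_diff(cached, direct, n);
        if (d < 0 && nc != nd)          /* same bytes, but one view is shorter */
            d = (long)n;
        if (d >= 0) {
            if (diff_off)
                *diff_off = off + d;
            rc = PC_DIVERGES;
            goto out;
        }
        if (nc < CHUNK) {               /* both views reached EOF together */
            rc = PC_CONSISTENT;
            goto out;
        }
    }
out:
    if (fd_c >= 0) close(fd_c);
    if (fd_d >= 0) close(fd_d);
    free(cached);
    free(direct);
    return rc;
}

/* Constructed sample: two chunks of a byte pattern, flushed to disk. */
int make_sample_file(const char *path)
{
    unsigned char buf[CHUNK];
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    for (int c = 0; c < 2; c++) {
        for (size_t i = 0; i < CHUNK; i++)
            buf[i] = (unsigned char)((i + c) & 0xff);
        if (write(fd, buf, CHUNK) != CHUNK) { close(fd); return -1; }
    }
    int rc = fsync(fd) == 0 ? 0 : -1;
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    off_t off = 0;
    if (argc != 2) { fprintf(stderr, "usage: %s <file>\n", argv[0]); return 2; }
    int rc = page_cache_check(argv[1], &off);
    if (rc == PC_DIVERGES)
        printf("%s: page cache differs from disk at offset %lld\n", argv[1], (long long)off);
    else if (rc == PC_CONSISTENT)
        printf("%s: page cache matches disk\n", argv[1]);
    else
        printf("%s: cannot check (%s)\n", argv[1],
               rc == PC_UNSUPPORTED ? "O_DIRECT unsupported" : "I/O error");
    return rc == PC_DIVERGES;
}
```

Run it against files a local attacker would target (setuid binaries, files under /etc). A divergence is strong evidence of page-cache tampering; a clean result is only a statement about that moment, since an evicted page loses the evidence and a filesystem that refuses O_DIRECT cannot be checked this way at all.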

Theori has published a proof-of-concept (PoC) exploit so that defenders can verify their own systems and validate vendor patches. The fix, now available, reverts the AEAD optimization that was added in 2017. The researchers advise updating the distribution's kernel package to a version that includes commit a664bf3d603d from the main branch. Major Linux distributions, including Debian, Ubuntu, SUSE, and Red Hat, have already released fixes. Note that distribution kernels usually carry such fixes as backports without changing the upstream version string, so confirm the fix through the vendor advisory or the kernel package changelog for CVE-2026-31431 rather than by comparing the running kernel version against mainline.

The discovery of 'Copy Fail' highlights the growing role of artificial intelligence in vulnerability research. AI-driven tools like Xint.io can analyze large codebases for subtle logic bugs that might otherwise go unnoticed for years. The case also shows the value of proactive code analysis, since the flaw remained undetected for nearly a decade despite sitting in one of the most scrutinized pieces of open-source software in the world.

Although the vulnerability needs local access rather than a network path, its impact on shared infrastructure is significant. Organizations running multi-tenant environments or containerized workloads should prioritize patching to mitigate the risk of local privilege escalation. Since a PoC exploit is publicly available, attackers may soon incorporate this flaw into their toolkits, making timely patching even more critical.

In summary, 'Copy Fail' is a stark reminder that even well-audited codebases can harbor long-lived vulnerabilities. The combination of AI-assisted discovery and responsible disclosure has ensured that a fix is now available, but the incident also raises questions about how many other similar flaws remain hidden in critical infrastructure software.

Synthesized by Vypr AI