On April 29, 2026, the Linux community was hit with one of the most significant privilege escalation vulnerabilities in recent history. Tracked as CVE-2026-31431 and dubbed “Copy Fail,” this zero-day allows any unprivileged local user to obtain full root access on virtually every major Linux distribution shipped since 2017.
Discovered by researcher Taeyang Lee of Theori and weaponized via AI-assisted analysis by the Xint Code Research Team, Copy Fail is not a complex race condition. It is a straight-line logic bug that has lived in the kernel’s cryptographic template for nearly a decade.
The Technical Flaw: How “Copy Fail” Works
The vulnerability stems from a 2017 optimization in the kernel’s algif_aead.c file. This optimization allowed the kernel to perform “in-place” cryptographic operations to save memory.
The Exploit Chain
- The Trigger: An attacker uses the
AF_ALGsocket interface combined with thesplice()system call to feed a file into the kernel’s crypto engine. - The Intersection: Because of the 2017 optimization, the kernel points both the “source” and “destination” of the cryptographic operation to the same physical memory—the Page Cache.
- The Overwrite: When using the
authencesnalgorithm (often used for IPsec), the kernel uses the destination buffer as “scratch space” to rearrange bytes. It inadvertently writes 4 bytes of data directly into the Page Cache of a file that should be read-only. - The Persistence: Because this happens in the Page Cache (memory) and not on the disk, the Linux kernel never marks the page as “dirty.” Standard file integrity tools (which check the disk) see nothing, while the system executes a corrupted, “rooted” version of a setuid binary like
/usr/bin/su.
The 732-Byte Python Script
Unlike previous high-profile exploits like Dirty Cow or Dirty Pipe, which often required specific kernel offsets or complex payloads, Copy Fail is devastatingly simple.
The Xint Code Research Team demonstrated that a 732-byte Python script using only standard libraries can achieve a deterministic root shell on every tested architecture (x86_64, ARM64). There is no “winning a race” or recompiling code; the script simply triggers the logic bug and grants an instant root prompt.
Container Escape and Kubernetes Risks
The “Copy Fail” vulnerability is particularly catastrophic for cloud environments. Because the Page Cache is shared across all processes on a host—including those inside containers—the bug functions as a perfect Kubernetes container escape.
A compromised container can use Copy Fail to corrupt a binary visible to the host kernel or other containers. Part 2 of the Xint Code research has already demonstrated full Kubernetes node compromise using this primitive, allowing an attacker to move from a single pod to the entire cluster infrastructure.
Affected Distributions
The vulnerability affects all Linux kernels from version 4.14 up to the latest unpatched mainline.
| Distribution | Tested Kernel Version | Status |
|---|---|---|
| Ubuntu 24.04 LTS | 6.17.0-1007-aws | Vulnerable |
| Amazon Linux 2023 | 6.18.8-9.213.amzn2023 | Vulnerable |
| RHEL 14.3 | 6.12.0-124.45.1.el10_1 | Vulnerable |
| SUSE 16 | 6.12.0-160000.9-default | Vulnerable |
Export to Sheets
Remediation: Immediate Action Required
The official fix (commit a664bf3d603d) separates the input and output memory buffers, ensuring that the Page Cache can never be used as a writable destination for cryptographic scratch space.
1. Patch Your Kernel
Apply the latest security updates from your distribution provider immediately. Most major vendors released patches within 24 hours of disclosure.
2. Emergency Mitigation
If you cannot reboot or patch immediately, you can eliminate the attack surface by disabling the affected kernel module:
Bash
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
rmmod algif_aead 2>/dev/null
Conclusion: A Decade of Trust Broken
“Copy Fail” is a sobering reminder that simple logic errors in core infrastructure can remain hidden for years. It required three independent code changes over six years to converge into this “perfect” exploit. For system administrators, the message is clear: patch your Linux kernels today, or risk a total compromise of your host and container environments.
