What Is the “Copy Fail” Bug Hitting Major Linux Versions — and Why It’s So Dangerous

A newly disclosed Linux vulnerability known as “Copy Fail” is being called one of the most serious local bugs to hit the open‑source operating system in years, giving almost any logged‑in user a reliable path to full root control on most major Linux distributions released since 2017. Security researchers say a 732‑byte Python script is enough to exploit the flaw, tracked as CVE‑2026‑31431, on default installs of Ubuntu, Red Hat, SUSE, Amazon Linux, and others, making it a critical concern for servers, desktops, and container platforms alike.

What is Copy Fail?

Copy Fail is the informal name given to CVE‑2026‑31431, a high‑severity local privilege escalation bug in the Linux kernel’s cryptographic subsystem.

  • It lives in the authencesn cryptographic template and the algif_aead module, part of the kernel’s user‑space crypto API exposed via the AF_ALG socket family.
  • The flaw was introduced in 2017 by a kernel commit that added “in‑place” AEAD encryption operations, inadvertently allowing page‑cache pages to be placed in a writable scatter‑list.
  • It affects kernel versions from roughly 4.14 up to early 2026, before being fixed upstream in April; distributions that shipped kernels in this window are considered vulnerable until patched.

Security firm Theori and consultancy Xint Code, which jointly disclosed the bug, describe it as “732 bytes to root on every major Linux distribution,” stressing that the same tiny exploit script worked on stock builds of Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1 and SUSE 16 in their tests.

CERT‑EU rates the vulnerability CVSS 7.8 (high) and warns it affects “every mainstream Linux distribution shipping a kernel built since 2017,” with a public proof‑of‑concept now widely available.

How the bug actually works

At its core, Copy Fail allows any unprivileged local user (anyone who can run code on the system) to perform a controlled 4‑byte write into the page cache of any file they can read.

Researchers explain the chain like this:

1. AF_ALG crypto socket: The attacker opens an AF_ALG socket to the kernel’s AEAD crypto API (via algif_aead) and sets up a context using the vulnerable authencesn template.

2. splice() misuse: By combining that with the splice() system call — normally used to move data between file descriptors without copying into user space — they convince the kernel to write into a page‑cache‑backed page instead of a normal user buffer.

3. 4‑byte page‑cache write: Because of the logic flaw, the operation becomes a deterministic, attacker‑controlled four‑byte overwrite inside the in‑memory copy of a file, without touching the file on disk.

4. Setuid binary corruption: If those four bytes land in the right place within a setuid‑root binary (for example /usr/bin/su), the attacker can alter how it behaves when executed, typically redirecting control flow to gain a root shell.

Because the modification happens entirely in the page cache, not the on‑disk file, the change is stealthy: standard file‑integrity checks or backups won’t see anything wrong, yet the next time that binary is run, it behaves as if it has been patched in place.

Theori says its exploit was “100% reliable” in its tests, with no race condition and no need for kernel offsets or version‑specific tuning, a big part of why the researchers compare Copy Fail to the notorious Dirty Pipe vulnerability and in some ways consider it more practical.

Which Linux systems are affected?

The short answer from multiple advisories: almost all mainstream Linux systems built between 2017 and early 2026, unless they have already applied fixed kernels.

  • Theori says the same 732‑byte Python exploit “roots every Linux distribution shipped since 2017,” and they verified it on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1 and SUSE 16.
  • CERT‑EU confirms that the bug affects “every mainstream Linux distribution shipping a kernel built since 2017,” tied to the 2017 in‑place AEAD change.
  • Ubuntu’s security team notes that 4.15‑series kernels (and later vulnerable lines) are impacted; older 4.4 and 3.13 series are not, because they predate the problematic commit.

Crucially, the bug is local: an attacker needs some form of code execution or shell on the machine — via a compromised account, a web app foothold, or malicious workload — then uses Copy Fail to jump from basic user to root.

That makes it especially dangerous for:

  • Multi‑tenant servers (hosting many users or customers).
  • CI/CD runners and build systems that run untrusted code.
  • Shared‑kernel containers (Docker, LXC, Kubernetes) where compromising a container could be a stepping stone to owning the host.

Kaspersky’s Securelist highlights the container angle, warning that if the vulnerable algif_aead module is available on the host, processes inside a Docker or Kubernetes container can access AF_ALG and potentially break isolation to take over the physical machine.

How serious is it compared with past Linux bugs?

Security analysts are drawing explicit parallels between Copy Fail and Dirty Pipe, the 2022 Linux bug that also enabled easy local privilege escalation through a page‑cache flaw.

Theori and Xint argue that Copy Fail is unusual because it combines four properties that “almost never appear together”:

  • Portable: one exploit script works across many kernel versions and distributions, without per‑version offsets.
  • Tiny: the proof of concept is just 732 bytes of Python, simple enough to embed, obfuscate or hide inside other tooling.
  • Stealthy: it changes only in‑memory pages, so no on‑disk file modifications are needed.
  • Cross‑container: it can be exploited from inside a container if kernel crypto APIs are exposed.

The Hacker News quotes the researchers as saying that any user account, “no matter how low‑level,” can escalate to full admin access, bypass sandboxing and work “across all Linux versions and distributions” that shipped the vulnerable kernels.

Across security forums and Reddit threads, Copy Fail has been described as the most impactful local Linux bug since Dirty Pipe and Dirty COW, largely because it hits such a wide time window (2017‑2026) and has a polished public exploit.

How it’s being fixed — and what admins should do

The good news is that kernel patches already exist, and major distributions are rolling out updates.

  • The upstream Linux kernel team fixed the issue on April 1, 2026, by reverting the 2017 “in‑place” AEAD optimization and ensuring page‑cache pages are no longer part of writable scatter‑lists in algif_aead.
  • Theori says fixes landed in kernel versions 6.18.22, 6.19.12 and 7.0, with downstream backports for older supported lines.
  • Ubuntu, Red Hat, SUSE and others have begun shipping patched kernel packages; Ubuntu’s advisory explicitly labels them “Copy Fail fixes” and urges immediate installation.

Security advisories recommend a two‑tier response:

1. Patch and reboot

  • Apply your distribution’s latest kernel updates on all affected systems, then reboot so the new kernel is running.
  • Confirm that your kernel version includes the Copy Fail fix or is outside the 2017–2026 vulnerable range.

2. Short‑term mitigations where patching is delayed

  • Disable access to the vulnerable crypto interface by blocking AF_ALG socket creation with seccomp filters, or by blacklisting/unloading the algif_aead kernel module.
  • Harden multi‑tenant and containerized environments by restricting which workloads can access low‑level kernel features and by tightening role‑based access controls.
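A small shell helper for the two‑tier response above: the kernel‑version check in step 1 and the algif_aead blacklisting in step 2. It is an added example, not code from the article, Theori or any distribution; the fixed versions (6.18.22, 6.19.12, 7.0) and the 4.14+ window are the article's figures, while the modprobe directives and the /proc/modules line format are standard Linux.

```shell
#!/bin/sh
# Added helper (not from the article, Theori or any distribution). Fixed versions
# 6.18.22 / 6.19.12 / 7.0 and the 4.14+ vulnerable window are the article's figures.

# Split a `uname -r` string such as "6.8.0-45-generic" into "MAJOR MINOR PATCH".
kver_parts() {
    v=${1%%-*}; v=${v%%+*}
    maj=${v%%.*}; rest=${v#"$maj"}; rest=${rest#.}
    min=${rest%%.*}; rest=${rest#"$min"}; rest=${rest#.}
    pat=${rest%%.*}
    echo "${maj:-0} ${min:-0} ${pat:-0}"
}

# Classify a kernel release: predates-bug, fixed-upstream, or check-advisory.
# A version inside the window only says the line is affected; distributions backport
# the fix without changing the upstream number, so that case needs the vendor advisory.
copyfail_status() {
    set -- $(kver_parts "$1")
    if [ "$1" -lt 4 ] || { [ "$1" -eq 4 ] && [ "$2" -lt 14 ]; }; then
        echo predates-bug
    elif [ "$1" -ge 7 ] \
      || { [ "$1" -eq 6 ] && [ "$2" -eq 19 ] && [ "$3" -ge 12 ]; } \
      || { [ "$1" -eq 6 ] && [ "$2" -eq 18 ] && [ "$3" -ge 22 ]; }; then
        echo fixed-upstream
    else
        echo check-advisory
    fi
}

# True when algif_aead appears in a /proc/modules-style listing read from stdin.
algif_aead_loaded() {
    grep -q '^algif_aead '
}

# modprobe.d fragment: "blacklist" only stops alias-based autoload, so the "install"
# override is what blocks an explicit modprobe. Neither helps if the module is
# built into the kernel (check /lib/modules/$(uname -r)/modules.builtin).
algif_aead_blacklist_conf() {
    printf 'blacklist algif_aead\ninstall algif_aead /bin/false\n'
}

# Live inspection only when explicitly asked for: sh copyfail_check.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "kernel $(uname -r): $(copyfail_status "$(uname -r)")"
    if [ -r /proc/modules ] && algif_aead_loaded </proc/modules; then
        echo "algif_aead is loaded: unload it and install the blacklist fragment"
    fi
fi
```

For detection while a host is still unpatched, an auditd rule on the socket() syscall filtered on its first argument (AF_ALG is address family 38 on Linux) records every crypto‑socket open.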

CERT‑EU warns that because a public exploit exists and is trivial to adapt, organizations should assume Copy Fail will rapidly make its way into attacker toolkits, especially for post‑exploitation on Linux servers and CI pipelines.

For defenders, the bug is a reminder that even mature, heavily audited code like the Linux kernel can conceal long‑lived logic errors, and that a few seemingly innocuous bytes in the right place can redraw the security map for almost a decade’s worth of systems.
