A single 732-byte Python script. Four controlled bytes. And root access on virtually every Linux machine shipped since 2017.
That is the reality of Copy Fail, a newly disclosed Linux local privilege escalation vulnerability tracked as CVE-2026-31431. Discovered by Xint.io and Theori, the flaw carries a CVSS score of 7.8.
The vulnerability allows any unprivileged local user to write four controlled bytes into the page cache of any readable file. From there, gaining root is straightforward.
What Is Copy Fail?
The Linux local privilege escalation Copy Fail vulnerability resides in the Linux kernel's cryptographic subsystem, specifically within the algif_aead module. The flaw was introduced in a source code commit made in August 2017.
That means every mainstream Linux distribution released in the past nine years is vulnerable. Amazon Linux, Red Hat Enterprise Linux, SUSE, Ubuntu, Debian—all of them.
The Linux local privilege escalation Copy Fail vulnerability allows an unprivileged user to corrupt the page cache of a setuid binary like /usr/bin/su. Setuid binaries run with the privileges of the file's owner (usually root) regardless of who executes them. Corrupting one means injecting malicious code that will later run with root privileges.
How the Exploit Works
The Linux local privilege escalation Copy Fail exploit is remarkably simple. A 732-byte Python script performs four steps:
Step 1: Create an AF_ALG socket. The script opens a socket(AF_ALG, SOCK_SEQPACKET, 0) and binds it to the kernel's aead type with the algorithm name authencesn(hmac(sha256),cbc(aes)). That hands the unprivileged process an AEAD context served by the algif_aead module.
Step 2: Build the payload. The attacker prepares a minimal piece of shellcode: the few instructions needed to hand back a root shell once they execute inside a process that already runs as root.
Step 3: Write into the page cache. Using that AEAD context and splice(), the exploit overwrites four bytes of the cached copy of /usr/bin/su, corrupting the in-memory binary without touching the file on disk.
Step 4: Execute. The script calls execve() on /usr/bin/su. Because su is setuid root, the kernel maps the corrupted pages into a root-privileged process and the injected payload runs as root.
That is it. No race condition. No kernel offset guessing. No complex memory corruption. The Linux local privilege escalation Copy Fail vulnerability is reliable, portable, and works the same way across every affected distribution.
Why Copy Fail Is Dangerous
The research team at Xint.io and Theori identified four properties that make the Linux local privilege escalation Copy Fail vulnerability particularly dangerous.
1. Portable - The same exploit works on every vulnerable Linux distribution and does not depend on kernel version, compiler specifics or hardware architecture.
2. Tiny - Only 732 bytes as a Python script. This is small enough to tweet, embed in a seemingly harmless script, or hide in a shared computing environment.
3. Stealthy - The exploit corrupts the page cache, not the on-disk binary. The bytes of /usr/bin/su on disk never change, so disk forensics show nothing, and the modification disappears, evidence included, as soon as the page is evicted or the host reboots. An integrity check that reads the file through the cache can see the corruption, but only while the page stays resident.
4. Cross-container - The page cache is shared by every process on a host, including processes inside containers, so an attacker in one container can corrupt the cached copy of a file it can open, and the host or any other container that maps the same file then executes the corrupted bytes. Which files are exposed depends on the mounts: a binary in a shared image layer or on a bind-mounted host path is shared, a file that exists only in another container's private layer is not.
Copy Fail vs. Dirty Pipe
Security researchers are drawing comparisons between Copy Fail and Dirty Pipe (CVE-2022-0847), another Linux kernel LPE vulnerability discovered in 2022.
Dirty Pipe allowed unprivileged users to splice data into the page cache of read-only files, overwriting sensitive files to achieve code execution. Copy Fail uses a similar primitive in a different subsystem.
Bugcrowd's David Brumley explained the connection: "Copy Fail is the same class of primitive, in a different subsystem. The 2017 in-place optimization in algif_aead allows a page-cache page to end up in the kernel's writable destination scatterlist for an AEAD operation submitted over an AF_ALG socket. An unprivileged process can then drive splice() into that socket and complete a small, targeted write into the page cache of a file it doesn't own."
Dirty Pipe was bad. Copy Fail may be worse because of its cross-container impact and the fact that it has existed since 2017 without detection.
Impact Across Distributions
The Linux local privilege escalation Copy Fail vulnerability affects essentially every mainstream Linux distribution.
Following disclosure, major vendors released security advisories:
1. Amazon Linux – Patched versions available
2. Debian – Security update released
3. Red Hat Enterprise Linux – Fixes available for affected versions
4. SUSE – Patches distributed
5. Ubuntu – Security update published
If you are running any Linux distribution released after August 2017, assume you are vulnerable to the Linux local privilege escalation Copy Fail flaw until you apply the patch.
Is Copy Fail Remotely Exploitable?
No. The Linux local privilege escalation Copy Fail vulnerability requires local access. An attacker must already have the ability to run code on the target system.
However, that local access is often easy to obtain. A phishing email, malicious document, or compromised web application can give an attacker an unprivileged foothold. The Linux local privilege escalation Copy Fail flaw then turns that low-privileged foothold into full root access.
The vulnerability is most dangerous wherever several users or tenants share one kernel: shared hosting, university computer labs, and cloud VMs that run jobs for multiple tenants, such as CI/CD runners.
Technical Deep Dive
The vulnerability results from a logic flaw in the kernel's cryptographic subsystem. An optimization introduced in 2017 in the algif_aead module, which performs authenticated encryption with associated data (AEAD), lets a page-cache page end up in the kernel's writable destination scatterlist during an AEAD operation submitted over an AF_ALG socket. An unprivileged user can then drive splice() to land a small amount of controlled data in that page-cache page.
The exploit targets a setuid binary such as /usr/bin/su or /usr/bin/sudo. Changing only four bytes of the cached copy is enough to redirect execution to injected shellcode or to defeat a permission check, and the binary then runs with the file owner's privileges.
Because the corruption lives only in the page cache, the file on disk never changes. Disk imaging and any tool that reads around the cache see a pristine binary, and once the page is evicted or the host reboots, nothing is left. The modification is visible only to a check that reads the file through the page cache while the corrupted page is still resident, which is the defender's window.
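One way to use that window, as an added example written for this article rather than anything published by Xint.io or Theori: a normal read() is served from the page cache, while a read on a descriptor opened with O_DIRECT is served from the disk blocks, so diffing the two views of a setuid binary exposes a cached copy that no longer matches the file beneath it (this is also the check the "Stealthy" property above calls for). The script walks every setuid or setgid binary in the usual directories, or the paths given on the command line; the directory list, the one-megabyte read size and the output format are my choices, and because O_DIRECT is not honoured on every filesystem, files it cannot read directly are reported as undecidable rather than called clean.

```python
"""Compare the page-cache view of setuid binaries with the bytes on disk.

A normal read() is satisfied from the page cache; a read through a descriptor
opened with O_DIRECT bypasses the cache and returns the disk blocks. If the
two views differ, something changed the cached copy without writing the file.
Constructed for this article; not the Xint.io/Theori tooling.
"""
import mmap
import os
import stat
import sys

CHUNK = 1 << 20  # 1 MiB: page-aligned and a multiple of any block size (my choice)
DEFAULT_DIRS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin")  # assumed locations


def read_buffered(path):
    """Normal read: served from the page cache while the pages are cached."""
    with open(path, "rb") as f:
        return f.read()


def read_direct(path):
    """Read the on-disk bytes via O_DIRECT, bypassing the page cache.

    Returns None when O_DIRECT is unavailable (non-Linux, tmpfs, some overlay
    and network filesystems) or the file cannot be opened, so the caller can
    tell "undecidable" apart from "matches".
    """
    flag = getattr(os, "O_DIRECT", None)
    if flag is None:
        return None
    try:
        fd = os.open(path, os.O_RDONLY | flag)
    except OSError:
        return None
    buf = mmap.mmap(-1, CHUNK)  # anonymous mmap is page-aligned, as O_DIRECT requires
    out = bytearray()
    try:
        size = os.fstat(fd).st_size
        while len(out) < size:
            n = os.readv(fd, [buf])  # short read at EOF, 0 afterwards
            if n <= 0:
                break
            out += buf[:n]
    except OSError:
        return None
    finally:
        os.close(fd)
        buf.close()
    return bytes(out[:size])


def diff_offsets(cached, disk, limit=16):
    """Offsets where the two views disagree; a length difference counts as one."""
    offs = [i for i, (a, b) in enumerate(zip(cached, disk)) if a != b]
    if len(cached) != len(disk):
        offs.append(min(len(cached), len(disk)))
    return offs[:limit]


def compare(path):
    """None if undecidable, otherwise the differing offsets (empty means clean)."""
    disk = read_direct(path)
    if disk is None:
        return None
    return diff_offsets(read_buffered(path), disk)


def setuid_binaries(dirs=DEFAULT_DIRS):
    """Regular files with the setuid or setgid bit, deduplicated by real path."""
    found = set()
    for d in dirs:
        try:
            names = os.listdir(d)
        except OSError:
            continue
        for name in names:
            path = os.path.join(d, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.add(os.path.realpath(path))
    return sorted(found)


def main(paths):
    """Report each binary; return the number whose cached bytes differ from disk."""
    suspicious = 0
    for path in paths or setuid_binaries():
        where = compare(path)
        if where is None:
            print(f"?  {path}  (O_DIRECT not usable here; compare against a known-good hash instead)")
        elif where:
            suspicious += 1
            print(f"!! {path}  page cache differs from disk at offsets {where}")
        else:
            print(f"ok {path}")
    return suspicious


if __name__ == "__main__":
    sys.exit(1 if main(sys.argv[1:]) else 0)
```

It needs no root, only read access to the binaries. A mismatch is worth treating as an incident, but remember that the corruption is visible only while the page is resident: evicting the cache (drop_caches, a reboot) restores the on-disk bytes and destroys the only evidence, so save the buffered copy of the file before doing either.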
How to Protect Your Systems
The Linux local privilege escalation Copy Fail vulnerability is serious. Here is what you need to do.
1. Patch as soon as possible. Distributions have shipped fixed kernels. Install the update and reboot into the new kernel; do not delay.
2. If you cannot patch immediately, reduce who can run code on the host. Limit local accounts to people who need them, remove build, development and test environments that hand additional users a shell, and treat any unprivileged code execution on an unpatched kernel as equivalent to root until it is fixed.
3. Use live kernel patching to apply the fix without a reboot where your vendor publishes a live patch for it: kpatch on Red Hat, kGraft on SUSE, canonical-livepatch on Ubuntu. Confirm that the live patch actually covers CVE-2026-31431 rather than assuming it does.
4. Watch for AF_ALG socket use. The exploit has to open an AF_ALG socket, and most workloads never do. Audit socket() calls for that family and investigate any process that opens one on a system with no known user of the kernel crypto API.
5. If untrusted local users had access while the kernel was unpatched, assume the exploit was run. A reboot evicts the corrupted page but does nothing about what an attacker did with root afterwards, so audit your setuid binaries, look for persistence, and reinstall from trusted media wherever you cannot re-establish trust.
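The monitoring item 4 asks for, as an added example that is not part of the original article: with an audit rule such as `-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg` (38 is AF_ALG in the kernel's socket.h, and a0 is the first syscall argument), auditd records every socket() call that requests the AF_ALG family. The parser below pulls the matching SYSCALL records out of audit.log and drops processes on an allowlist of known legitimate users. The log records embedded in it are constructed for the example, and the allowlist and the set of ABIs it recognises (x86_64 and aarch64) are my assumptions.

```python
"""Find socket(AF_ALG, ...) calls in auditd SYSCALL records.

Pairs with an audit rule that tags socket() calls whose first argument is
AF_ALG, for example:
    -a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg
Constructed for this article; the sample records below are made up.
"""
import re

AF_ALG = 38  # AF_ALG in include/linux/socket.h

# (value of the audit 'arch' field, socket() syscall number).
# Assumed set: add the other ABIs you run.
SOCKET_SYSCALLS = {
    ("c000003e", 41),   # x86_64
    ("c00000b7", 198),  # aarch64
}

# key=value pairs; values are either "quoted strings" or bare tokens
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: one x86_64 hit, one unrelated AF_INET socket, one
# aarch64 hit by a tool assumed to be a legitimate user, and one failed attempt.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1712345678.901:1001): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3" key="af_alg"
type=PROCTITLE msg=audit(1712345678.901:1001): proctitle=707974686F6E3300782E7079
type=SYSCALL msg=audit(1712345679.120:1002): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=1 a2=6 a3=0 items=0 ppid=900 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key=(null)
type=SYSCALL msg=audit(1712345680.005:1003): arch=c00000b7 syscall=198 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1 pid=2222 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="af_alg"
type=SYSCALL msg=audit(1712345681.333:1004): arch=c000003e syscall=41 success=no exit=-1 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1200 pid=1235 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=5 comm="a.out" exe="/tmp/a.out" key="af_alg"
"""


def parse_record(line):
    """Split one audit line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def is_af_alg_socket(rec):
    """True for a SYSCALL record of socket() whose family argument is AF_ALG."""
    if rec.get("type") != "SYSCALL":
        return False
    try:
        syscall = int(rec["syscall"])
        family = int(rec["a0"], 16)  # audit logs syscall arguments in hex
    except (KeyError, ValueError):
        return False
    return (rec.get("arch"), syscall) in SOCKET_SYSCALLS and family == AF_ALG


def af_alg_openers(lines, allow=frozenset()):
    """AF_ALG socket creations not made by an allowlisted command name.

    Failed calls are kept on purpose: a blocked attempt is still an attempt.
    """
    hits = []
    for line in lines:
        rec = parse_record(line)
        if is_af_alg_socket(rec) and rec.get("comm") not in allow:
            hits.append({k: rec.get(k) for k in ("pid", "auid", "uid", "comm", "exe", "success")})
    return hits


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_AUDIT_LOG.splitlines()
    for hit in af_alg_openers(lines, allow={"cryptsetup"}):  # allowlist is an assumption
        print(hit)
```

Establish a baseline before alerting on this: some userspace crypto libraries and tools use AF_ALG legitimately, so a hit means investigate, not compromised. The rule only sees socket creation, and an attacker who has already become root can switch auditing off, so ship the records off the host as they are written. Add a matching `arch=b32` rule if you run 32-bit binaries.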
Final Thoughts
The Linux local privilege escalation Copy Fail vulnerability has existed in the kernel since August 2017. For nine years, every Linux system shipped with this flaw. Every shared hosting environment. Every cloud VM. Every enterprise server.
The Linux local privilege escalation Copy Fail exploit is tiny, reliable, and stealthy. A 732-byte Python script is all it takes to turn an unprivileged user into root.
Patch now. Assume nothing. And remember that in security, nine years is an eternity.
FAQ Section
Q1: What versions of Linux are affected by CVE-2026-31431?
The Linux local privilege escalation Copy Fail vulnerability affects all Linux distributions using kernel versions released after August 2017. This includes Amazon Linux, RHEL, SUSE, Ubuntu, Debian, and virtually every other mainstream distribution from the past nine years.
Q2: Can the vulnerability of Copy Fail be exploited remotely?
Copy Fail cannot be exploited remotely on its own: an attacker must be able to run code on the target as a local, unprivileged user. Physical access is not required. That foothold can be obtained remotely, through phishing, a web application compromise, or any other method that lets the attacker execute code on the machine, after which Copy Fail escalates it to root.
Q3: Is the Copy Fail vulnerability worse than the Dirty Pipe vulnerability?
Both are significant risks for Linux, but Copy Fail gives an attacker some advantages: it is cross-container, it leaves the on-disk binary unchanged, it needs no race condition or kernel offset guessing, and the same exploit works across every distribution that runs the Linux kernel.
Q4: How can I tell if my Kernel is compromised by Copy Fail?
These are two separate questions. To tell whether you are vulnerable, compare the running kernel (uname -r) with the fixed versions in your distribution's security advisory; any kernel from August 2017 onward that has not received the fix for CVE-2026-31431 is vulnerable. To tell whether you have been compromised, remember that the on-disk binary is untouched: compare what the page cache serves for your setuid binaries against the bytes on disk, review audit logs for unexpected AF_ALG socket creation, and look for the persistence an attacker would have left behind after gaining root.
Q5: Does Copy Fail impact the security of containers?
Yes. The page cache is shared by every process on the host, containers included. A compromised container that can open a file whose pages are also used by the host or by other containers (a shared image layer, or a bind-mounted host path) can corrupt the cached copy those other containers execute, breaking container isolation.