HN Today

Copy Fail – CVE-2026-31431

A critical Linux local privilege escalation (LPE) vulnerability, dubbed "Copy Fail" (CVE-2026-31431), has been disclosed. It affects nearly every Linux distribution shipping a kernel built since 2017. The bug is a straight-line logic flaw rather than a race and is described as 100% reliable: an unprivileged local user gains root with a 732-byte Python script. Its breadth, its stealth (the malicious write never reaches disk), and its AI-assisted discovery have drawn substantial attention.

Score: 14 | Comments: 3 | Highest Rank: #2 | 18h on Front Page
First Seen: Apr 29, 6:00 PM | Last Seen: Apr 30, 11:00 AM
Rank Over Time: 533322234367887677 (per-hour rank digits as extracted from the chart)

The Lowdown

A critical local privilege escalation (LPE) vulnerability, dubbed "Copy Fail" (CVE-2026-31431), has been publicly disclosed, affecting nearly every Linux distribution released since 2017. The flaw lets an unprivileged local user reliably obtain root with a 732-byte Python script, which makes it a serious risk for shared systems, container environments, and cloud infrastructure. The bug is a straight-line logic flaw in the kernel's crypto API and has been exploitable, unnoticed, for almost a decade.

  • Widespread Impact: Affects virtually all mainstream Linux distributions running kernels from the 2017 change through those built before the fix. The only prerequisite is an unprivileged local account; no network access is needed.
  • Reliable and Portable: The exploit is 100% reliable, does not depend on race conditions, kernel-specific offsets, or per-distribution tuning, and the same 732-byte Python script runs unmodified on Ubuntu, Amazon Linux, RHEL, and SUSE.
  • Stealthy Page Cache Manipulation: The primitive is a 4-byte write into the page-cache copy of any file the attacker can read (for example /usr/bin/su). The write does not go through the VFS write path, so the modified page is never written back and nothing changes on disk. Once the page is evicted or the host reboots, the modification is gone, so a disk image taken afterwards looks clean; detection has to happen on the live system.
  • Significant Risk Profiles: Poses a high risk to multi-tenant Linux hosts, Kubernetes/container clusters (where it serves as a container escape primitive), CI runners, and cloud SaaS platforms that run customer code, since any tenant or untrusted workload that can execute code on the host kernel can gain host root.
  • Technical Root Cause: A logic bug in the authencesn template of the kernel crypto API, reachable from user space through AF_ALG and splice(). A 2017 in-place optimization allowed page-cache pages spliced in as input to end up in the writable destination scatterlist, so the template's output lands in the page cache. The fix reverts that optimization.
  • Mitigation: Update to a kernel that includes mainline commit a664bf3d603d (or the distribution backport of it). Until then, prevent the algif_aead module from loading and unload it if it is already loaded; this workaround only helps where algif_aead is built as a module rather than into the kernel.
  • AI-Assisted Discovery: The bug was found by Xint Code: a human researcher's initial insight was scaled and verified by AI across the crypto/ subsystem in roughly an hour.
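Two live-host checks follow directly from the "Stealthy Page Cache Manipulation" and "Mitigation" points above. The code below is an added editorial example, not code from the advisory, from Xint, or from the exploit: probe_aead_socket() binds an AF_ALG socket to an authencesn AEAD instance, the user-space entry point of the AF_ALG -> authencesn -> splice() chain, so a refused bind shows that the algif_aead workaround has actually taken effect (the algorithm string is an assumption chosen for illustration; any authencesn(...) instance exercises the same template). page_cache_vs_disk() hashes a file once through ordinary read(), which is served from the page cache, and once with O_DIRECT, which bypasses it; because the write lands only in the page cache and is never written back, a mismatch on a binary such as /usr/bin/su means its cached copy no longer matches the disk. The target list and the sample data in the test are constructed.

```python
# Added example (editorial, not code from the Copy Fail advisory or from Xint).
# Assumptions: the authencesn algorithm string below is illustrative, and the
# DEFAULT_TARGETS list is a constructed stand-in for a real setuid inventory.
import errno
import hashlib
import mmap
import os
import socket
import sys

CHUNK = 1 << 20  # 1 MiB: a multiple of any sector size O_DIRECT may require

# Constructed list for illustration; a real sweep should cover every setuid/setgid
# binary, shared library, or script that a privileged process will execute.
DEFAULT_TARGETS = ["/usr/bin/su", "/usr/bin/sudo", "/usr/bin/passwd"]


def probe_aead_socket(algo="authencesn(hmac(sha256),cbc(aes))"):
    """Return "reachable" if an AF_ALG aead socket can be bound to `algo`,
    "blocked" if the kernel refuses the socket or the bind (AF_ALG absent,
    filtered, or algif_aead not loadable), or "unsupported" where this
    Python has no AF_ALG constant at all (non-Linux)."""
    if not hasattr(socket, "AF_ALG"):
        return "unsupported"
    try:
        s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET)
    except OSError:
        return "blocked"
    try:
        s.bind(("aead", algo))  # triggers request_module("algif-aead") and template setup
        return "reachable"
    except OSError:
        return "blocked"  # typically ENOENT once algif_aead is blocklisted
    finally:
        s.close()


def _sha256_buffered(path):
    """Hash via ordinary read(): when the file is hot, bytes come from the page cache."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _sha256_direct(path):
    """Hash via O_DIRECT reads, which go to the block device and bypass the
    page cache.  Returns None where O_DIRECT is unavailable (tmpfs, some FUSE)."""
    if not hasattr(os, "O_DIRECT") or not hasattr(os, "preadv"):
        return None
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    except OSError:
        return None
    h = hashlib.sha256()
    buf = mmap.mmap(-1, CHUNK)  # anonymous mmap is page aligned, as O_DIRECT requires
    try:
        size = os.fstat(fd).st_size
        off = 0
        while off < size:  # offsets stay CHUNK-aligned; only the last read is short
            try:
                n = os.preadv(fd, [buf], off)
            except OSError as e:
                if e.errno == errno.EINVAL:  # filesystem does not honour O_DIRECT
                    return None
                raise
            if n == 0:
                break
            h.update(buf[:n])
            off += n
    finally:
        buf.close()
        os.close(fd)
    return h.hexdigest()


def page_cache_vs_disk(path):
    """Return (status, cached_sha256, disk_sha256) with status "match",
    "mismatch" (cached copy differs from disk) or "unsupported"."""
    cached = _sha256_buffered(path)
    disk = _sha256_direct(path)
    if disk is None:
        return ("unsupported", cached, None)
    return ("match" if cached == disk else "mismatch", cached, disk)


def main(targets):
    print("AF_ALG aead probe:", probe_aead_socket())
    for path in targets:
        if not os.path.exists(path):
            continue
        status, cached, disk = page_cache_vs_disk(path)
        print(f"{status:11} {path}  cached={cached[:16]}  disk={(disk or '-')[:16]}")


if __name__ == "__main__":
    main(sys.argv[1:] or DEFAULT_TARGETS)
```

Run it as root on the live host, before any reboot or cache eviction, over the real list of setuid binaries and anything else root executes. A "blocked" probe result confirms that a modprobe.d rule such as `install algif_aead /bin/false` (plus unloading the module) is effective; "reachable" on an unpatched kernel, including one where algif_aead is built in, means only the kernel update closes the hole. A "mismatch" on a file that is not legitimately being written is the signal to preserve memory and the cached bytes immediately, since the disk copy will tell you nothing.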

"Copy Fail" represents a highly impactful and stealthy LPE, distinguished by its broad compatibility, reliability, and the significant threat it poses to modern shared computing environments. Its long-standing presence and the difficulty of forensic detection underscore the critical need for rapid patching and awareness of such subtle yet powerful kernel vulnerabilities.