CVE-2026-31431 is a nine-year-old vulnerability in the Linux kernel that can let an unprivileged local user write four bytes of their choosing into the page cache of any readable file — and it has been present in kernels shipped since 2017.
The vulnerability: Copy Fail and the authencesn cryptographic template
The flaw, named "Copy Fail" by its discoverers, is a logic bug in the Linux kernel's authencesn cryptographic template. According to the researchers, Copy Fail "lets an unprivileged local user trigger a deterministic, controlled four-byte write into the page cache of any readable file on the system." Exploitation can lead to an attacker gaining root access to the Linux kernel on affected machines. The vulnerability has been assigned CVE-2026-31431 and given a high-severity CVSS score of 7.8.
Discovery and coordinated disclosure: Taeyang Lee, Xint.io, and the timeline
The vulnerability was discovered by Taeyang Lee, a vulnerability researcher at offensive security firm Theori. Lee reported the issue to the Linux kernel security team on March 23, which began working on a patch "over the next few days." The kernel team assigned the vulnerability CVE-2026-31431 on April 22; Xint.io then publicly disclosed the issue seven days later.
How the bug can be exploited — constraints and capabilities
Copy Fail is notable for the simplicity of prerequisites and severity of outcome. It requires no network access, no kernel debugging features, and no pre-installed exploitation primitives. The attacker still must have physical access to the target machine and an unprivileged local user account. The researchers emphasize the vulnerability’s impact on environments where multiple users or workloads share the same kernel: multi-user shared systems, container clusters (explicitly named: Kubernetes, Docker), and similar setups could allow a regular user to access other users' data or escalate to root via the four-byte controlled write.
Patch, mitigation, and proof-of-concept
A patch is available. The fix reverts an optimization for Authenticated Encryption with Associated Data (AEAD) operations that was introduced in 2017. The researchers instruct administrators to "Update your distribution’s kernel package to a version that includes commit a664bf3d603d from the main branch." Theori has published a proof-of-concept (PoC) exploit so that defenders can verify their own systems and validate vendor patches. Most major Linux distributions named in the disclosure — Debian, Ubuntu, SUSE and Red Hat — now provide the fix.
What this means for container cluster operators, multi-user system administrators, and defenders
- Container cluster operators (Kubernetes, Docker): clusters that share kernels among multiple tenants are explicitly called out as at risk; a regular user in a shared container could leverage the flaw to affect other containers or the host kernel.
- Administrators of multi-user shared systems: systems providing local accounts and physical access should prioritize kernel updates because the exploit requires only an unprivileged local account plus physical access to the machine.
- Defenders and incident responders: Theori’s published PoC allows teams to verify their exposure and confirm whether vendor kernel packages have applied commit a664bf3d603d. The disclosure timeline (report on March 23; CVE assigned April 22; public disclosure one week later) supplies the dates needed to check when individual deployments were patched.
Copy Fail is a reminder that subtle logic changes — in this case an AEAD optimization added in 2017 — can have far-reaching consequences years after they are merged. The immediate, actionable step in the public record is explicit: "Update your distribution’s kernel package to a version that includes commit a664bf3d603d from the main branch," as the researchers advise. With a PoC available and patches rolled into major distributions, the clock now runs on administrators to verify updates and on operators of shared-kernel environments to confirm they are no longer exposed.




