"An unprivileged local user can write four controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root," the vulnerability research team at Xint.io and Theori said.
CVE-2026-31431 and the Copy Fail designation
Researchers disclosed a high-severity Linux local privilege escalation tracked as CVE-2026-31431 and codenamed "Copy Fail" by Xint.io and Theori. The flaw carries a CVSS score of 7.8. According to the reporting, Linux distributions have issued advisories in response to the disclosure.
Root cause: a logic error in algif_aead
The defect stems from a logic flaw in the Linux kernel's cryptographic subsystem, specifically within the algif_aead module. The issue was introduced in a source code commit in August 2017. In short, an in-place optimization in algif_aead can let a page-cache page end up in the kernel’s writable destination scatterlist for an AEAD operation submitted over an AF_ALG socket, creating a write primitive into the page cache that an unprivileged process can abuse.
Exploit mechanics: a tiny, portable proof-of-concept
The public write-up describes a compact proof-of-concept: a 732-byte Python script that edits the page-cache copy of a setuid binary to obtain root. The exploit follows four explicit steps as published by the researchers:
- Open an AF_ALG socket and bind to authencesn(hmac(sha256),cbc(aes)).
- Construct the shellcode payload.
- Trigger the write operation to the kernel's cached copy of "/usr/bin/su".
- Call execve("/usr/bin/su") to load the injected shellcode and run it as root.
The vulnerability is not remotely exploitable in isolation; it requires local code execution. But because the primitive corrupts the page cache of a setuid binary, a local unprivileged user can escalate to root without exploiting a race condition or needing kernel offsets.
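The four steps above give defenders a concrete sequence to look for: an unprivileged process opens an AF_ALG socket (address family 38) and shortly afterwards executes a setuid binary such as /usr/bin/su. The script below is an added example, not code from the researchers' write-up or from any distribution; it correlates auditd SYSCALL and EXECVE records by pid and flags that sequence. The log lines are constructed for illustration, the 30-second window and the setuid watchlist are assumptions, and the syscall numbers (41 for socket, 59 for execve) are x86_64 values.

```python
import re

SYS_SOCKET = 41   # x86_64 syscall number for socket(2)
SYS_EXECVE = 59   # x86_64 syscall number for execve(2)
AF_ALG = 38       # address family of the kernel crypto API; auditd logs a0 in hex (0x26)
# Assumed watchlist of setuid binaries worth correlating against.
SETUID_TARGETS = {"/usr/bin/su", "/bin/su", "/usr/bin/sudo", "/usr/bin/passwd"}

HEADER_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample in auditd format: an unprivileged pid 1234 opens an AF_ALG
# socket and 250 ms later executes /usr/bin/su; a root service (pid 777) opens
# AF_ALG legitimately; pid 4321 runs su with no preceding AF_ALG socket.
AUDIT_SAMPLE = """\
type=SYSCALL msg=audit(1714000000.100:101): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=900 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.11" key="af_alg_socket"
type=SYSCALL msg=audit(1714000000.350:102): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd0 a1=7ffd8 a2=7ffe0 a3=0 items=2 ppid=900 pid=1234 auid=1000 uid=1000 gid=1000 euid=0 comm="su" exe="/usr/bin/su" key="setuid_exec"
type=EXECVE msg=audit(1714000000.350:102): argc=1 a0="/usr/bin/su"
type=SYSCALL msg=audit(1714000050.000:103): arch=c000003e syscall=41 success=yes exit=4 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1 pid=777 auid=4294967295 uid=0 gid=0 euid=0 comm="cryptsvc" exe="/usr/sbin/cryptsvc" key="af_alg_socket"
type=SYSCALL msg=audit(1714000060.000:104): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=900 pid=4321 auid=1000 uid=1000 gid=1000 euid=0 comm="su" exe="/usr/bin/su" key="setuid_exec"
type=EXECVE msg=audit(1714000060.000:104): argc=1 a0="/usr/bin/su"
"""


def parse_record(line):
    """Parse one auditd line into a dict of fields, or None if it is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"type": rtype, "ts": float(ts), "serial": int(serial), **fields}


def hunt(log_text, window_s=30.0):
    """Return alerts for non-root processes that created an AF_ALG socket and then
    executed a watchlisted setuid binary within window_s seconds."""
    records = [r for r in (parse_record(l) for l in log_text.splitlines()) if r]
    # EXECVE records carry the argv; join them to their SYSCALL record by serial.
    execve_argv0 = {r["serial"]: r.get("a0") for r in records if r["type"] == "EXECVE"}
    af_alg_open = {}  # pid -> (timestamp, uid) of the most recent unprivileged AF_ALG socket()
    alerts = []
    for r in records:
        if r["type"] != "SYSCALL" or r.get("success") != "yes":
            continue
        pid, uid, sysno = int(r["pid"]), int(r["uid"]), int(r["syscall"])
        if sysno == SYS_SOCKET and int(r["a0"], 16) == AF_ALG and uid != 0:
            af_alg_open[pid] = (r["ts"], uid)
        elif sysno == SYS_EXECVE and pid in af_alg_open:
            opened_ts, opener_uid = af_alg_open[pid]
            path = execve_argv0.get(r["serial"])
            if path in SETUID_TARGETS and r["ts"] - opened_ts <= window_s:
                alerts.append({"pid": pid, "uid": opener_uid, "path": path,
                               "delta_s": r["ts"] - opened_ts})
    return alerts


if __name__ == "__main__":
    for a in hunt(AUDIT_SAMPLE):
        print(f"ALERT pid={a['pid']} uid={a['uid']} AF_ALG socket then {a['path']} "
              f"after {a['delta_s']:.3f}s")
```

To produce the input records on a host, an audit rule of the form `-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg_socket` plus a watch on the setuid binaries you care about would suffice; a0 is given in decimal to auditctl and appears in hex in the log. Legitimate software also opens AF_ALG sockets, so the signal is the unprivileged socket followed closely by a setuid exec, not the socket alone, and a hit is a triage lead to confirm against the distribution's patch status rather than proof of exploitation.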
Distribution and cross-container impact: Amazon Linux, RHEL, SUSE, Ubuntu and more
Researchers say the same exploit works across distributions shipped since 2017, explicitly naming Amazon Linux, Red Hat Enterprise Linux (RHEL), SUSE, and Ubuntu. The report also warns of cross-container implications: the page cache is shared across all processes on a system, so a write performed from inside one container alters the cached copy of that file seen by every other process on the host that reads or maps it.
How Bugcrowd, Xint.io, and the research community frame the risk
David Brumley of Bugcrowd placed Copy Fail in a lineage of page-cache primitives. "Copy Fail is the same class of primitive, in a different subsystem," he said, drawing an explicit parallel to Dirty Pipe (CVE-2022-0847), another LPE that permitted unprivileged users to splice data into the page cache of read-only files and overwrite sensitive files.
A Xint.io spokesperson emphasized the combination of attributes that make the defect notable: "This vulnerability is unique because it has four properties that almost never appear together: it's portable, tiny, stealthy, and cross-container," the spokesperson told The Hacker News. "It allows any user account, no matter how low-level, to increase their privilege to full admin access. It also allows them to bypass sandboxing and works across all Linux versions and distributions."
What this means for technologists, container operators, and enterprises
- Technologists and security teams: Prioritize the kernel updates and advisories issued by distributions. Because the exploit needs no race condition and is very small, it leaves little for detection and forensics to work with, so patch status is the primary control.
- Container operators: Because the page cache is shared across processes and containers on a host, operators running multi-tenant workloads should treat host patching as urgent and apply any isolation guidance published by their distribution vendors.
- Enterprises and procurement leaders: The universality of the primitive across distributions released since 2017 means organizations should inventory affected systems, apply vendor advisories, and verify patch deployment for both host and virtualized/containerized environments.
Copy Fail is a reminder that long-lived kernel changes can bear fruit years later; introduced in 2017, this flaw now enables a tiny, portable exploit that researchers say reliably escalates privileges without complex timing tricks. With distribution advisories already issued, the immediate path forward is straightforward: apply vendor fixes and monitor for related advisories. For defenders, the useful question is no longer whether the bug exists — it does — but how quickly and completely patches are rolled out across the diverse Linux deployments still in production.