"Copy Fail is more portable. One script, every distro, no offsets. Dirty Pipe needed kernel ≥ 5.8 with specific patches; Copy Fail covers the entire 2017–2026 window," Theori researchers wrote describing CVE-2026-31431.
How Theori discovered CVE-2026-31431
The vulnerability, tracked as CVE-2026-31431 and dubbed "Copy Fail," was found by the offensive security company Theori. Using its AI-driven pentesting platform Xint Code, Theori scanned the Linux crypto/ subsystem for roughly an hour before locating the issue. The researchers reported the finding to the Linux kernel security team on March 23, and, according to Theori, patches were available within a week. Technical details and a proof-of-concept exploit emerged publicly yesterday.
How Copy Fail (CVE-2026-31431) actually works
In their detailed write-up, Theori describes Copy Fail as "a logic bug in the Linux kernel's authencesn cryptographic template" that permits an authenticated user to perform a controlled 4-byte write into the page cache of any readable file on the system. The exploit combines two kernel interfaces: the AF_ALG socket-based interface, which exposes kernel crypto functions to user space, and the splice() system call. Using those mechanisms, an unprivileged user can make a 4-byte write into a file's page cache rather than into an ordinary buffer.
If those four bytes overwrite data in a setuid-root binary in a way that alters its behavior when executed, the attacker can escalate from an unprivileged account to root permissions. Theori traces the bug to a change made in 2017: an "in-place" optimization added to the crypto path that began reusing the same buffer instead of keeping input and output strictly separate.
Demonstrated impact: one 732-byte script, many distributions
Theori developed and tested a Python-based exploit they describe as "100% reliable" and 732 bytes in size. They say the script "roots every Linux distribution shipped since 2017." The company demonstrated the proof-of-concept on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16.
The researchers compare Copy Fail to the earlier "Dirty Pipe" vulnerability, saying Copy Fail is closer in effect to Dirty Pipe but is more reliable and more broadly exploitable. Their assessment: Copy Fail is more practical and more portable across kernel versions and distributions than Dirty Pipe.
Mitigation, fixes, and current update posture
Upstream fixes for CVE-2026-31431 were applied on April 1 by reverting the problematic "in-place" crypto behavior that originated in kernel 4.14 in 2017. The fixes were made available in kernel versions 6.18.22, 6.19.12, and 7.0. According to Theori, major Linux distributions are already pushing the fix via kernel updates.
Not everyone has reached the same public posture. Tharros' principal vulnerability analyst, Will Dormann, noted that there are no "official updates for CVE-2026-31431." Dormann added that "Fedora 42 and newer have updates, but no official advisory or acknowledgement of CVE-2026-31431."
As interim mitigations for systems that have not yet received patched kernels, Theori recommends disabling the vulnerable crypto interface or the specific module. The commands they suggest are:
- echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
- rmmod algif_aead
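The following POSIX shell script is an added example, not Theori's or the article's code: it turns the fixed kernel releases and the module mitigation quoted above into a read-only posture check for a host, and the kernel release strings and the /proc/modules line used to exercise it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from Theori or the article: a read-only posture
# check for CVE-2026-31431 (Copy Fail) built only from facts in the text.
# The kernel release numbers are from the article; distribution kernels that
# backport the fix without a version bump will still read as "vulnerable",
# so treat that result as "unconfirmed, check your vendor advisory".

# Return 0 when dotted version $1 >= version $2 (first three numeric fields).
ver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
      if (p > q) exit 0; if (p < q) exit 1
    }
    exit 0 }'
}

# Classify a uname -r string. The bug entered in 4.14 (2017); upstream fixes
# are in 6.18.22, 6.19.12 and 7.0, so each stable series has its own floor.
kernel_status() {
  v=${1%%[!0-9.]*}                         # drop "-generic", "-rc1", "+" ...
  series=$(printf '%s' "$v" | cut -d. -f1,2)
  if ! ver_ge "$v" 4.14; then echo predates-bug
  elif ver_ge "$v" 7.0; then echo fixed
  elif [ "$series" = 6.19 ] && ver_ge "$v" 6.19.12; then echo fixed
  elif [ "$series" = 6.18 ] && ver_ge "$v" 6.18.22; then echo fixed
  else echo vulnerable
  fi
}

# Return 0 when the interim mitigation holds: algif_aead is not loaded and a
# modprobe.d "install algif_aead /bin/false" rule blocks loading it. Paths are
# parameters so the check can run against saved copies of /proc/modules and
# /etc/modprobe.d as well as against the live files.
module_mitigated() {
  grep -q '^algif_aead ' "$1" 2>/dev/null && return 1
  grep -Eqs '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/(false|true)' "$2"/*.conf
}

# Report on this host when run directly (every check above is read-only).
if [ -r /proc/modules ]; then
  echo "kernel $(uname -r): $(kernel_status "$(uname -r)")"
  if module_mitigated /proc/modules /etc/modprobe.d; then echo "algif_aead: blocked"
  else echo "algif_aead: loaded or still loadable"; fi
fi
```

A "vulnerable" verdict on a vendor kernel such as RHEL's means only that the version string cannot prove the fix is present; the distribution's own advisory is the authority there.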
What this means for multi-tenant Linux hosts, Kubernetes/container clusters, and CI runners
Theori explicitly recommends that organizations prioritize patching multi-tenant Linux hosts, Kubernetes and container clusters, CI runners and build farms, and cloud SaaS environments that run user code. Those systems are highlighted because an unprivileged user already present on the host — for example, a container tenant, build job, or SaaS customer running code — could exploit the 4-byte write to escalate to root across the underlying host if the host is running an affected kernel.
Copy Fail's public proof-of-concept and its claimed portability change the immediate calculus for defenders: a short, reliable script that targets a long window of vulnerable kernels means patch deployment and temporary module disablement are the practical levers available now. The upstream reversion landed on April 1 and distribution updates are being pushed, but Theori's public disclosure and Dormann's note about missing advisories mean that official notices and coverage remain uneven.
For security teams and operators the near-term choices are concrete: install updated kernels from your distribution, apply Theori's recommended interim mitigations where kernels cannot be immediately upgraded, and prioritize hosts that expose multi-tenant or untrusted code execution. The longer-term question — already framed by Theori's timeline from discovery to disclosure — is how quickly distributions will couple kernel updates with clear advisories so administrators can verify mitigation across varied fleet architectures.
Source: BleepingComputer — New Linux ‘Copy Fail’ flaw gives hackers root on major distros