"An unprivileged local user can write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root," said researchers at offensive security firm Theori on Wednesday of the local privilege escalation flaw, CVE-2026-31431.
How Copy Fail (CVE-2026-31431) operates
The vulnerability, nicknamed "Copy Fail" by Theori, lives in the Linux kernel's cryptographic subsystem and specifically involves a behavior that allows a temporary "scratch write" of four bytes during a crypto operation. Theori says successfully exploiting the flaw gives an attacker root-level access to the operating system. The flaw affects distributions built from 2017 onward, the firm reported.
The core mechanism, as described by consultancy Threatbear, is a kernel-side temporary write of a sequence number, limited to four bytes per trigger. Because most root-shell payloads need roughly 160 bytes of machine code, an attacker must stage the exploit: trigger the vulnerability repeatedly, writing successive 4-byte pieces into the page cache of the target file until enough code has been assembled.
Where the risk is concentrated: multi-tenant containers, CI runners, and single-user laptops
Theori frames the highest risk for environments that run untrusted code on shared kernels: "multi-tenant Linux, shared-kernel containers, CI runners that execute untrusted code or anything where someone you don't fully trust can execve" are the most exposed, the researchers said. They rate the risk as "medium" for stand-alone Linux servers and "low" for "a single-user laptop with full-disk encryption and a locked screen."
Bugcrowd's David Brumley warned against downplaying the vulnerability on the basis of its CVSS score. Although the flaw carries a CVSS base score of 7.8 ("high"), Brumley wrote that defenders should not be "fooled by the 'high' - not critical - CVSS score" when shared-kernel container isolation is part of the environment.
AI-assisted discovery: Theori's method and wider implications
Theori says the discovery was assisted by an in-house large language model security tool described as "AI-powered, LLM-native" and built to scan source code, configuration files and binaries. According to the firm, the researcher pointed it at the Linux kernel's crypto subsystem and found the issue in about one hour, with no harness needed. Theori released a proof-of-concept exploit, and other researchers have since published their own scripts.
Brumley framed Copy Fail as a data point about cost and capability: as tools improve, "the cost of finding deep logic flaws may have dropped by something like an order of magnitude," he wrote. Theori's account and Brumley's commentary together place this discovery at the intersection of advancing tooling and brittle kernel logic.
Mitigations and detection: disable algif_aead, watch AF_ALG with eBPF
Theori says most major distributions are shipping the fix now. As a temporary mitigation, they advise disabling the algif_aead kernel module, which is part of the cryptographic subsystem and "typically ships active by default." Disabling that module will block exploitation, though Theori notes it may have some cost to functionality.
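One way to put that interim mitigation in place, written here as an added example rather than Theori's or any distribution's own script. It assumes the module name algif_aead from the article, the standard /etc/modprobe.d, /proc/modules and modules.builtin locations (exposed as variables so the helpers can be exercised without root), and that the `apply` step is run as root:

```shell
#!/bin/sh
# Added example (not from Theori or any distribution): block the algif_aead
# module as an interim mitigation for CVE-2026-31431. Path assumptions are
# variables so the helpers can be exercised without root.
MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"
PROC_MODULES="${PROC_MODULES:-/proc/modules}"
BUILTIN_LIST="${BUILTIN_LIST:-/lib/modules/$(uname -r)/modules.builtin}"

# Modprobe fragment. "install algif_aead /bin/false" makes every load attempt
# fail, whether the module is requested by name or via the alias the AF_ALG
# bind path uses to autoload it on demand. A bare "blacklist" only suppresses
# the module's aliases, so "modprobe algif_aead" by name would still succeed.
mitigation_conf() {
    printf '%s\n' \
        '# Interim mitigation for CVE-2026-31431 (Copy Fail)' \
        'install algif_aead /bin/false' \
        'blacklist algif_aead'
}

# Report whether algif_aead is built in (cannot be unloaded), loaded, or absent.
algif_aead_state() {
    if grep -q 'algif_aead\.ko' "$BUILTIN_LIST" 2>/dev/null; then
        echo builtin
    elif grep -q '^algif_aead ' "$PROC_MODULES" 2>/dev/null; then
        echo loaded
    else
        echo absent
    fi
}

# Write the fragment, then unload the module if it is currently loaded.
# Returns 2 when the module is built into the kernel: only the patch helps then.
apply_mitigation() {
    mitigation_conf > "$MODPROBE_DIR/99-copyfail.conf"
    case "$(algif_aead_state)" in
        builtin) echo "algif_aead is built in; cannot be disabled, patch instead" >&2; return 2 ;;
        loaded)  modprobe -r algif_aead ;;
    esac
}

# Dry-run check: modprobe must report the install override, and the module
# must no longer be listed in /proc/modules.
verify_mitigation() {
    modprobe -n -v algif_aead 2>&1 | grep -q '/bin/false' || return 1
    [ "$(algif_aead_state)" = absent ]
}

if [ "${1:-}" = "apply" ]; then
    apply_mitigation && verify_mitigation && echo "algif_aead blocked"
fi
```

Run it with `apply` as root. On a kernel where the AEAD user-space API is compiled in (CONFIG_CRYPTO_USER_API_AEAD=y rather than =m) there is no module to block, which is why the helper refuses instead of reporting success; such hosts can only be patched.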
Threatbear recommends that defenders use eBPF (extended Berkeley Packet Filter) tooling to watch for unexpected creation of AF_ALG sockets, the interface through which user space reaches the kernel's crypto API. Most applications get their cryptography from user-space libraries such as OpenSSL and never open an AF_ALG socket, so an unexpected one should be treated as suspicious, what Threatbear calls a potential "glowing red flag." Because the exploit needs repeated 4-byte writes, its multi-stage nature is noisy and observable with the right monitoring in place.
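A minimal version of that detection, added here as an example and not Threatbear's own tooling: a bpftrace program, launched from the shell, that logs every socket() call for address family AF_ALG (number 38 in the Linux ABI), plus an awk triage pass that flags the bursty, repeated creation a staged 4-byte-at-a-time exploit would produce. The event-line format, the burst threshold and the sample log in the test are this example's own choices; the watcher needs bpftrace and root, the triage pass only awk.

```shell
#!/bin/sh
# Added example (not Threatbear's tooling): watch AF_ALG socket creation with
# bpftrace and triage the resulting event log.

# AF_ALG is address family 38 in the Linux ABI.
AF_ALG=38

# bpftrace program: one event line per socket(AF_ALG, ...) call, with a
# millisecond timestamp relative to watcher start, and a per-process count
# map that bpftrace prints on exit. Family, not protocol, is what matters:
# every AF_ALG socket is created this way before bind() picks "aead".
afalg_bpftrace_program() {
    cat <<EOF
tracepoint:syscalls:sys_enter_socket
/args->family == $AF_ALG/
{
    @per_pid[pid, comm] = count();
    printf("ts=%d pid=%d uid=%d comm=%s\n", elapsed / 1000000, pid, uid, comm);
}
EOF
}

# Run the watcher (root); redirect stdout to a file to feed the triage step.
watch_afalg() {
    bpftrace -e "$(afalg_bpftrace_program)"
}

# Triage an event log ($1) with a burst threshold ($2, default 8). Any process
# that opens AF_ALG at all gets REVIEW, since most software never does; one
# that reaches the threshold gets HIGH, matching the repeated triggers of a
# staged write. Lines not starting with "ts=" (the map dump) are skipped.
triage_afalg_log() {
    awk -v thresh="${2:-8}" '
    /^ts=/ {
        for (i = 1; i <= NF; i++) { split($i, kv, "="); f[kv[1]] = kv[2] }
        key = f["pid"] " " f["comm"]
        n[key]++
        if (!(key in first)) first[key] = f["ts"]
        last[key] = f["ts"]
    }
    END {
        for (k in n) {
            split(k, p, " ")
            printf "%s pid=%s comm=%s events=%d span_ms=%d\n", (n[k] >= thresh ? "HIGH" : "REVIEW"), p[1], p[2], n[k], last[k] - first[k]
        }
    }' "$1" | sort
}
```

Typical use is `watch_afalg > /var/log/afalg-events.log` on the host, then `triage_afalg_log /var/log/afalg-events.log` periodically. Hosts that legitimately use the kernel crypto API (for example through libkcapi) will show up as REVIEW; keep a per-host allowlist of those process names rather than raising the threshold, since the threshold is what separates ordinary use from the staged pattern.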
Actions for operators, security teams, and laptop users
- Multi-tenant cloud and container operators: prioritize applying the vendor patches being distributed and consider disabling the algif_aead module until systems are patched. Treat shared-kernel environments that run untrusted code as high-risk given the exploit's container-escape primitive.
- CI/CD and runner operators: assume this vulnerability is in scope for any runner that executes untrusted builds or code; patch promptly and instrument AF_ALG socket activity via eBPF to detect exploitation attempts.
- Single-user laptop owners: Theori characterizes risk as low for devices that have full-disk encryption and a locked screen, but still recommends applying the patch as soon as the distribution ships it.
Across the published material, the recommended takeaway is unambiguous: patch where vendors supply fixes, or temporarily disable the algif_aead module if immediate patching is not possible. As Theori put it, "patch anyway." For defenders with suitable observability, watching AF_ALG socket creation with eBPF provides a practical detection path while patches roll out.
Source: GovInfoSecurity — Linux 'Copy Fail' Flaw Delivers Root-Level Access to Distros