New Linux 'Copy Fail' Vulnerability Enables Root Access on Major Distributions
Key Points:
- Researchers have revealed a high-severity Linux local privilege escalation flaw (CVE-2026-31431), dubbed Copy Fail, that lets unprivileged local users gain root access by writing controlled bytes into the page cache of any readable file.
- The vulnerability arises from a logic flaw in the Linux kernel’s cryptographic subsystem (algif_aead module), introduced in 2017, and can be exploited via a simple 732-byte Python script to inject code into setuid binaries like /usr/bin/su.
- Exploitation requires local access but neither a race condition nor kernel address offsets. It works across all major Linux distributions since 2017, including Amazon Linux, RHEL, SUSE, and Ubuntu, and has additional cross-container impact because the page cache is shared.
- Linux vendors have issued security advisories and patches in response. Experts note that Copy Fail resembles the earlier Dirty Pipe vulnerability but affects a different kernel subsystem, and that it is portable, stealthy, and highly dangerous.
- The vulnerability enables any user account to escalate privileges to full administrative rights and bypass sandboxing, posing a significant security risk across diverse Linux environments.