New Linux ‘Copy Fail’ Vulnerability Enables Root Access on Major Distributions
New Linux ‘Copy Fail’ Vulnerability Enables Root Access on Major Distributions
https://thehackernews.com/2026/04/new-linux-copy-fail-vulnerability.html
Publish Date: 2026-04-30 05:24:00
Source Domain: thehackernews.com
Cybersecurity researchers have disclosed details of a Linux local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root.
The high-severity vulnerability tracked as CVE-2026-31431 (CVSS score: 7.8) has been codenamed Copy Fail by Xint.io and Theori.
“An unprivileged local user can write four controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root,” the vulnerability research team at Xint.io and Theori said.
At its core, the vulnerability stems from a logic flaw in the Linux kernel’s cryptographic subsystem, specifically within the algif_aead module. The issue was introduced in a source code commit made in August 2017.
Successful exploitation of the shortcoming could allow a simple 732-byte Python script to edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017, including Amazon Linux, RHEL, SUSE, and Ubuntu. The Python exploit involves four steps –
- Open an AF_ALG socket and bind to authencesn(hmac(sha256),cbc(aes))
- Construct the shellcode payload
- Trigger the write operation to the kernel’s cached copy of “/usr/bin/su”
- Call execve(“/usr/bin/su”) to load the injected shellcode and run it as root
While the vulnerability is not remotely exploitable in isolation, a local unprivileged user can get root simply by corrupting the page cache of a setuid binary. The same primitive also has cross-container impacts as the page cache is shared across all processes on a system.
In response to the disclosure, Linux distributions have released their own advisories –
Copy Fail has its echoes in Dirty Pipe (CVE-2022-0847), another Linux kernel LPE vulnerability that could permit unprivileged users to splice data into the page cache of read-only files and ultimately overwrite sensitive files on the system to achieve code execution.
“Copy Fail is the same class of primitive, in a different…
