Linux Kernel 0-Day “Copy Fail” Roots Every Major Distribution Since 2017

https://cybersecuritynews.com/linux-kernel-0-day-copy-fail/

Publish Date: 2026-05-01 14:58:00

Source Domain: cybersecuritynews.com

A critical zero-day vulnerability in the Linux kernel has been publicly disclosed, enabling any unprivileged local user to obtain root access on virtually every major Linux distribution shipped since 2017.

Dubbed “Copy Fail” and tracked as CVE-2026-31431, the flaw was discovered by Theori researcher Taeyang Lee and scaled into a full exploit chain by the Xint Code Research Team using AI-assisted analysis.

Copy Fail is a straight-line logic bug, not a race condition, in the Linux kernel’s authencesn cryptographic template. It is reachable via the AF_ALG socket interface combined with the splice() system call.

Unlike predecessors such as Dirty Cow (CVE-2016-5195) or Dirty Pipe (CVE-2022-0847), this vulnerability requires no race-winning, no kernel version offsets, no recompilation, and no compiled payloads.

Linux Kernel 0-Day “Copy Fail”

A single 732-byte Python script using only standard library modules achieves deterministic root on every tested distribution and architecture.

The exploit targets the kernel’s page cache, the in-memory representation of files, by triggering a controlled 4-byte write into a page cache page belonging to any file readable by the attacker.

Because the Linux kernel never marks the corrupted page as dirty for writeback, the on-disk file remains untouched, causing standard checksum-based file integrity tools to miss the modification entirely. The attacker then executes the corrupted in-memory version of a setuid binary such as /usr/bin/su, achieving root shell execution.

The vulnerability originates from a 2017 in-place optimization introduced to algif_aead.c (commit 72548b093ee3). When a user splices a file into a pipe and feeds it into an AF_ALG socket, the AEAD input scatterlist holds direct references to the kernel’s physical page cache pages of that file — not copies.

For AEAD decryption operations, algif_aead.c set req->src =…
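A detection sketch for the AF_ALG plus splice() path described above, added here as an example (not code from the article or the researchers): it scans auditd SYSCALL records for non-root processes that both open an AF_ALG socket and call splice(). It assumes x86_64 syscall numbers and audit rules that already log socket and splice; the log lines are constructed, and the pairing is a triage heuristic, since legitimate software can use both calls.

```python
import re
from collections import defaultdict

AF_ALG = 0x26                      # address family 38; auditd prints a0..a3 in hex
SYS_SOCKET, SYS_SPLICE = 41, 275   # x86_64 syscall numbers (assumed architecture)

# Constructed auditd SYSCALL records for illustration, not from a real host.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1777647480.101:901): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 pid=4120 uid=1001 comm="python3" exe="/usr/bin/python3.12"
type=SYSCALL msg=audit(1777647480.107:905): arch=c000003e syscall=275 success=yes exit=4096 a0=4 a1=0 a2=6 pid=4120 uid=1001 comm="python3" exe="/usr/bin/python3.12"
type=SYSCALL msg=audit(1777647481.220:911): arch=c000003e syscall=41 success=yes exit=5 a0=2 a1=1 a2=0 pid=4200 uid=1002 comm="curl" exe="/usr/bin/curl"
type=SYSCALL msg=audit(1777647481.230:912): arch=c000003e syscall=275 success=yes exit=512 a0=5 a1=0 a2=7 pid=4200 uid=1002 comm="curl" exe="/usr/bin/curl"
type=SYSCALL msg=audit(1777647482.010:920): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 pid=312 uid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup"
type=SYSCALL msg=audit(1777647482.015:921): arch=c000003e syscall=275 success=yes exit=64 a0=3 a1=0 a2=5 pid=312 uid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Return the key=value fields of one audit record as a dict."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def suspicious_pids(log, arch="c000003e"):
    """Map pid -> (uid, exe) for non-root processes that opened an AF_ALG
    socket and also called splice()."""
    seen = defaultdict(set)
    info = {}
    for line in log.splitlines():
        rec = parse(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != arch:
            continue
        # Root already has the privilege; failed calls did nothing.
        if rec.get("uid") == "0" or rec.get("success") != "yes":
            continue
        nr = int(rec["syscall"])
        if nr == SYS_SOCKET and int(rec["a0"], 16) == AF_ALG:
            seen[rec["pid"]].add("af_alg")
        elif nr == SYS_SPLICE:
            seen[rec["pid"]].add("splice")
        info[rec["pid"]] = (rec["uid"], rec.get("exe", "?"))
    return {p: info[p] for p, ev in seen.items() if ev == {"af_alg", "splice"}}

if __name__ == "__main__":
    for pid, (uid, exe) in suspicious_pids(SAMPLE_LOG).items():
        print(f"review pid={pid} uid={uid} exe={exe}: AF_ALG socket + splice()")
```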