Researchers Warn of an Easily-Exploitable Privilege Escalation Vuln in Linux: Copy Fail

https://www.hackster.io/news/researchers-warn-of-an-easily-exploitable-privilege-escalation-vuln-in-linux-copy-fail-bfb1b72e4355

Publish Date: 2026-05-01 10:04:00

Source Domain: www.hackster.io

Security researchers have warned of a local privilege escalation vulnerability in the Linux kernel, dubbed Copy Fail, which is exploitable via a small Python script across a wide variety of distributions and affects kernel versions stretching back to 2017.

“Most Linux LPEs [Local Privilege Escalation vulnerabilities] need a race window or a kernel-specific offset. Copy Fail is a straight-line logic flaw — it needs neither,” a team from security firm Xint explains of the issue. “The same 732-byte Python script roots every Linux distribution shipped since 2017. If your kernel was built between 2017 and the patch — which covers essentially every mainstream Linux distribution — you’re in scope.”

Running Linux? Then you’re probably vulnerable to Copy Fail, a newly-discovered local privilege escalation vulnerability. (📹: Xint)

The issue lies in a part of the kernel designed to let applications accelerate cryptographic operations, which can be abused to change the in-memory cached copies of files. The proof-of-concept exploit shared by the Xint researchers modifies the su binary so that it no longer requires a user to authenticate before dropping them into a root shell with complete control over the whole system.

“The write bypasses the VFS [Virtual Filesystem] path entirely; the corrupted page is never marked dirty,” the researchers explain of how stealthy the attack, which changes files the user would normally have no permission to access, can be. “Nothing hits disk — on eviction or reboot, the cache reloads clean and a forensic disk image shows the original file.”
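Because the modification is described as living only in the page cache, one defensive check is to compare a file's cached view against what storage returns. The sketch below is an added example, not code from Xint or the article; the default path /usr/bin/su and all function names are assumptions.

```python
import mmap
import os
import sys

PAGE = mmap.PAGESIZE
CHUNK = 256 * PAGE  # O_DIRECT needs aligned sizes and offsets; stay on page multiples


def read_cached(path):
    """Ordinary buffered read, served from the page cache when the file is resident."""
    with open(path, "rb") as f:
        return f.read()


def read_direct(path):
    """O_DIRECT read, which asks the filesystem to fetch from storage instead."""
    fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    buf = mmap.mmap(-1, CHUNK)  # anonymous mapping gives a page-aligned buffer
    out = bytearray()
    try:
        while True:
            n = os.preadv(fd, [buf], len(out))
            out += buf[:n]
            if n < CHUNK:  # short read means end of file
                return bytes(out)
    finally:
        buf.close()
        os.close(fd)


def differing_pages(cached, disk, page=PAGE):
    """Return indexes of page-sized blocks where the cached view differs from disk."""
    length = max(len(cached), len(disk))
    return [i // page for i in range(0, length, page)
            if cached[i:i + page] != disk[i:i + page]]


def check(path):
    """Compare both views of one file; an empty list means they agree."""
    return differing_pages(read_cached(path), read_direct(path))


if __name__ == "__main__":
    # Assumed default target; pass other sensitive binaries as arguments.
    for target in sys.argv[1:] or ["/usr/bin/su"]:
        try:
            bad = check(target)
        except OSError as exc:  # no O_DIRECT support or no read permission
            print(f"{target}: cannot compare ({exc})")
            continue
        print(f"{target}: " + (f"MISMATCH in pages {bad}" if bad else "cache matches disk"))
```

Some filesystems service O_DIRECT reads through the page cache, and there a clean result proves nothing. A mismatch should be preserved with a memory capture before the page is evicted, since a disk image alone would show the original file.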

The researchers have offered a two-line mitigation for those awaiting patches. (📷: Xint)

The vulnerability itself has existed in the Linux kernel since 2017, and while the researchers privately notified the maintainers a month before publication, many distributions have yet to ship a patched kernel. As a result, mitigation is required: removing the affected…