- A critical Linux flaw allows an unprivileged local user to write to a file’s page cache and escalate to root privileges.
- The vulnerability, tracked as CVE-2026-31431, affects nearly all Linux distributions released since 2017.
- Exploitation is reliable, works across containers, and can be triggered with a small 732-byte Python script.
Cybersecurity researchers from Xint.io and Theori disclosed a high-severity Linux kernel vulnerability on April 30, 2026, which a simple Python exploit can weaponize for full system control. Dubbed Copy Fail, this local privilege escalation flaw is tracked as CVE-2026-31431 with a CVSS score of 7.8.
The issue stems from a logic flaw introduced in a 2017 commit to the kernel’s algif_aead cryptographic module. Consequently, an unprivileged user can write four controlled bytes into the page cache of any readable file. This primitive enables the corruption of a setuid binary like “/usr/bin/su” to gain root access.
Successful exploitation uses a small Python script to trigger the write and execute shellcode. The vulnerability’s impact is broad, affecting Amazon Linux, RHEL, SUSE, and Ubuntu distributions. Because the page cache is shared, the flaw also has cross-container implications.
Researchers compare Copy Fail to the earlier Dirty Pipe vulnerability, noting a similar page cache manipulation goal. However, Copy Fail presents a unique and dangerous combination of traits. According to David Brumley of Bugcrowd, the flaw allows a writable page cache page to end up in an AEAD operation’s scatterlist.
“This vulnerability is unique because it has four properties that almost never appear together: it’s portable, tiny, stealthy, and cross-container,” a Xint.io spokesperson stated. The flaw is reliably triggered without race conditions, making it a significant threat. Linux distributions have therefore released their own advisories in response to the disclosure.
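Because the flaw sits in the kernel’s algif_aead module, a useful first triage step is to establish whether that code is present on a host at all. The Python below is an added example, not code from the researchers or from any distribution advisory. It assumes the standard Linux sources `/proc/modules`, the kernel build config and `/etc/modprobe.d`, and it reports exposure only, not whether a kernel is patched.

```python
SYMBOL = "CONFIG_CRYPTO_USER_API_AEAD"   # Kconfig symbol that builds algif_aead

def algif_aead_exposure(proc_modules, kernel_config, modprobe_conf=""):
    """Classify how reachable algif_aead is, from the text of /proc/modules,
    the kernel build config and the concatenated /etc/modprobe.d/*.conf."""
    build = None                                   # None: symbol not seen
    for line in kernel_config.splitlines():
        if line.startswith(SYMBOL + "="):
            build = line.split("=", 1)[1].strip()  # "y" built in, "m" module
        elif line.strip() == "# " + SYMBOL + " is not set":
            build = "n"
    loaded = any(l.split()[0] == "algif_aead"
                 for l in proc_modules.splitlines() if l.strip())
    # "install <mod> <cmd>" makes modprobe run <cmd> instead of loading <mod>.
    # "blacklist <mod>" only makes modprobe ignore the module's aliases, so it
    # is reported separately and not counted as blocking a load.
    override = blacklist = False
    for line in modprobe_conf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 2 and words[1].replace("-", "_") == "algif_aead":
            override |= words[0] == "install" and len(words) >= 3
            blacklist |= words[0] == "blacklist"
    if build == "y":
        state = "built-in"         # part of the kernel image, always present
    elif loaded:
        state = "loaded"           # present in the running kernel now
    elif build == "m":
        state = "load-overridden" if override else "loadable"
    elif build == "n":
        state = "absent"
    else:
        state = "unknown"          # no config available; inspect by hand
    return {"state": state, "blacklist_only": blacklist and not override}

# Constructed sample inputs, not captured from a real host.
SAMPLE_MODULES = ("algif_aead 16384 0 - Live 0x0000000000000000\n"
                  "af_alg 32768 1 algif_aead, Live 0x0000000000000000\n")
SAMPLE_CONFIG = "CONFIG_CRYPTO_USER_API=m\nCONFIG_CRYPTO_USER_API_AEAD=m\n"
SAMPLE_MODPROBE = "blacklist algif_aead  # constructed example\n"

if __name__ == "__main__":
    print(algif_aead_exposure(SAMPLE_MODULES, SAMPLE_CONFIG))        # module loaded
    print(algif_aead_exposure("", SAMPLE_CONFIG, SAMPLE_MODPROBE))   # blacklist only
```

Whether a given kernel build carries the fix has to come from the distribution’s own advisory; this check cannot tell.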
