Cybersecurity researchers have detailed a high-severity Linux local privilege escalation vulnerability that can let an unprivileged local user obtain root access. Tracked as CVE-2026-31431, the flaw has been nicknamed Copy Fail by Xint.io and Theori. According to the researchers, the issue can be abused to write four controlled bytes into the page cache of any readable file on a Linux system and then use that capability to gain root.
The vulnerability has already prompted advisories from multiple Linux vendors, including Amazon Linux, Debian, Red Hat Enterprise Linux, SUSE, and Ubuntu. The source material says the weakness affects essentially all Linux distributions shipped since 2017, making it a broad concern for administrators of modern systems.
How the Copy Fail flaw works
The root cause is described as a logic flaw in the Linux kernel’s cryptographic subsystem, specifically in the algif_aead module. The issue was introduced in a source code commit made in August 2017. The source does not indicate that a remote attacker can exploit it on its own; rather, it requires a local unprivileged user and is used to corrupt the page cache of a setuid binary.
Researchers said the flaw can be exploited with a small 732-byte Python script. The attack path described in the disclosure involves opening an AF_ALG socket, binding to authencesn(hmac(sha256),cbc(aes)), constructing a shellcode payload, triggering a write to the kernel’s cached copy of /usr/bin/su, and then calling execve("/usr/bin/su") to load the injected shellcode and run it as root.
Why the issue is considered dangerous
Copy Fail is notable because it is reported to be reliable and does not require a race condition or a kernel offset. The same exploit also has cross-container impact because the page cache is shared across all processes on a system. That means the primitive can extend beyond a single container boundary and affect other workloads on the same host.
Bugcrowd’s David Brumley said the flaw is the same class of primitive as Dirty Pipe, but in a different subsystem. In his description, the 2017 optimization in algif_aead allows a page-cache page to end up in the kernel’s writable destination scatterlist for an AEAD operation submitted over an AF_ALG socket. An unprivileged process can then drive splice() into that socket and complete a small, targeted write into the page cache of a file it does not own.
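As an added, defender-side illustration (not code from the disclosure, the researchers, or any vendor), the script below decodes auditd SOCKADDR records and flags bind() calls on an AF_ALG socket whose algorithm name uses the authencesn() template described above. It assumes an audit rule that logs the bind syscall on x86-64 (so sockaddr_alg is little-endian, per the kernel struct layout), and the log records are constructed samples.

```python
import re
import struct

AF_ALG = 38                    # address family of the kernel crypto API socket interface
AEAD_TEMPLATE = "authencesn("  # algorithm template named in the Copy Fail disclosure

def encode_sockaddr_alg(alg_type: str, alg_name: str) -> str:
    """Build the hex saddr auditd logs for a bind() on an AF_ALG socket (used for constructed samples)."""
    # struct sockaddr_alg: u16 family, u8 type[14], u32 feat, u32 mask, u8 name[64]; 88 bytes, little-endian assumed
    return struct.pack("<H14sII64s", AF_ALG, alg_type.encode(), 0, 0, alg_name.encode()).hex()

def decode_sockaddr_alg(saddr_hex: str):
    """Return (alg_type, alg_name) when saddr is an AF_ALG address, else None."""
    raw = bytes.fromhex(saddr_hex)
    if len(raw) < 88 or struct.unpack("<H", raw[:2])[0] != AF_ALG:
        return None
    alg_type = raw[2:16].split(b"\0", 1)[0].decode("ascii", "replace")
    alg_name = raw[24:88].split(b"\0", 1)[0].decode("ascii", "replace")
    return alg_type, alg_name

def find_aead_binds(log_lines):
    """Correlate SYSCALL/SOCKADDR records by audit serial; return (pid, comm, alg_name) for authencesn() aead binds."""
    events = {}
    for line in log_lines:
        serial = re.search(r"msg=audit\([\d.]+:(\d+)\)", line)
        if not serial:
            continue
        ev = events.setdefault(serial.group(1), {})
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
        if fields.get("type") == "SYSCALL":
            ev["pid"] = int(fields.get("pid", 0))
            ev["comm"] = fields.get("comm", "").strip('"')
        elif fields.get("type") == "SOCKADDR":
            ev["alg"] = decode_sockaddr_alg(fields.get("saddr", ""))
    return [(e.get("pid"), e.get("comm"), e["alg"][1]) for e in events.values()
            if e.get("alg") and e["alg"][0] == "aead" and e["alg"][1].startswith(AEAD_TEMPLATE)]

# Constructed sample records (not real captures) from an assumed rule "-a always,exit -F arch=b64 -S bind -k af_alg_bind"
# (syscall 49 is bind on x86-64): 501 binds the disclosed AEAD template, 502 is a routine hash bind, 503 is AF_INET.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=49 success=yes exit=0 '
    'pid=4242 uid=1000 comm="python3" exe="/usr/bin/python3" key="af_alg_bind"',
    "type=SOCKADDR msg=audit(1700000000.101:501): saddr="
    + encode_sockaddr_alg("aead", "authencesn(hmac(sha256),cbc(aes))"),
    'type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=49 success=yes exit=0 '
    'pid=4300 uid=0 comm="app" exe="/usr/bin/app" key="af_alg_bind"',
    "type=SOCKADDR msg=audit(1700000000.102:502): saddr=" + encode_sockaddr_alg("hash", "sha256"),
    "type=SOCKADDR msg=audit(1700000000.103:503): saddr=" + "0200" + "0050" + "7f000001" + "00" * 8,
]
```

A hit is a triage signal rather than proof, since legitimate software also binds AF_ALG sockets; correlate it with the host's patch state and the vendor advisory for CVE-2026-31431.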
What Linux users and administrators should know
The disclosed facts make this a significant local privilege escalation concern for organizations running affected Linux systems. The source material specifically notes the following points:
- The flaw is tracked as CVE-2026-31431.
- Its CVSS score is 7.8.
- It is codenamed Copy Fail.
- It can let an unprivileged local user obtain root.
- It affects distributions shipped since 2017.
- It has cross-container impact because the page cache is shared.
- It is not remotely exploitable in isolation.
Linux distributions have issued their own advisories in response to the disclosure. The source material names Amazon Linux, Debian, Red Hat Enterprise Linux, SUSE, and Ubuntu among those that have responded.
Comparison with Dirty Pipe
The disclosure also draws a comparison to Dirty Pipe, a previous Linux kernel local privilege escalation flaw. Like Dirty Pipe, Copy Fail involves a primitive that can allow unprivileged users to write into the page cache of read-only files and ultimately reach code execution or higher privileges. The source emphasizes that Copy Fail is the same class of flaw, but tied to a different subsystem.
What makes Copy Fail stand out, according to the researchers, is that it is portable, tiny, stealthy, and cross-container. The source says it can be triggered reliably and works across distributions, which increases the urgency for patching and vendor guidance.
Conclusion
Copy Fail is a serious Linux local privilege escalation issue because it gives a local unprivileged user a path to root on widely used distributions. While it is not remotely exploitable by itself, the disclosed details show that it is reliable, broadly applicable, and capable of affecting shared page cache across containers. Administrators should follow vendor advisories for CVE-2026-31431 and apply updates as soon as they are available.