Linux distributions worldwide targeted by the Copy Fail exploit


An exploit for the “Copy Fail” security vulnerability (CVE-2026-31431) in the Linux kernel has been made public. The vulnerability affects all major Linux distributions released since 2017 and gives attackers without administrator privileges full root access. Patches are available in new kernel versions; those who have not yet patched can disable the algif_aead module as a mitigation. The vulnerability, disclosed before a fix was ready, has caused frustration across the Linux community.

A public proof-of-concept was released yesterday. The vulnerability, registered as CVE-2026-31431 and discovered by security firm Theori, is present in all major Linux distributions released since 2017.

Theori found the flaw using its AI-driven penetration testing platform, Xint Code, which scanned the kernel’s crypto subsystem in about an hour. The discovery was reported to the Linux kernel security team on March 23; patches followed within a week.

Four bytes that change everything

The root of the problem lies in the Linux kernel’s “authencesn” cryptographic template. By combining the AF_ALG socket interface with the splice() system call, an unprivileged user can write 4 controlled bytes into the page cache of any readable file, rather than into an ordinary buffer. If those 4 bytes land in a setuid-root binary, the attacker can alter its behavior and gain root privileges.

The flaw was introduced in 2017, when the Linux kernel team added an “in-place” optimization to the crypto path in kernel version 4.14. This caused the kernel to start reusing the same buffer instead of keeping input and output strictly separated.

The incident sparked frustration among developers and contributors to the Linux kernel and distributions. One user called it a “disaster” and said it was “extremely irresponsible” to demonstrate the vulnerability with a proof-of-concept before the patches had been rolled out.

More Dangerous Than Dirty Pipe

Theori compares Copy Fail to the notorious Dirty Pipe vulnerability from 2022, but calls the new vulnerability more practical and more broadly applicable. The 732-byte Python exploit works consistently on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16. Copy Fail is also less susceptible to timing and race conditions than Dirty Pipe, resulting in an estimated 100% success rate for the exploit.

With such a high success rate, applying the temporary mitigation is essential, as is patching as soon as an update becomes available. Normally, a vulnerability of this kind should have been reported to the linux-distros mailing list on OpenWall. The fact that this did not happen creates a much greater risk of real-world exploitation.

Patches and temporary mitigation

CVE-2026-31431 was patched upstream on April 1 by reverting the problematic crypto optimization. Fixes are available in kernel versions 6.18.22, 6.19.12, and 7.0. Major Linux distributions are rolling out the fix via kernel updates, although researchers report that no official advisory for CVE-2026-31431 exists yet. Those who have not yet received the patch can disable the algif_aead module as a temporary measure. Theori recommends patching multi-tenant Linux hosts, Kubernetes clusters, CI runners, and cloud SaaS systems as soon as possible.
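The triage steps above (compare the running kernel against the fixed releases, see whether algif_aead is loaded, and blacklist it until the update lands) as an added shell helper; this is not code from the article or from Theori. It only knows the fixed versions and the 4.14 introduction point named in the article, so any branch it does not recognise is reported as "check-vendor" rather than guessed, and the modprobe.d path is an assumed default.

```shell
#!/bin/sh
# Added triage helper for CVE-2026-31431 ("Copy Fail"). Caveat: distribution kernels
# backport fixes without changing the version string, so "vulnerable" or "check-vendor"
# means "confirm against your distribution's advisory", not "confirmed exploitable".

# copyfail_status VERSION  ->  prints unaffected | fixed | vulnerable | check-vendor
copyfail_status() {
    v=${1%%-*}                                   # drop "-generic", "-amd64", ... suffixes
    maj=$(printf '%s' "$v" | cut -d. -f1); maj=${maj:-0}
    min=$(printf '%s' "$v" | cut -d. -f2); min=${min:-0}
    pat=$(printf '%s' "$v" | cut -d. -f3); pat=${pat:-0}
    if [ "$maj" -lt 4 ] || { [ "$maj" -eq 4 ] && [ "$min" -lt 14 ]; }; then
        echo unaffected          # the in-place crypto optimisation only arrived in 4.14
    elif [ "$maj" -ge 7 ]; then
        echo fixed               # 7.0 and later carry the revert
    elif [ "$maj" -eq 6 ] && [ "$min" -eq 18 ]; then
        [ "$pat" -ge 22 ] && echo fixed || echo vulnerable
    elif [ "$maj" -eq 6 ] && [ "$min" -eq 19 ]; then
        [ "$pat" -ge 12 ] && echo fixed || echo vulnerable
    else
        echo check-vendor        # branch not named in the article: rely on the distro advisory
    fi
}

# algif_aead_loaded [MODULES_FILE]  ->  exit 0 if algif_aead is currently loaded.
# MODULES_FILE defaults to /proc/modules; a test can pass a constructed file instead.
algif_aead_loaded() {
    grep -q '^algif_aead ' "${1:-/proc/modules}" 2>/dev/null
}

# write_algif_aead_blacklist [CONF_FILE]  ->  writes the interim mitigation: a modprobe.d
# stanza that refuses to load algif_aead. The default path is an assumption; it applies to
# future loads only, so unload the module first if it is already resident. If the kernel
# config has CONFIG_CRYPTO_USER_API_AEAD=y the code is built in and cannot be blacklisted;
# only the kernel update helps there.
write_algif_aead_blacklist() {
    f=${1:-/etc/modprobe.d/cve-2026-31431.conf}
    printf 'blacklist algif_aead\ninstall algif_aead /bin/false\n' > "$f"
}

# Report on the host this script runs on.
printf 'kernel %s: %s\n' "$(uname -r)" "$(copyfail_status "$(uname -r)")"
if algif_aead_loaded; then echo 'algif_aead is loaded'; else echo 'algif_aead not loaded'; fi
```

Run the report first; only call write_algif_aead_blacklist as root once you have confirmed that nothing on the host depends on AF_ALG AEAD ciphers.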