Copy Fail: The 732-Byte Script That Roots Every Major Linux System

Copy Fail (CVE-2026-31431) Vulnerability Grants Root Access on Major Linux Distributions Since 2017. Patch Your Systems Today!

By sk

Quick Summary

  • Copy Fail (CVE-2026-31431) is a high-severity straight-line logic flaw in the Linux kernel that provides 100% reliable local privilege escalation and container escape on nearly every major distribution shipped since 2017.
  • It allows an unprivileged user to trigger a deterministic 4-byte write into the kernel’s shared page cache, enabling them to corrupt the in-memory version of a setuid binary (like /usr/bin/su) to gain root access.
  • Since the vulnerability targets the page cache (RAM) rather than the disk, the malicious modification is invisible to standard file integrity tools and does not persist after a reboot.
  • The entire exploit is a remarkably tiny 732-byte Python script that requires no compiled payloads or special dependencies and works unmodified across multiple architectures and every major Linux distribution.
  • The Copy Fail bug is already fixed in Linux kernel 6.18.22, 6.19.12, and 7.0. If you are running an older kernel, update it now.

Introduction

Security researchers recently found a major flaw in the Linux kernel that grants root access on major Linux distributions since 2017. They named it Copy Fail (CVE-2026-31431).

The Copy Fail bug is quite different from most security issues. Usually, a hacker needs luck or perfect timing to break into a system. However, Copy Fail is a straight-line logic flaw. This means it works with 100% reliability every single time someone runs it.

If you use a major Linux version released since 2017, your system is likely at risk.

In this blog post, we will understand how "Copy Fail (CVE-2026-31431)" bug works and how you can fix it.

Copy Fail: 732 Bytes to Root on Every Major Linux Distribution

Most Linux bugs depend on "race conditions". These are like trying to win a sprint where the finish line keeps moving. Copy Fail does not need to win a race. It uses a tiny 732-byte Python script to gain full root access.

This bug is also very stealthy. It targets the Page Cache (RAM), which is the kernel's way of keeping file data in fast memory.

Because the bug only changes the memory version of a file, the actual file on your hard drive stays the same. As a result, standard security tools that check for file changes on the disk will see nothing wrong.

How the Copy Fail (CVE-2026-31431) Bug Works

The problem started in 2017 with a small code change meant to make the kernel faster. This change allowed the kernel to perform "in-place" encryption. This simply means the kernel used the same memory area for both the input and the output of a task.

The exploit chains three kernel features together:

  1. The page cache: the kernel keeps an in-memory copy of file data here for speed.
  2. AF_ALG and splice(): together these let a user hand the kernel's crypto subsystem a direct reference to a file's cached pages instead of a copy of the data.
  3. The authencesn template: a component of the kernel's crypto subsystem used for secure networking (IPsec-style AEAD with extended sequence numbers).

The trouble begins because authencesn uses its output space as a "scratch pad" to store temporary notes. Because of the 2017 mistake, those notes are written directly into the read-only memory pages of sensitive files. By choosing the right file, an attacker can overwrite four bytes of data to take over the machine.

How does the Exploit Gain Root Access?

The typical attack targets a file called /usr/bin/su. This is a special file that helps users switch to the root account. The exploit script overwrites just four bytes of this file in the system's memory.

Once the memory is corrupted, the attacker simply runs the su command. Since the kernel loads the corrupted version from its fast memory, the attacker instantly gets a root shell.

What about the root password? The attacker doesn't need it. The copy of su currently in the page cache has been modified to skip the password check, so the attacker types any password (or none at all) and the kernel hands them a root shell.

This same trick also lets people escape containers in cloud environments like Kubernetes.

Is Your Linux Distribution Vulnerable?

The research team at Xint Code tested this bug on several major platforms. They confirmed it works on:

  • Ubuntu 24.04 LTS
  • Amazon Linux 2023
  • RHEL 10.1
  • SUSE 16

As noted in the disclosure, almost every mainstream Linux version released in the last nine years is vulnerable.

How to Remediate CVE-2026-31431

Luckily, you can fix this issue quite easily. You should take these two steps:

1. Update Your Kernel

The best fix is to update your Linux kernel package. The official fix for Copy Fail is found in mainline commit a664bf3d603d. This patch removes the 2017 "in-place" optimization. It ensures that the kernel no longer mixes read-only files with writable memory.

2. Immediate Mitigation

If you cannot update right away, you can block the bug by disabling a specific module. Run these commands as the root user:

# Tell modprobe to run /bin/false instead of loading algif_aead in future
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
# Unload the module if it is currently loaded
rmmod algif_aead

Disabling this module will not break common tools like SSH or standard disk encryption. If rmmod reports that algif_aead is not loaded, that is fine: the modprobe rule still prevents it from being loaded later. If rmmod reports the module is in use, find and stop whatever holds an AF_ALG AEAD socket open, then retry.
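The following script is an added example, not code from the original post or from Theori/Xint Code. It wraps the two remediation steps above into a check-and-mitigate helper: it reports whether the running kernel is at or above one of the fixed releases the post names (6.18.22, 6.19.12, 7.0) and whether algif_aead is loaded, and applies the interim mitigation on request. The only assumption is that those three versions are the fixed releases; distribution kernels often backport fixes under an older version string, so a "not-fixed" answer means "confirm against your vendor's advisory", not "certainly vulnerable".

```shell
#!/bin/sh
# Added example (not from the original post). Usage:
#   sh copyfail-check.sh --check     report kernel fix status and module state
#   sh copyfail-check.sh --mitigate  block and unload algif_aead (run as root)
# Assumption: the fixed releases are exactly those the post lists
# (6.18.22, 6.19.12, 7.0); vendor backports are not detected here.

# Reduce a release string such as "6.8.0-45-generic" to "MAJOR.MINOR.PATCH";
# a missing patch level (as in "7.0") is treated as 0.
kernel_numeric() {
    printf '%s\n' "$1" | awk -F'[.-]' '{
        patch = ($3 ~ /^[0-9]+$/) ? $3 : 0
        printf "%d.%d.%d\n", $1, $2, patch
    }'
}

# Print "fixed" when the version is at or above a fixed release in its
# series, "not-fixed" otherwise (including older series the post does not
# name, which must be checked against vendor advisories).
kernel_fix_status() {
    v=$(kernel_numeric "$1")
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -ge 7 ]; then
        echo fixed            # 7.0 and later
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 19 ] && [ "$patch" -ge 12 ]; then
        echo fixed            # 6.19.12 and later in the 6.19 series
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 18 ] && [ "$patch" -ge 22 ]; then
        echo fixed            # 6.18.22 and later in the 6.18 series
    else
        echo not-fixed
    fi
}

# Succeed when algif_aead appears in a /proc/modules-style listing
# (the module name is the first column of each line).
algif_aead_in() {
    printf '%s\n' "$1" | awk '$1 == "algif_aead" { found = 1 } END { exit !found }'
}

# Interim mitigation from the post: make modprobe refuse to load algif_aead
# in future and unload it now if present. This does nothing useful if
# algif_aead is built into the kernel rather than a loadable module.
apply_mitigation() {
    printf 'install algif_aead /bin/false\n' > /etc/modprobe.d/disable-algif.conf
    if algif_aead_in "$(cat /proc/modules)"; then
        rmmod algif_aead
    fi
}

# Constructed sample of /proc/modules output, used for the self-demonstration.
SAMPLE_MODULES='algif_aead 16384 0 - Live 0x0000000000000000
af_alg 32768 1 algif_aead, Live 0x0000000000000000
xt_conntrack 16384 1 - Live 0x0000000000000000'

case "${1:-}" in
    --check)
        echo "kernel $(uname -r): $(kernel_fix_status "$(uname -r)")"
        if algif_aead_in "$(cat /proc/modules)"; then
            echo "algif_aead: loaded (use --mitigate as root if you cannot update)"
        else
            echo "algif_aead: not loaded"
        fi
        ;;
    --mitigate)
        apply_mitigation
        ;;
    *)
        # No flag: demonstrate the checks on constructed input.
        echo "6.18.21-generic -> $(kernel_fix_status 6.18.21-generic)"
        echo "6.18.22 -> $(kernel_fix_status 6.18.22)"
        algif_aead_in "$SAMPLE_MODULES" && echo "sample listing: algif_aead present"
        ;;
esac
```

Run it with --check on each host first; a "fixed" kernel that still shows algif_aead loaded needs no mitigation, while a "not-fixed" kernel should be cross-checked against the vendor advisory before deciding whether --mitigate is needed as a stopgap.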

AI Helped Find the Copy Fail Bug

The team used an AI-powered tool called Xint Code to find this flaw. Taeyang Lee, a security researcher from the Theori team, gave the AI a simple hint: look at how the kernel moves file data into its encryption system. Within one hour, the AI had scanned the code and identified Copy Fail as a critical risk.

This shows how new technology can help us find hidden bugs much faster than traditional methods.

Frequently Asked Questions (FAQ)

Q: What is the Copy Fail vulnerability?

A: Copy Fail is a logic error in the Linux kernel. Experts track it as CVE-2026-31431. This flaw allows any local user to gain full root access.

Q: How does Copy Fail work?

A: By chaining the AF_ALG crypto interface with the splice() system call, an attacker can trigger a deterministic 4-byte write into the memory of any readable file (such as a setuid binary like /usr/bin/su). This enables privilege escalation and container escapes across all major Linux distributions shipped since 2017.

Q: Who found the Copy Fail flaw?

A: The Copy Fail vulnerability was discovered by researcher Taeyang Lee from the security firm Theori.
The finding was AI-assisted, as Lee used the Xint Code security analysis platform to scale his research across the entire Linux kernel crypto subsystem.

Q: Which Linux distros are affected by Copy Fail?

A: Almost any Linux system kept running since 2017 that hasn't been patched in the last few weeks.

Q: Is Copy Fail a Permanent Flaw?

A: No. Because it only affects the page cache (RAM), a reboot clears the "ghost" corruption. However, an attacker only needs it to work once to install a permanent backdoor.

Q: How is the Copy Fail bug fixed?

A: Kernel developers removed the "in-place" optimization. Now, the kernel is forced to make a safe copy of the data before touching it, ensuring the Page Cache remains read-only.
