
New Linux 'Copy Fail' Vulnerability Enables Root Access on Major Distributions

Published:

30 April 2026 at 09:24:00

Alert date:

30 April 2026 at 10:00:49

Source:

thehackernews.com


Operating Systems, Zero-Day Vulnerabilities

A high-severity local privilege escalation vulnerability in the Linux kernel has been disclosed, tracked as CVE-2026-31431 (CVSS score 7.8). Dubbed 'Copy Fail' by researchers at Xint.io and Theori, the flaw lets an unprivileged local user gain root on major Linux distributions. The bug allows an attacker to write four controlled bytes into the page cache of any readable file on the system, which is enough to corrupt a setuid binary and escalate privileges. Multiple major distributions ship affected kernels.

Technical details

Copy Fail is a Linux local privilege escalation vulnerability that stems from a logic flaw in the kernel's cryptographic subsystem, specifically in the algif_aead module, which exposes kernel AEAD ciphers to user space through AF_ALG sockets. The flawed code was introduced in August 2017. An unprivileged local user can write four controlled bytes into the page cache of any readable file on the system. The published exploit chain opens an AF_ALG socket, binds it to authencesn(hmac(sha256),cbc(aes)), constructs a shellcode payload, triggers a write into the kernel's cached copy of /usr/bin/su, and then calls execve on /usr/bin/su so that the injected shellcode runs as root. Because the page cache is shared across all processes on the host, corrupting the cached pages of a setuid binary also has cross-container impact. A 732-byte Python script exploits the flaw reliably, with no race conditions and no dependence on kernel offsets.
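The chain above starts with the one step any local user can take: opening an AF_ALG socket and binding it to the authencesn(hmac(sha256),cbc(aes)) template. The script below is an added triage example, not the advisory's code and not the Xint.io/Theori exploit. It performs only that first step and never writes data, so it cannot corrupt anything; it reports whether the attack surface is reachable from the current user, whether algif_aead is already loaded, and whether the template already appears in /proc/crypto. The function names, the /proc parsers and the constructed sample records are assumptions made for this example; the patch state of the kernel must still be taken from the distribution advisory, because a patched kernel accepts the same bind.

```python
"""Exposure triage for the AF_ALG / algif_aead surface named in the write-up.

Added example (not from the advisory or from the researchers). It does not
exploit anything: it only checks whether an unprivileged process can reach
the algif_aead code path, and it never sends data on the socket.
"""
import os
import socket

ALG_TYPE = "aead"
ALG_NAME = "authencesn(hmac(sha256),cbc(aes))"

# Constructed sample records in the format of /proc/modules and /proc/crypto,
# used by selftest() so the parsers can be exercised offline.
SAMPLE_PROC_MODULES = (
    "algif_aead 16384 0 - Live 0x0000000000000000\n"
    "authencesn 20480 1 algif_aead, Live 0x0000000000000000\n"
)
SAMPLE_PROC_CRYPTO = (
    "name         : authencesn(hmac(sha256),cbc(aes))\n"
    "driver       : authencesn(hmac-sha256-generic,cbc(aes-generic))\n"
    "module       : authencesn\n"
    "type         : aead\n"
    "\n"
    "name         : sha256\n"
    "driver       : sha256-generic\n"
    "module       : sha256_generic\n"
    "type         : shash\n"
)


def parse_proc_modules(text: str) -> set:
    """Return the set of module names in /proc/modules-formatted text."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def parse_proc_crypto(text: str) -> list:
    """Parse /proc/crypto (blank-line separated 'key : value' records) into dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def template_instantiated(proc_crypto_text: str, name: str = ALG_NAME) -> bool:
    """True if the named AEAD template already appears in /proc/crypto."""
    return any(e.get("name") == name and e.get("type") == "aead"
               for e in parse_proc_crypto(proc_crypto_text))


def probe_af_alg(alg_type: str = ALG_TYPE, alg_name: str = ALG_NAME) -> str:
    """Bind an AF_ALG socket as the current user, then close it without I/O.

    Returns 'reachable', 'unsupported[:errno]' (no AF_ALG on this platform or
    kernel) or 'unavailable:<errno>' when the kernel refuses the bind.
    """
    if not hasattr(socket, "AF_ALG"):
        return "unsupported"
    try:
        sock = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError as exc:
        return f"unsupported:{exc.errno}"
    try:
        sock.bind((alg_type, alg_name))
    except OSError as exc:
        return f"unavailable:{exc.errno}"
    finally:
        sock.close()
    return "reachable"


def read_if_present(path: str) -> str:
    """Read a /proc file, returning '' where it does not exist (non-Linux, sandbox)."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def selftest() -> bool:
    """Exercise the parsers on the constructed samples."""
    return ("algif_aead" in parse_proc_modules(SAMPLE_PROC_MODULES)
            and template_instantiated(SAMPLE_PROC_CRYPTO)
            and not template_instantiated(SAMPLE_PROC_CRYPTO, "gcm(aes)"))


def main() -> None:
    modules = parse_proc_modules(read_if_present("/proc/modules"))
    print("kernel release         :", os.uname().release)
    print("algif_aead loaded      :", "algif_aead" in modules)
    print("template in /proc/crypto:", template_instantiated(read_if_present("/proc/crypto")))
    # Binding autoloads algif_aead on demand, so 'not loaded' is not a mitigation.
    print("AF_ALG bind as uid", os.getuid(), ":", probe_af_alg())
    print("'reachable' plus an unpatched kernel (per distro advisory) means exposed.")


if __name__ == "__main__":
    main()
```

Run it as an ordinary user on each host class you care about. A result of 'reachable' shows that the algif_aead path is open to unprivileged code, which is the precondition the exploit relies on; 'unavailable' typically means the template cannot be instantiated on that kernel. Neither result replaces checking the installed kernel package against the vendor advisory.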

Mitigation steps:

Check for and apply the kernel security updates from your Linux distribution vendor. Review the advisories released by Amazon Linux, Debian, Red Hat Enterprise Linux, SUSE, and Ubuntu for patched package versions and any additional mitigation steps.

Affected products:

Linux kernel (versions since August 2017)
Amazon Linux
Red Hat Enterprise Linux (RHEL)
SUSE
Ubuntu
Debian
algif_aead module

IOCs:

Behavioural indicators from the published exploit chain: a 732-byte Python exploit script; an unprivileged process opening an AF_ALG socket and binding it to authencesn(hmac(sha256),cbc(aes)); writes targeting the cached copy of /usr/bin/su; a subsequent execve("/usr/bin/su") that runs the injected code as root.

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
