Nearly every Linux distribution released since 2017 is currently vulnerable to a security bug known as “Copy Fail” that allows any user to give themselves administrator privileges. The exploit, publicly disclosed as CVE-2026-31431 on Wednesday, uses a Python script that works across all of the vulnerable Linux distributions, requiring “no per-distro offsets, no version checks, no recompilation,” according to Theori, the security firm that uncovered it.
Ars Technica points to this blog post where DevOps engineer Jorijn Schrijvershof explains that what makes Copy Fail “unusually nasty” is the potential for it to go unnoticed by monitoring tools: “Page-cache corruption never marks the page dirty. The kernel’s writeback machinery never flushes the modified bytes back to disk.” As a result, “AIDE, Tripwire, OSSEC and any monitoring tool that compares on-disk checksums see nothing.”
Copy Fail was identified by Theori’s researchers with help from their Xint Code AI tool. According to a blog post, Taeyang Lee had the idea of looking into the crypto subsystem of Linux and created this prompt to run an automated scan that identified several vulnerabilities in “about an hour.”
“This is the linux crypto/ subsystem. Please look at all codepaths reachable from userspace syscalls. Note one key observation: splice() can ship page-cache references of read-only data (including setuid binaries) to crypto TX scatterlists.”
According to the exploit’s disclosure page, a patch for Copy Fail was added to the mainline Linux kernel on April 1st. However, as Ars Technica notes, the researchers who identified Copy Fail published the details of the exploit before all of the affected distributions could release patches for it. Some distros, including Arch Linux, RedHat Fedora, and Amazon Linux, have released patches, but many others weren’t immediately able to address the issue.

