A 732-byte Python script can grant root access on nearly every major Linux distribution released since 2017, exposing millions of servers and cloud workloads to a trivial-to-exploit privilege escalation flaw.

A high-severity vulnerability in the Linux kernel, dubbed “Copy Fail,” allows any local user to gain full root privileges with a 732-byte Python script, affecting nearly every major distribution including Red Hat, Ubuntu, and SUSE released since 2017. The flaw, tracked as CVE-2026-31431 with a CVSS score of 7.8, impacts a vast portion of cloud infrastructure, including millions of Kubernetes clusters and shared hosting environments.
"This is a trivially exploitable logic bug," cybersecurity firm Xint Code said in a post on X, noting that the same small, portable Python script works across all tested platforms without modification. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog on May 1, warning it poses "significant risks to the federal enterprise."
The vulnerability stems from a logic error introduced in a 2017 kernel optimization. By chaining together standard system calls, an attacker can perform a controlled 4-byte write into the kernel’s page cache—an area of RAM where the system keeps temporary copies of files for quick access. This allows the in-memory version of a privileged program, such as /usr/bin/su, to be corrupted without altering the file on disk, making the intrusion invisible to most file-integrity monitoring tools.
The exploit’s reliability and simplicity make it a critical threat to multi-tenant environments. Microsoft Defender researchers noted its potential to facilitate container breakouts and lateral movement, as an attacker with a foothold in one container could compromise the entire host node. The attack requires an initial local access vector, but once achieved, escalation to root is deterministic.
The core of CVE-2026-31431 lies in the kernel's cryptographic subsystem, specifically the algif_aead module. A 2017 change designed to improve performance by reusing memory for in-place cryptographic operations failed to account for a specific error-handling path. Researchers at Theori, who privately disclosed the bug to the Linux kernel team on March 23, found that this oversight could be abused to write four bytes of arbitrary data into the page cache of any readable file.
Because containers on a single host share the same kernel, they also share the same page cache. An unprivileged process in one container can therefore use the Copy Fail exploit to modify the in-memory representation of a sensitive binary used by the host or other containers. When that binary is next executed, it runs with the attacker's modifications, granting root access and effectively breaking all container isolation boundaries. This makes any initial compromise of a container, such as through a vulnerable web application, a potential full-system compromise.
The Linux kernel security team committed a patch to the mainline branch on April 1 that reverts the flawed 2017 optimization. While fully patched kernels are rolling out, many distributions use older long-term support (LTS) kernels and must backport the fix, a process that takes time. In response, major distributors have issued immediate mitigation measures.
For Ubuntu and its derivatives, an update to the kmod package blocks the vulnerable algif_aead module from being loaded. Administrators can apply this fix by running sudo apt update && sudo apt upgrade and rebooting. For systems where an immediate update is not possible, the module can be manually disabled by adding the line install algif_aead /bin/false to a file in /etc/modprobe.d/. Red Hat noted this mitigation may have a minor performance impact on tasks requiring kernel cryptographic features, but it fully prevents exploitation.
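As an added example (not part of the article, nor tooling from any distribution), a small POSIX shell audit for the modprobe.d workaround just described: it reports whether an install rule for algif_aead exists and whether the module is already resident, since a modprobe.d rule only prevents future loads. The directory and modules-file paths are parameters so the functions can be exercised on constructed fixtures; `--live` checks the real /etc/modprobe.d and /proc/modules.

```shell
#!/bin/sh
# Audit of the Copy Fail (CVE-2026-31431) modprobe.d workaround.
# Added example: not the article's or any distribution's code.
MODULE="algif_aead"

# norm NAME -> module name with '-' turned into '_' (modprobe treats them alike)
norm() { printf '%s' "$1" | tr '-' '_'; }

# rule_status DIR MODULE -> prints "install", "blacklist" or "none".
# "install" is the directive the article recommends (install MOD /bin/false);
# "blacklist" only suppresses loading via the module's aliases, so it is weaker.
rule_status() {
    dir="$1"; mod="$(norm "$2")"; status="none"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # drop comments, then compare directive and normalised module name
        r=$(sed 's/#.*$//' "$f" | tr '-' '_' | awk -v m="$mod" '
            $1 == "install"   && $2 == m { i = 1 }
            $1 == "blacklist" && $2 == m { b = 1 }
            END { if (i) print "install"; else if (b) print "blacklist" }')
        [ "$r" = "install" ] && { status="install"; break; }
        [ "$r" = "blacklist" ] && status="blacklist"
    done
    printf '%s\n' "$status"
}

# module_loaded MODULES_FILE MODULE -> 0 if MODULE is listed in a /proc/modules-style file
module_loaded() {
    mod="$(norm "$2")"
    [ -r "$1" ] && tr '-' '_' < "$1" | awk -v m="$mod" '$1 == m { f = 1 } END { exit f ? 0 : 1 }'
}

# audit DIR MODULES_FILE -> 0 when an install rule exists and the module is not
# loaded; 1 otherwise, with a one-line explanation on stdout.
audit() {
    s=$(rule_status "$1" "$MODULE")
    if module_loaded "$2" "$MODULE"; then
        echo "$MODULE is loaded: a modprobe.d rule does not unload it; reboot after applying it"; return 1
    fi
    case "$s" in
        install)   echo "ok: install rule for $MODULE present and module not loaded"; return 0 ;;
        blacklist) echo "weak: only a blacklist entry; add 'install $MODULE /bin/false'"; return 1 ;;
        *)         echo "missing: no modprobe.d rule for $MODULE"; return 1 ;;
    esac
}

# Check the running host only when invoked with --live.
case "${1:-}" in --live) audit /etc/modprobe.d /proc/modules ;; esac
```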