A logic flaw sitting undetected in the Linux kernel for nearly nine years lets any unprivileged local user gain root access on virtually every mainstream Linux distribution shipped since 2017, security researchers at Theori said.
The vulnerability, CVE-2026-31431, is named Copy Fail and carries a severity rating of 7.8 out of 10.
It affects Ubuntu, Amazon Linux, Red Hat Enterprise Linux, SUSE, and others, spanning multiple kernel lines since 2017.
Unlike earlier high-profile Linux privilege escalation bugs such as Dirty Cow, Copy Fail requires no race condition, no kernel-version-specific offsets, and no compiled payload to exploit.
“The same exact script works on every tested distribution and architecture,” Theori’s Xint Code research team said in their technical report.
That exploit is a 732-byte Python script using only standard library modules, and it works unmodified across every distribution the researchers tested.
The root cause lies in the intersection of three independent kernel changes spanning 2011 to 2017, none of which was problematic in isolation.
A 2017 performance optimisation to algif_aead.c switched the kernel’s authenticated encryption with associated data (AEAD) cryptographic interface to in-place operation.
This meant that the same memory region served as both input and output during decryption.
As a result, cached memory pages fed into the cryptographic subsystem via splice() were left sitting inside a buffer the Linux kernel could write into.
Meanwhile, a separate component, the authencesn cryptographic template used by the IPsec protocol suite to secure network traffic, was already writing four bytes past its legitimate output boundary as scratch space during decryption.
Combined, the outcome is a controlled 4-byte write into the kernel’s in-memory cached copy of a setuid binary, with the attacker choosing which file, which offset, and which value.
Theori said a second part of the disclosure, covering a Kubernetes container escape built on the same primitive, is next.
The page cache is shared across all processes on a Linux host, including across container boundaries, meaning a compromised pod can potentially corrupt a setuid binary on the host node and cross Kubernetes tenant boundaries.
A fix was committed to the mainline kernel on April 1 that reverts the 2017 in-place optimisation entirely.
Organisations that cannot immediately patch should blacklist the algif_aead kernel module, a step Theori said will have no measurable impact on the vast majority of systems.
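As an added example, not code from Theori's report or from any distribution, here is a small POSIX shell helper for applying and checking the interim module-blocking step described above; the drop-in directory and file name are assumptions, and the loaded/built-in checks use standard lsmod and modules.builtin formats.

```shell
#!/bin/sh
# Added example (not from Theori's report): interim mitigation helper for
# CVE-2026-31431 (Copy Fail) that blocks the algif_aead module from loading.
# CONF_DIR and the drop-in file name are assumptions; adjust per distribution.

CONF_DIR="${CONF_DIR:-/etc/modprobe.d}"
CONF_FILE="$CONF_DIR/disable-algif_aead.conf"

# Content of the modprobe drop-in. A bare "blacklist" line only stops
# alias-based autoloading; the "install ... /bin/false" line also blocks
# on-demand loading triggered from inside the kernel, so both are emitted.
algif_aead_conf() {
    printf '%s\n' \
        '# CVE-2026-31431 (Copy Fail) mitigation: block the algif_aead module' \
        'blacklist algif_aead' \
        'install algif_aead /bin/false'
}

# Return 0 if algif_aead appears in the given lsmod-style text ($1).
algif_aead_loaded() {
    printf '%s\n' "$1" | awk '$1 == "algif_aead" { found = 1 } END { exit !found }'
}

# Return 0 if algif_aead is compiled into the running kernel, in which case a
# modprobe drop-in cannot block it and a patched kernel is the only fix.
algif_aead_builtin() {
    grep -q 'crypto/algif_aead\.ko' "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null
}

# Write the drop-in and try to unload the module if it is currently loaded.
apply_mitigation() {
    if algif_aead_builtin; then
        echo "algif_aead is built into this kernel; patch the kernel instead" >&2
        return 1
    fi
    mkdir -p "$CONF_DIR"
    algif_aead_conf > "$CONF_FILE"
    if algif_aead_loaded "$(lsmod 2>/dev/null)"; then
        rmmod algif_aead 2>/dev/null || echo "algif_aead in use; reboot to unload" >&2
    fi
    echo "wrote $CONF_FILE"
}
```

Run `apply_mitigation` as root; the check functions can be called on their own to audit a host without changing it.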
Theori said the vulnerability was found by researcher Taeyang Lee using the Xint Code artificial intelligence scanning tool.