Copy Fail: New Linux bug enables Root via page‑cache corruption
April 30, 2026 
Linux flaw CVE‑2026‑31431, ‘Copy Fail,’ lets any local user write four bytes into page cache files, enabling easy escalation to root on major distros.
Xint Code researchers warn of a serious Linux flaw, tracked as CVE-2026-31431 (CVSS score of 7.8), dubbed Copy Fail. It lets any local, unprivileged user write four controlled bytes into the page cache of any readable file, enabling escalation to root on major distributions.
The bug combines AF_ALG and splice() to write 4 bytes into the page cache of any readable file. A 732-byte script can modify a setuid binary in memory, without changing the file on disk, making detection difficult. The issue affects major distributions like Ubuntu, RHEL, SUSE, and Amazon Linux, and can even cross container boundaries due to shared page cache.
“Copy Fail (CVE-2026-31431) is a logic bug in the Linux kernel’s authencesn cryptographic template. It lets an unprivileged local user trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system.” reads the report published by Xint Code. “A single 732-byte Python script can edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017.“
Copy Fail exploits a kernel logic flaw where corrupted page‑cache data is never marked dirty, leaving disk files unchanged while the in‑memory version is silently altered. Because the page cache is what processes read, an unprivileged user can corrupt a setuid binary’s cached page and gain root. The shared cache also lets the attack cross container boundaries. The bug, surfaced through AI‑assisted analysis of crypto‑subsystem behavior, is portable, tiny, race‑free, and stealthy, unlike Dirty Cow or Dirty Pipe. It works across major distros and architectures and forms the basis for both local privilege escalation and Kubernetes container escapes.
The bug starts in AF_ALG, which lets any user access the kernel crypto subsystem without privileges. Attackers use splice() to map file page cache pages directly into a crypto scatterlist, so operations act on real file-backed memory. During AEAD decryption, the kernel sets the operation in-place, mixing user buffers with page cache pages in one writable structure.
The authencesn algorithm breaks expectations: it uses the output buffer as scratch space and writes 4 bytes past the allowed boundary. In this setup, that write lands directly in the page cache of a chosen file. Attackers control the file, offset, and value, enabling precise memory corruption and privilege escalation.
This flaw emerged from combined changes over years, authencesn design, AF_ALG support, and a 2017 in-place optimization, creating a long-hidden but critical vulnerability.
The exploit targets /usr/bin/su, a common setuid-root binary on Linux systems.
- First, the attacker opens an AF_ALG socket and binds it to the vulnerable authencesn AEAD mode. No privileges are required. The attacker sets a cryptographic key and creates a request socket.
- Next, the attacker prepares each 4-byte write. The AAD carries the exact 4-byte value to inject, while splice() maps page cache pages from the target file into the crypto operation. Carefully chosen parameters force the kernel to treat a specific offset inside
/usr/bin/suas writable memory. - Then the attacker triggers recv(), which runs the decrypt operation. The kernel reads AAD data, performs the authencesn scratch write, and copies 4 bytes into the page cache of the target binary. The HMAC fails, but the corrupted memory remains. The process repeats until enough shellcode is injected into the cached binary.
- Finally, the attacker runs
execve("/usr/bin/su"). The kernel loads the modified version from the page cache instead of disk. Since su runs with setuid-root privileges, the injected code executes as root, giving full system control.
The researchers published a demo showing the same 732-byte exploit run on four Linux distributions, where a normal user (uid 1001) consistently gains root access. Tested systems include Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16, covering kernel versions 6.12 to 6.18, all successfully compromised.
“If your kernel was built between 2017 and the patch — which covers essentially every mainstream Linux distribution — you’re in scope.” the researchers wrote. “Copy Fail requires only an unprivileged local user account — no network access, no kernel debugging features, no pre-installed primitives. The kernel crypto API (AF_ALG) ships enabled in essentially every mainstream distro’s default config, so the entire 2017 → patch window is in play out of the box.”
The researchers published a PoC to allow defenders to verify their own systems and validate vendor patches.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Linux)
