Yesterday, Theori disclosed CVE-2026-31431, dubbed Copy Fail, a Linux kernel vulnerability that allows any unprivileged local user to gain root access on virtually every major Linux distribution shipped since 2017.
In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead – Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.
Uzair Gadit, CEO and Founder of Secure.com, offers perspective and advice:
“The exploit is a fairly simple 732-byte Python script. The implications are far more significant than another critical CVE, because if your kernel was built between 2017 and the patch, you’re in scope, which likely covers essentially every mainstream Linux distribution.
“The risk is highest in any environments where namespace isolation (which containers provide) is assumed to be sufficient to protect tenants from one another. The boundaries that hold are the ones that don’t share a kernel. For example, AWS Lambda and Fargate run on Firecracker microVMs, with separate kernels per tenant and no shared page cache. Cloudflare Workers run on V8 isolates, with no Linux kernel in the threat model at all. gVisor interposes a user-space kernel that does not share the host’s algif_aead.
“That said, development infrastructures, cloud and containerization, CI/CD pipelines and serverless and sandboxing environments are all at risk.
“What matters even more than the vulnerability itself is how it was found. An AI system discovered a nine-year-old logic flaw in just about an hour.
“Affected organizations should immediately patch their kernel. The official fix (commit a664bf3d603d) reverts algif_aead.c to out-of-place AEAD operation, permanently separating the TX scatterlist (which may contain page cache pages) from the RX scatterlist (the user’s output buffer).
The patch should be immediately done through the distribution’s update channel, including
· Ubuntu: kernel security updates
· RHEL: RHSA advisories
· SUSE: SUSE Security Updates
· Amazon Linux: Amazon Linux Security Center
“Any organization that cannot patch immediately should disable the vulnerable module.”
Ryan McCurdy, VP, Liquibase:
What makes Copy Fail different is not just the bug itself, it is the combination of reach and discovery speed. The disclosure suggests a single short Python script can turn a normal local user into root across a wide range of Linux systems shipped since 2017, including environments like CI runners and container hosts that many organizations rely on every day. The other wake-up call is how it was found. If AI-assisted tooling can surface a bug like this in about an hour, the gap between unknown vulnerability and practical exploit is shrinking fast. That means the real challenge is no longer just finding flaws. It is whether enterprises can patch, isolate, and reduce blast radius quickly enough when vulnerability discovery starts moving at machine speed. “
Noelle Murata, Chief Operating Officer, Xcape, Inc.:
“Paste Tense: From Clipboard Tricks to Kernel Root
“Copy Fail is a critical logic flaw in the Linux page cache that lets an unprivileged user gain root access with a simple script. Please patch this across the fleet immediately. While the name originally poked fun at terminal pastejacking, the 2026 reality is a high-severity Local Privilege Escalation (LPE) that breaks fundamental memory isolation by tricking the kernel into mismanaging file-backed pages. This is a silent threat because it requires no complex heap grooming or Return-Oriented Programming (ROP) chains, making it highly reliable for attackers who have already gained a foothold via web shells or compromised containers. Beyond the kernel patch, security leaders should treat this as a catalyst to audit terminal configurations for Bracketed Paste Mode, which serves as a secondary defense against older clipboard-injection-style Copy Fail attacks. Prioritize updates for public-facing Linux servers and developer workstations, as these are the primary targets for the initial access required to trigger this exploit.
“Because apparently, in 2026, even “control-C” is a high-risk activity.”
Rajeev Raghunarayan, Head of GTM at Averlon:
“Copy Fail is notable because it turns a local Linux kernel issue into a broadly portable privilege-escalation primitive. A small, reliable exploit that works across major distributions without race conditions, user interaction, or heavy customization makes it much easier to operationalize at scale.
“The real risk shows up in shared environments. In Kubernetes clusters, CI pipelines, and other systems running untrusted code, a local privilege escalation can become a stepping stone to compromising the underlying host or moving beyond the initial workload. That’s what makes this more than just another kernel CVE. Organizations should prioritize patching and, where that’s not immediately possible, restrict access to the affected kernel interfaces, especially in shared and containerized environments.”
Jacob Krell, Senior Director, Secure AI Solutions and Cybersecurity, Suzu Labs:
”Copy Fail is qualitatively different from the steady stream of Linux kernel privilege escalation disclosures. Most LPEs require a race condition, a narrow kernel version, or complex heap grooming. This one needs none of that. Theori demonstrated a 732-byte Python exploit with no external dependencies that reliably gains root on major distributions running affected kernels shipped since 2017. The exposed surface is the kernel crypto API, specifically AF_ALG and algif_aead, enabled by default in most environments and rarely treated by enterprises as meaningful attack surface. Any environment where untrusted users or workloads share a kernel, whether container clusters, CI runners, or multi-tenant hosts, should treat this as urgent. Once local code execution becomes root, container and host level isolation assumptions degrade quickly.
“The discovery method matters as much as the vulnerability itself. Theori reports that AI assisted tooling surfaced the flaw in roughly an hour of scanning against the Linux crypto subsystem. That is the real signal. Vulnerability research is entering a wild west era where discovery cycles are shorter, exploit development friction is lower, and the volume of high impact findings will outpace most organizations’ capacity to remediate. Defenders should expect the interval between “unknown,” “public,” and “weaponized” to keep compressing.”
If you run LINUX on any scale, you should be taking action ASAP. This website goes into the weeds and offers very good guidance on what you need to do.
Copy Fail Linux vuln allows root access
Posted in Commentary with tags LINUX on April 30, 2026 by itnerdYesterday, Theori disclosed CVE-2026-31431, dubbed Copy Fail, a Linux kernel vulnerability that allows any unprivileged local user to gain root access on virtually every major Linux distribution shipped since 2017.
In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead – Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.
Uzair Gadit, CEO and Founder of Secure.com, offers perspective and advice:
“The exploit is a fairly simple 732-byte Python script. The implications are far more significant than another critical CVE, because if your kernel was built between 2017 and the patch, you’re in scope, which likely covers essentially every mainstream Linux distribution.
“The risk is highest in any environments where namespace isolation (which containers provide) is assumed to be sufficient to protect tenants from one another. The boundaries that hold are the ones that don’t share a kernel. For example, AWS Lambda and Fargate run on Firecracker microVMs, with separate kernels per tenant and no shared page cache. Cloudflare Workers run on V8 isolates, with no Linux kernel in the threat model at all. gVisor interposes a user-space kernel that does not share the host’s algif_aead.
“That said, development infrastructures, cloud and containerization, CI/CD pipelines and serverless and sandboxing environments are all at risk.
“What matters even more than the vulnerability itself is how it was found. An AI system discovered a nine-year-old logic flaw in just about an hour.
“Affected organizations should immediately patch their kernel. The official fix (commit a664bf3d603d) reverts algif_aead.c to out-of-place AEAD operation, permanently separating the TX scatterlist (which may contain page cache pages) from the RX scatterlist (the user’s output buffer).
The patch should be immediately done through the distribution’s update channel, including
· Ubuntu: kernel security updates
· RHEL: RHSA advisories
· SUSE: SUSE Security Updates
· Amazon Linux: Amazon Linux Security Center
“Any organization that cannot patch immediately should disable the vulnerable module.”
Ryan McCurdy, VP, Liquibase:
What makes Copy Fail different is not just the bug itself, it is the combination of reach and discovery speed. The disclosure suggests a single short Python script can turn a normal local user into root across a wide range of Linux systems shipped since 2017, including environments like CI runners and container hosts that many organizations rely on every day. The other wake-up call is how it was found. If AI-assisted tooling can surface a bug like this in about an hour, the gap between unknown vulnerability and practical exploit is shrinking fast. That means the real challenge is no longer just finding flaws. It is whether enterprises can patch, isolate, and reduce blast radius quickly enough when vulnerability discovery starts moving at machine speed. “
Noelle Murata, Chief Operating Officer, Xcape, Inc.:
“Paste Tense: From Clipboard Tricks to Kernel Root
“Copy Fail is a critical logic flaw in the Linux page cache that lets an unprivileged user gain root access with a simple script. Please patch this across the fleet immediately. While the name originally poked fun at terminal pastejacking, the 2026 reality is a high-severity Local Privilege Escalation (LPE) that breaks fundamental memory isolation by tricking the kernel into mismanaging file-backed pages. This is a silent threat because it requires no complex heap grooming or Return-Oriented Programming (ROP) chains, making it highly reliable for attackers who have already gained a foothold via web shells or compromised containers. Beyond the kernel patch, security leaders should treat this as a catalyst to audit terminal configurations for Bracketed Paste Mode, which serves as a secondary defense against older clipboard-injection-style Copy Fail attacks. Prioritize updates for public-facing Linux servers and developer workstations, as these are the primary targets for the initial access required to trigger this exploit.
“Because apparently, in 2026, even “control-C” is a high-risk activity.”
Rajeev Raghunarayan, Head of GTM at Averlon:
“Copy Fail is notable because it turns a local Linux kernel issue into a broadly portable privilege-escalation primitive. A small, reliable exploit that works across major distributions without race conditions, user interaction, or heavy customization makes it much easier to operationalize at scale.
“The real risk shows up in shared environments. In Kubernetes clusters, CI pipelines, and other systems running untrusted code, a local privilege escalation can become a stepping stone to compromising the underlying host or moving beyond the initial workload. That’s what makes this more than just another kernel CVE. Organizations should prioritize patching and, where that’s not immediately possible, restrict access to the affected kernel interfaces, especially in shared and containerized environments.”
Jacob Krell, Senior Director, Secure AI Solutions and Cybersecurity, Suzu Labs:
”Copy Fail is qualitatively different from the steady stream of Linux kernel privilege escalation disclosures. Most LPEs require a race condition, a narrow kernel version, or complex heap grooming. This one needs none of that. Theori demonstrated a 732-byte Python exploit with no external dependencies that reliably gains root on major distributions running affected kernels shipped since 2017. The exposed surface is the kernel crypto API, specifically AF_ALG and algif_aead, enabled by default in most environments and rarely treated by enterprises as meaningful attack surface. Any environment where untrusted users or workloads share a kernel, whether container clusters, CI runners, or multi-tenant hosts, should treat this as urgent. Once local code execution becomes root, container and host level isolation assumptions degrade quickly.
“The discovery method matters as much as the vulnerability itself. Theori reports that AI assisted tooling surfaced the flaw in roughly an hour of scanning against the Linux crypto subsystem. That is the real signal. Vulnerability research is entering a wild west era where discovery cycles are shorter, exploit development friction is lower, and the volume of high impact findings will outpace most organizations’ capacity to remediate. Defenders should expect the interval between “unknown,” “public,” and “weaponized” to keep compressing.”
If you run LINUX on any scale, you should be taking action ASAP. This website goes into the weeds and offers very good guidance on what you need to do.
1 Comment »