A critical Linux kernel zero-day vulnerability, dubbed 'Copy.Fail' (CVE-2026-31431), has been publicly disclosed, enabling local privilege escalation (LPE) to root across nearly all Linux distributions since 2017. This flaw, discovered by Theori's Xint Code AI system in approximately one hour, presents a formidable threat due to its extreme reliability and stealthy execution: it corrupts only the in-memory page cache, never the file on disk, so traditional disk forensics does not see it. Exploitation is already underway, with public Python scripts widely available, making immediate patching and mitigation critical for at-risk environments such as Kubernetes clusters and CI/CD pipelines.

What Happened

The Copy.Fail Linux kernel zero-day, tracked as CVE-2026-31431, was publicly disclosed, revealing a local privilege escalation (LPE) flaw that grants unprivileged local users root access. The vulnerability affects virtually all major Linux distributions released since 2017, including Ubuntu, Amazon Linux, RHEL, and SUSE, as noted by ThreatLocker. Its discovery by Theori's AI system, Xint Code, in roughly 60 minutes using a single prompt against the Linux crypto subsystem, marks a significant acceleration in exploit hunting capabilities, as reported by Cyberscoop.

The exploit itself leverages a logical flaw in the Linux kernel's AF_ALG AEAD (authenticated encryption with associated data) handling. This allows page-cache-backed file pages to be chained into a writable scatterlist during an in-place decryption operation. Subsequently, the authencesn algorithm performs a 4-byte scratch write beyond its intended output boundary, corrupting the in-memory page cache of a readable file without modifying the file on disk, making detection challenging for conventional disk forensics, according to SecurityWeek. A public 732-byte Python script demonstrates this exploit's viability on multiple distributions, prompting urgent action.

Why It Matters

The Copy.Fail vulnerability is alarmingly reliable, functioning consistently across mainstream Linux distributions without requiring race conditions, kernel address leaks, or distribution-specific behaviors, as highlighted by ThreatLocker. This consistent reliability makes it a high-value asset, commanding a significantly higher price on the grey market if found by human researchers, according to Cyberscoop.

Key risks associated with Copy.Fail include escape from a compromised container to the host, a malicious CI job gaining root on its runner, and cross-tenant compromise of shared infrastructure. Environments at particularly high risk include Kubernetes clusters, CI/CD systems, shared development environments, and cloud notebook platforms. OVHcloud has already begun preparing patched MKS versions for its Kubernetes clusters, with expected availability around April 30, 2026, as stated in its advisory; it has also provided a DaemonSet manifest for immediate mitigation in MKS clusters while official patches are awaited. The exploit underscores the fundamental weakness of traditional, detection-based security controls against unknown threats, emphasizing the need for a Zero Trust approach, like that offered by Cloudflare Zero Trust, which denies anything not explicitly approved.

NVD advisory — CVE-2026-31431

Technical Breakdown

The core of CVE-2026-31431 lies in a logical flaw within the Linux kernel's AF_ALG AEAD (Authenticated Encryption with Associated Data) implementation. When an unprivileged local user supplies a page-cache-backed file page as the buffer for an in-place decryption operation, the kernel wrongly chains that page into a writable scatterlist. That should never happen for a page the user is only permitted to read.

Consider this like giving someone a copy of a sensitive document (the file page) to read, but mistakenly providing them with a special pen (the writable scatterlist) that can subtly alter the original document's in-memory version without touching the physical paper itself. Specifically, the authencesn algorithm, part of the crypto subsystem, then attempts a decryption. During this process, it performs a small 4-byte scratch write that unintentionally extends beyond its designated output boundary. This overflow directly corrupts the in-memory page cache of a readable file. Crucially, this memory corruption does not modify the file on disk. Attackers can exploit this to temporarily hijack binaries, such as /usr/bin/su, allowing a normal user to become root by subtly altering the execution flow of these critical binaries in memory; the alteration lasts only as long as the corrupted page stays in the page cache, that is, until it is evicted or the host reboots. This maps to MITRE ATT&CK T1068, Exploitation for Privilege Escalation. To defend against such low-level kernel exploits, robust configuration management (NIST SP 800-53 CM-6 Configuration Settings) is vital, ensuring kernel parameters and module loading are tightly controlled.
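Because the corruption lives only in the page cache, a defender can look for it by comparing what the cache serves with what is actually on disk: a normal read() returns the cached (possibly corrupted) bytes, while an O_DIRECT read bypasses the cache. The script below is an added example written for this article, not code from the article or from any vendor it names; it assumes a Linux host with a filesystem that honours O_DIRECT (ext4, XFS) and defaults to checking /usr/bin/su, the binary the article names as a hijack target. Paths and the sample data are constructed for illustration.

```python
"""Compare a file's page-cache contents with its on-disk bytes.

Added example for CVE-2026-31431 (Copy.Fail), not the article's own code.
A normal read() is served from the page cache, so it returns whatever an
in-memory corruption left there; an O_DIRECT read bypasses the cache and
returns the bytes on disk.  A mismatch is the signal disk-only forensics
cannot see.
"""
import hashlib
import mmap
import os
import sys
import tempfile

CHUNK = 1 << 20  # 1 MiB: a multiple of every common logical block size


def hash_cached(path: str) -> str:
    """SHA-256 of the bytes a normal read returns (page cache, if populated)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_direct(path: str):
    """SHA-256 of the on-disk bytes via O_DIRECT, or None if unsupported.

    O_DIRECT requires a block-aligned buffer; an anonymous mmap is
    page-aligned, which satisfies any logical block size up to 4 KiB.
    Filesystems that reject O_DIRECT (tmpfs on older kernels, some
    network filesystems) make the check impossible, so we say so
    rather than guess.
    """
    flag = getattr(os, "O_DIRECT", None)
    if flag is None:  # not Linux
        return None
    try:
        fd = os.open(path, os.O_RDONLY | flag)
    except OSError:
        return None
    h = hashlib.sha256()
    buf = mmap.mmap(-1, CHUNK)  # anonymous mapping: page-aligned scratch buffer
    try:
        while True:
            try:
                n = os.readv(fd, [buf])  # direct read, short read at EOF is fine
            except OSError:
                return None
            if n == 0:
                break
            h.update(buf[:n])
    finally:
        buf.close()
        os.close(fd)
    return h.hexdigest()


def check_file(path: str) -> str:
    """Return 'clean', 'mismatch' or 'unverifiable' for one file."""
    cached = hash_cached(path)
    direct = hash_direct(path)
    if direct is None:
        return "unverifiable"
    return "clean" if cached == direct else "mismatch"


def check_files(paths) -> dict:
    """Map each path to its verdict; unreadable or missing paths get 'error'."""
    results = {}
    for p in paths:
        try:
            results[p] = check_file(p)
        except OSError:
            results[p] = "error"
    return results


# Constructed sample data (not a real binary) used to exercise the checker.
SAMPLE = b"constructed sample content, not a real binary\n" * 512
SAMPLE_SHA256 = hashlib.sha256(SAMPLE).hexdigest()


def write_sample(data: bytes = SAMPLE) -> str:
    """Write constructed bytes to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(prefix="copyfail-check-")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    # Default target is the binary the article names; pass others as arguments.
    targets = sys.argv[1:] or ["/usr/bin/su"]
    for path, verdict in check_files(targets).items():
        print(f"{verdict:12s} {path}")
```

Run it on the live host before rebooting or dropping caches, since either evicts the corrupted page and destroys the evidence. A mismatch can also come from a legitimate write still in flight (a package upgrade, for instance), so re-check after a moment before escalating; and an attacker who has already reached root through this flaw could tamper with the checker itself, so treat a clean result as one signal among several, not as proof.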

Historical Context

The Copy.Fail vulnerability shares similarities with the Dirty Pipe flaw (CVE-2022-0847), discovered in March 2022. Both are local privilege escalation vulnerabilities in the Linux kernel that allow an unprivileged user to overwrite data in arbitrary read-only files, ultimately leading to root access. Dirty Pipe exploited a flaw in the kernel's pipe buffer handling that let attacker-controlled data be injected into the page cache of read-only files.

However, a key difference with Copy.Fail is its AI-driven discovery in a remarkably short timeframe, approximately one hour, by Theori's Xint Code, as detailed by ThreatLocker. Dirty Pipe was discovered by human researcher Max Howell. This rapid, automated discovery points to a significant shift in exploit hunting capabilities. Furthermore, Copy.Fail's exploitation method, which only alters RAM and bypasses disk forensics, offers a stealthier attack vector than Dirty Pipe, which could leave traces on disk under certain conditions. The widespread impact across virtually all Linux distributions since 2017 is also reminiscent of Dirty Pipe's broad reach.

Data at a Glance

Metric                   Value               Source
CVE ID                   CVE-2026-31431      Bugcrowd
AI Discovery Time        1 hour              ThreatLocker
Affected Linux Versions  Since 2017          ThreatLocker
OVHcloud Patch ETA       April 30, 2026      OVHcloud
Exploit Script Size      732 bytes (Python)  SecurityWeek

[Chart: key metrics for AI-Discovered 'Copy.Fail' Linux Zero-Day Threatens Systems Since 2017; data from the sources cited above]

Our Take

We view the Copy.Fail zero-day as a critical bellwether, not just another LPE. The discovery by an AI in such a short timeframe fundamentally changes the economics of exploit research and the speed at which we can expect sophisticated vulnerabilities to emerge. Its reliability across nearly all recent Linux distributions without race conditions or leaks, coupled with its RAM-only persistence, makes it an exceptionally dangerous primitive for container escape and shared environment compromise. This isn't just a patch priority; it's a re-evaluation of how quickly our defensive postures can adapt to AI-accelerated threats.

The CVEDaily Take

The speed and efficacy of Xint Code in discovering Copy.Fail should be a wake-up call for every security team managing Linux fleets. This isn't theoretical AI threat modeling; it's operationalized exploit generation, and the impact is a highly reliable, stealthy privilege escalation. Have your teams begun exploring static analysis tools or fuzzers for similar kernel primitives, perhaps even AI-driven ones?

FAQ

Q: What specific Linux versions are affected by Copy.Fail?
A: Copy.Fail affects virtually all major Linux distributions released since 2017, including Ubuntu, Amazon Linux, RHEL, and SUSE, as confirmed by ThreatLocker.

Q: How does the Copy.Fail exploit avoid disk forensics?
A: The exploit works by corrupting the in-memory page cache of a readable file without modifying the actual file on disk. This means traditional disk-based forensic tools won't detect the compromise, making incident response significantly harder.

Q: What immediate mitigations are available for Kubernetes clusters?
A: For OVHcloud MKS clusters, a DaemonSet manifest has been provided for immediate mitigation while awaiting official patches. Generally, implementing Zero Trust principles, like those enforced by SentinelOne endpoints, can help prevent unapproved processes from gaining elevated privileges, even with an active exploit.