"Copy Fail" CVE-2026-31431: 732-Byte Python Script Roots Every Major Linux Distribution Since 2017 (April 29, 2026)
On April 29, 2026, Theori researcher Taeyang Lee and the Xint Code Research Team publicly disclosed CVE-2026-31431, dubbed "Copy Fail", a nine-year-old logic bug in the Linux kernel's algif_aead cryptographic template that lets any unprivileged local user obtain root on essentially every major Linux distribution shipped since August 2017. A self-contained 732-byte Python script triggers a deterministic four-byte write into the page cache of any readable file, edits a setuid binary in place, and returns a root shell within seconds.
What Happened
Theori reported the flaw to the Linux kernel security team on . Patches were committed to mainline on , the CVE was assigned on , and the embargo lifted on April 29, 2026 with a coordinated disclosure across the kernel security list, CERT-EU, Wiz, Sysdig, Tenable and a dedicated landing page at copy.fail. Red Hat assigned a CVSSv3 base score of 7.8 (High); Wiz, Sysdig and several distribution vendors nonetheless treat it operationally as critical because the exploit is reliable, distribution-agnostic, and works from inside a container as a host-escape primitive.
The bug originates in a 2017 commit to crypto/algif_aead.c that mishandles a partial-copy boundary in the AEAD socket interface. The result is a controlled four-byte write into a page-cache page of any file the attacker can read. Because the page cache backs every file on the system, and setuid binaries such as /usr/bin/su are world-readable, the attacker can patch a one-instruction window into the cached copy of such a binary, execute it, and inherit root. There is no race to win, no kernel offset to guess and no ASLR to bypass: the same 732-byte script works unmodified across Ubuntu, Debian, Fedora, RHEL, AlmaLinux, Rocky Linux, Arch, openSUSE, and the major cloud kernels.
Key Details
- CVE: CVE-2026-31431, CVSSv3 base score 7.8 (High), category local privilege escalation.
- Affected: every mainline Linux kernel built since August 2017 with `CONFIG_CRYPTO_USER_API_AEAD` enabled, which is essentially every distribution kernel.
- Exploit: a 732-byte Python script published with the disclosure. It triggers a deterministic 4-byte write into the page cache and patches a setuid binary in place.
- Container impact: Wiz and Sysdig confirm the exploit works from inside an unprivileged container as a host escape and Kubernetes-node compromise primitive.
- Patches landed: AlmaLinux 8 in `kernel-4.18.0-553.121.1.el8_10`, AlmaLinux 9 in `kernel-5.14.0-611.49.2.el9_7`, AlmaLinux 10 in `kernel-6.12.0-124.52.2.el10_1`; Ubuntu, Debian, Fedora and SUSE shipped kernel updates within 24 hours of disclosure. KernelCare distributed live patches the same day.
- Discovery method: partially AI-assisted. Theori credits its in-house static analysis tool Xint Code with surfacing the candidate path, which Lee then exploited manually.
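To check a host against the fixed AlmaLinux builds listed above, here is an added example (not code from Theori, AlmaLinux or any vendor named on this page). It parses the running kernel release, compares it with the fixed build for the matching el-tag, and confirms from the kernel config that the AEAD user API is enabled at all. Only the three AlmaLinux builds quoted on this page are in the table; the fixed Ubuntu, Debian, Fedora and SUSE versions are not given here, so any other kernel reports "unknown". The config paths `/boot/config-<release>` and `/proc/config.gz` are the kernel's usual locations, not something the advisory specifies.

```python
#!/usr/bin/env python3
"""Exposure check for CVE-2026-31431 against the AlmaLinux fixed builds quoted in the article.

Added example, not vendor code. It answers two questions offline:
  1. Does this kernel expose the AEAD user API at all (CONFIG_CRYPTO_USER_API_AEAD=y or =m)?
  2. Is the running build at or past the fixed build for its el-tag?
A live-patched host (KernelCare, kpatch, Livepatch) keeps its old `uname -r`, so a
"vulnerable" verdict here is a prompt to check live-patch status, not a final answer.
"""
import gzip
import platform
import re
from pathlib import Path

# Fixed builds named in the AlmaLinux advisory quoted above, keyed by el-tag.
FIXED_BUILDS = {
    "el8_10": "4.18.0-553.121.1.el8_10",
    "el9_7": "5.14.0-611.49.2.el9_7",
    "el10_1": "6.12.0-124.52.2.el10_1",
}

# 4.18.0-553.121.1.el8_10.x86_64  ->  version, build, el-tag, optional arch suffix
_RELEASE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-([\d.]+)\.(el\d+(?:_\d+)?)(?:\.(\S+))?$")


def parse_release(release):
    """Split an RHEL-family kernel release into comparable tuples; None if not RHEL-style."""
    m = _RELEASE.match(release)
    if m is None:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    build = tuple(int(part) for part in m.group(4).split("."))
    return version, build, m.group(5)


def aead_api_enabled(config_text):
    """True when CONFIG_CRYPTO_USER_API_AEAD is built in (=y) or as a module (=m)."""
    for line in config_text.splitlines():
        if line.startswith("CONFIG_CRYPTO_USER_API_AEAD="):
            return line.split("=", 1)[1].strip() in ("y", "m")
    return False  # option absent or '# CONFIG_CRYPTO_USER_API_AEAD is not set'


def assess(release, config_text):
    """Return 'not-exposed', 'patched', 'vulnerable' or 'unknown' for one kernel."""
    if not aead_api_enabled(config_text):
        return "not-exposed"
    parsed = parse_release(release)
    if parsed is None:
        return "unknown"  # not an RHEL-style release; consult that vendor's advisory
    version, build, tag = parsed
    fixed = FIXED_BUILDS.get(tag)
    if fixed is None:
        return "unknown"  # el-tag not in the table above
    fixed_version, fixed_build, _ = parse_release(fixed)
    return "patched" if (version, build) >= (fixed_version, fixed_build) else "vulnerable"


def load_running_config(release):
    """Read the running kernel's config from /boot or /proc/config.gz; None if neither exists."""
    boot = Path("/boot") / f"config-{release}"
    if boot.exists():
        return boot.read_text()
    proc = Path("/proc/config.gz")
    if proc.exists():
        return gzip.decompress(proc.read_bytes()).decode()
    return None


if __name__ == "__main__":
    running = platform.release()
    config = load_running_config(running)
    verdict = assess(running, config) if config is not None else "unknown (no kernel config found)"
    print(running, verdict)
```

The build comparison is on numeric tuples, so `553.121.1` correctly sorts after `553.120.3` and before `553.121.2`; a release string the regex does not recognise is deliberately reported as unknown rather than guessed at.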
What Developers and Operators Are Saying
Reaction on Hacker News and Reddit's r/netsec has been a mixture of admiration for the exploit's elegance and unease at the disclosure timing. Top-voted HN comments noted that the bug shipped in 2017, sat in the tree for nine years, and was found in part by an AI-assisted scanner, and argued that a wave of similar long-lived kernel bugs is now likely. Several Kubernetes operators reported needing to coordinate emergency node-image rebuilds; cloud providers including AWS, GCP and Azure pushed managed-kernel updates within hours. The widely shared Wiz blog post by Shir Tamari called Copy Fail "the cleanest universal Linux LPE we have seen since Dirty Pipe," and Tenable's analysis emphasised that no public exploitation was observed before disclosure.
What This Means for Developers
If you operate Linux servers, Kubernetes nodes or CI/CD runners, treat this as a same-day patching event. The exploit is public, reliable, and works from inside an unprivileged container — meaning any tenant on a multi-tenant Kubernetes cluster running an unpatched kernel can compromise the host. CERT-EU's official guidance recommends prioritising Kubernetes nodes and CI runners. KernelCare, kpatch and Ubuntu's Livepatch all support this fix without a reboot, so the operational excuse for waiting is thin. For application developers, there is no application-level workaround — the only mitigation is updating the kernel.
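Every user-space path into algif_aead begins with an AF_ALG socket, the kernel's user-space crypto API, and on most fleets unprivileged processes rarely open one. One way to turn that into a stopgap detection while patches roll out, as an added example rather than anything from Wiz, Sysdig or Theori: log socket() calls with family AF_ALG (38) via auditd, for instance `-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg`, and triage the records by uid and executable. The audit lines below are constructed for the example; the x86_64 syscall number (41) and the AF_ALG value come from the kernel headers, and the assumption that only root-owned tooling legitimately uses AF_ALG is one to adjust for your own environment.

```python
#!/usr/bin/env python3
"""Triage auditd SYSCALL records for AF_ALG socket creation by unprivileged users.

Added example, not vendor or Theori code. Pairs with an audit rule such as
    -a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg
Any user-space path to algif_aead starts with socket(AF_ALG, SOCK_SEQPACKET, 0),
so a non-root process opening AF_ALG sockets deserves a look on an unpatched host.
Legitimate callers exist (disk-encryption tooling, some crypto libraries):
treat the output as a lead, not a verdict.
"""
import re
from collections import Counter

AF_ALG = 38                  # linux/socket.h; audit prints syscall args in hex, so it shows as a0=26
SYSCALL_SOCKET_X86_64 = 41   # socket() on x86_64 (arch=c000003e)
ARCH_X86_64 = "c000003e"

_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample records (not real logs): two AF_ALG opens by uid 1000,
# one ordinary AF_INET socket, one AF_ALG open by root, one unrelated record type.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1714400000.101:3001): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=2201 pid=2202 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3.12" key="af_alg"
type=SYSCALL msg=audit(1714400000.102:3002): arch=c000003e syscall=41 success=yes exit=4 a0=26 a1=5 a2=0 a3=0 items=0 ppid=2201 pid=2202 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3.12" key="af_alg"
type=SYSCALL msg=audit(1714400000.103:3003): arch=c000003e syscall=41 success=yes exit=5 a0=2 a1=1 a2=6 a3=0 items=0 ppid=2300 pid=2301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="curl" exe="/usr/bin/curl" key="net_sockets"
type=SYSCALL msg=audit(1714400000.104:3004): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1 pid=911 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="af_alg"
type=PROCTITLE msg=audit(1714400000.101:3001): proctitle=707974686F6E33
"""


def parse_audit_record(line):
    """Flatten one audit line into a dict of key=value fields, quotes stripped."""
    return {key: value.strip('"') for key, value in _FIELD.findall(line)}


def is_af_alg_socket(record):
    """True for an x86_64 SYSCALL record of socket() whose first argument is AF_ALG."""
    if record.get("type") != "SYSCALL" or record.get("arch") != ARCH_X86_64:
        return False
    if record.get("syscall") != str(SYSCALL_SOCKET_X86_64):
        return False
    try:
        return int(record.get("a0", ""), 16) == AF_ALG
    except ValueError:
        return False


def find_af_alg_callers(lines, exempt_uids=frozenset({0})):
    """Aggregate AF_ALG socket opens by (uid, comm, exe) for non-exempt users.

    Returns a sorted list of (uid, comm, exe, count) rows."""
    hits = Counter()
    for line in lines:
        record = parse_audit_record(line)
        if not is_af_alg_socket(record):
            continue
        uid = int(record.get("uid", "-1"))
        if uid in exempt_uids:
            continue
        hits[(uid, record.get("comm", ""), record.get("exe", ""))] += 1
    return sorted((uid, comm, exe, n) for (uid, comm, exe), n in hits.items())


if __name__ == "__main__":
    for uid, comm, exe, n in find_af_alg_callers(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"uid={uid} comm={comm} exe={exe} af_alg_sockets={n}")
```

Run against the sample it reports only the uid 1000 python3 process with two AF_ALG sockets; the root cryptsetup record is filtered by `exempt_uids`, and the curl record is an AF_INET socket. The arch check matters because syscall numbers differ between architectures, so records from aarch64 or 32-bit processes would need their own constants.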
What's Next
The mainline patch series is in stable backports across 5.4, 5.10, 5.15, 6.1, 6.6 and 6.12 LTS branches. Theori's full technical write-up at xint.io is the primary reference. CISA is expected to add CVE-2026-31431 to its Known Exploited Vulnerabilities catalog if in-the-wild exploitation surfaces — historically a 7-to-14-day window after disclosure of a universal LPE of this caliber.
Sources
- copy.fail — official disclosure landing page from Theori and Xint Code
- Xint — Copy Fail: 732 Bytes to Root on Every Major Linux Distribution — technical write-up
- Help Net Security — Nine-year-old Linux kernel flaw enables reliable local privilege escalation
- Wiz — Copy Fail: Universal Linux Local Privilege Escalation Vulnerability
- Sysdig — "Copy Fail" Linux kernel flaw lets local users gain root in seconds
- The Hacker News — New Linux "Copy Fail" Vulnerability Enables Root Access
- Tenable — Copy Fail (CVE-2026-31431) FAQ
- CERT-EU — High Vulnerability in the Linux Kernel ("Copy Fail")
- AlmaLinux — Copy Fail patch ready for testing