visionaries Network Team

30 April, 2026

Linux privilege escalation flaw CVE-2026-31431, named Copy Fail, allows local users to gain root access on Ubuntu, RHEL, Debian, and other systems

Cybersecurity researchers have revealed a dangerous new Linux privilege escalation flaw that could let unprivileged local users gain full root access on vulnerable systems. The high-severity issue, tracked as CVE-2026-31431, has been named “Copy Fail” by security firms Xint.io and Theori.

The flaw carries a CVSS score of 7.8 and affects the Linux kernel’s cryptographic subsystem, specifically the algif_aead module. According to researchers, the bug has existed since a source code change introduced in August 2017.

How the Copy Fail Exploit Works

Researchers said the Linux privilege escalation flaw enables a local user to write four controlled bytes into the page cache of any readable file. Attackers can then use that capability to modify sensitive binaries and gain root-level privileges.

A proof-of-concept exploit reportedly uses a compact 732-byte Python script that targets /usr/bin/su, a commonly used setuid binary. The exploit process includes:

  • Opening an AF_ALG socket
  • Binding it to a cryptographic function
  • Injecting shellcode into the cached copy of /usr/bin/su
  • Executing the modified binary as root

Because the page cache is shared across processes, researchers warned that the bug may also create cross-container security risks in virtualized or containerized environments.

Major Linux Distributions Affected

The vulnerability impacts many Linux systems released since 2017. Researchers said affected platforms include:

  • Amazon Linux
  • Red Hat Enterprise Linux (RHEL)
  • SUSE
  • Ubuntu
  • Debian

Several vendors have already issued advisories and security updates in response to the disclosure.

Why Security Experts Are Concerned

Security analysts say what makes this Linux privilege escalation flaw especially dangerous is its reliability. Unlike some kernel exploits, it does not depend on race conditions, memory leaks, or kernel offsets.

Bugcrowd researcher David Brumley compared Copy Fail to Dirty Pipe (CVE-2022-0847), another well-known Linux privilege escalation bug that allowed attackers to overwrite read-only files.

However, experts noted that Copy Fail may be more portable because the same exploit technique reportedly works across multiple Linux distributions without major modification.

Researchers Call It Portable and Stealthy

Xint.io described the vulnerability as rare because it combines four dangerous traits:

  • Portable across systems
  • Tiny exploit code
  • Stealthy execution
  • Cross-container impact

The company warned that even low-level user accounts could potentially gain full administrator access if systems remain unpatched.

What Linux Users Should Do Now

System administrators are strongly advised to apply vendor patches immediately and monitor systems for suspicious privilege escalation activity. Restricting local shell access and reviewing container isolation policies may also help reduce risk.
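
For the monitoring step, here is an added example (not from the researchers or the original article): since the exploit chain begins by opening an AF_ALG socket, socket(2) calls with that address family from non-root accounts are a useful triage signal. The sketch assumes auditd already records socket calls; the audit rule in the comment, its key name, and the sample log lines are constructed for illustration.

```python
import re

# Assumed audit rule feeding these records (key name is hypothetical):
#   -a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg
AF_ALG = 38  # address family number from <linux/socket.h>
# socket(2) syscall number per audit arch value: x86_64 and aarch64
SOCKET_NR = {"c000003e": 41, "c00000b7": 198}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def af_alg_socket_events(lines, ignore_uids=frozenset({0})):
    """Return socket(AF_ALG, ...) calls by non-ignored uids from raw audit lines."""
    hits = []
    for line in lines:
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if f.get("type") != "SYSCALL" or not f.get("syscall", "").isdigit():
            continue
        if SOCKET_NR.get(f.get("arch")) != int(f["syscall"]):
            continue  # some other syscall whose a0 happens to be 0x26
        try:
            family, uid = int(f["a0"], 16), int(f["uid"])  # a0 is logged in hex
        except (KeyError, ValueError):
            continue  # truncated or malformed record
        if family == AF_ALG and uid not in ignore_uids:
            hits.append({"uid": uid, "pid": f.get("pid", "?"),
                         "exe": f.get("exe", "?"),
                         "ok": f.get("success") == "yes"})
    return hits

# Constructed sample records, not taken from a real host.
SAMPLE = [
    'type=SYSCALL msg=audit(1777540000.101:501): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 pid=2299 uid=1001 comm="python3" exe="/usr/bin/python3.12" key="af_alg"',
    'type=SYSCALL msg=audit(1777540001.200:502): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=1 a2=6 pid=2300 uid=1001 comm="curl" exe="/usr/bin/curl" key=(null)',
    'type=SYSCALL msg=audit(1777540002.300:503): arch=c000003e syscall=41 success=yes exit=5 a0=26 a1=5 a2=0 pid=811 uid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="af_alg"',
    'type=SYSCALL msg=audit(1777540003.400:504): arch=c000003e syscall=3 success=yes exit=0 a0=26 a1=0 a2=0 pid=2301 uid=1002 comm="bash" exe="/usr/bin/bash" key=(null)',
    'type=SYSCALL msg=audit(1777540004.500:505): arch=c00000b7 syscall=198 success=no exit=-97 a0=26 a1=5 a2=0 pid=4410 uid=1003 comm="python3" exe="/usr/bin/python3.12" key="af_alg"',
]

if __name__ == "__main__":
    for hit in af_alg_socket_events(SAMPLE):
        print(hit)
```

AF_ALG has legitimate users, so treat hits as leads to review against the account and binary involved rather than as confirmation of exploitation.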

With Linux widely used in servers, cloud environments, and enterprise infrastructure, Copy Fail highlights how a small kernel logic error can create a major security threat.