New Delhi: A newly disclosed Linux kernel flaw called Copy Fail has put system admins on alert, and this one is not the usual “maybe panic later” bug. Tracked as CVE-2026-31431, the issue can let a normal local user gain root access on affected Linux systems shipped since 2017.
The bug was discovered by Theori researcher Taeyang Lee and later turned into a working exploit chain by the Xint Code Research Team using AI-assisted analysis. The scary bit is simple. The exploit is described as a 732-byte Python script using standard library modules, and researchers say it worked across tested distributions without race conditions, recompilation, or version tuning.
Time to talk about this one.
CopyFail (CVE-2026-31431) — a 732-byte Python script that roots every Linux distro shipped since 2017. 🧵 https://t.co/ZMO3GTGgcE
— Brian Pak (@brian_pak) April 29, 2026
What is Copy Fail?
Copy Fail is a local privilege escalation bug in the Linux kernel’s authencesn cryptographic template. In plain English, it abuses the way Linux handles certain crypto operations and file data sitting in memory.
According to the report, a normal local user can alter four chosen bytes in Linux's in-memory copy of any readable file, then abuse that change to get root access. This means the attacker does not need to change the real file on disk. They change only the cached copy in memory.
That is why this bug is nasty. File checks may still look clean. The disk copy may still match its expected hash. Yet the machine may still run the poisoned in-memory version.
Why this Linux bug needs immediate attention
Copy Fail affects the kernel’s page cache, which is basically Linux’s fast in-memory copy of files. The exploit can target trusted files such as /usr/bin/su, a setuid-root binary used on many systems. Once the cached version gets corrupted in the right way, running it can give the attacker root.
| Detail | What it means |
|---|---|
| CVE | CVE-2026-31431 |
| Nickname | Copy Fail |
| Bug type | Local privilege escalation |
| Reported | March 23, 2026 |
| Patched in mainline | April 1, 2026 |
| Public disclosure | April 29, 2026 |
| Main risk | Normal local user can gain root |
| Container risk | Possible Kubernetes container escape path |
The affected list in the draft includes Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL, SUSE, Debian, Arch, Fedora, Rocky, Alma, and other Linux distributions running kernels built between 2017 and the patch.
GrapheneOS is immune to the Copy Fail vulnerability due to the deep integration of SELinux in the Android Open Source Project (AOSP). AOSP only permits using specific types of sockets throughout the OS. It only permits the dumpstate process used to create bug report zips to…
— GrapheneOS (@GrapheneOS) April 30, 2026
Containers are not a safe hiding place
For cloud teams, this is where the coffee gets cold. The report says Copy Fail can act as a Kubernetes container escape primitive. Since the page cache is shared across the host, a compromised container may tamper with cached binaries used outside that container.
That makes this a bigger headache for shared servers, CI runners, build systems, Kubernetes nodes, and platforms that run user code. Think student labs, developer machines, internal build servers, and cloud sandboxes. Not every system is equally exposed, but multi-user Linux boxes need fast attention.