Security researchers have disclosed a high-severity vulnerability in the Linux kernel that lets an unprivileged local user gain root access. The flaw, tracked as CVE-2026-31431 and nicknamed ‘Copy Fail,’ carries a CVSS score of 7.8 (high). It was discovered by research teams from Xint.io and Theori.
Understanding the Copy Fail Vulnerability
At the core of ‘Copy Fail’ is a logic flaw in the Linux kernel’s cryptographic subsystem, specifically in the algif_aead module, which exposes AEAD ciphers to user space through AF_ALG sockets. The bug was introduced by a source code commit from August 2017. It lets an unprivileged local user write four attacker-controlled bytes into the page cache of any file that user can read, which is enough to reach root.
A working exploit fits in a 732-byte Python script. It modifies the kernel’s in-memory (page-cache) copy of a setuid binary rather than the file on disk, and yields root on nearly every Linux distribution released since 2017, including Amazon Linux, RHEL, SUSE and Ubuntu. The exploit chain has four steps: open an AF_ALG socket, build a shellcode payload, trigger the flawed write into the kernel’s cached copy of a setuid binary, and execute that binary so the payload runs as root.
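The first step of that chain is only possible if an unprivileged user can reach the algif_aead code path at all. The probe below, added here as an example and not code from the article or from the Xint.io/Theori exploit, binds an AF_ALG socket of type "aead" and reports what the kernel answers. It assumes a Linux host and a Python build with AF_ALG support; the outcome names and the function name are this example’s own. It performs nothing beyond an ordinary AF_ALG bind.

```python
"""Added example: does this host let an unprivileged user reach algif_aead?

Not the article's or the researchers' code. Linux-only. It creates an AF_ALG
socket and binds it to an AEAD transform, which is the normal kernel crypto
user-space API; no exploitation is attempted.
"""
import errno
import socket

# Outcome labels (names chosen for this example, not kernel terminology).
REACHABLE = "reachable"              # "aead" bound: algif_aead is loaded or was autoloaded
NO_MODULE = "module-not-available"   # kernel has no AF_ALG "aead" provider for that cipher
NO_AF_ALG = "af-alg-unsupported"     # AF_ALG sockets cannot be created at all
BLOCKED = "blocked"                  # a policy (seccomp, LSM, ...) refused socket() or bind()


def _errname(e):
    return "error:" + errno.errorcode.get(e.errno, str(e.errno))


def probe_algif(alg_type="aead", alg_name="gcm(aes)"):
    """Return one of the outcome strings above, or "error:<ERRNO_NAME>"."""
    af_alg = getattr(socket, "AF_ALG", None)
    if af_alg is None:
        return NO_AF_ALG  # Python built without AF_ALG (non-Linux)
    try:
        s = socket.socket(af_alg, socket.SOCK_SEQPACKET, 0)
    except OSError as e:
        if e.errno in (errno.EAFNOSUPPORT, errno.EPROTONOSUPPORT, errno.EINVAL):
            return NO_AF_ALG
        if e.errno in (errno.EPERM, errno.EACCES):
            return BLOCKED
        return _errname(e)
    try:
        # bind() selects the algorithm type; if algif_<type> is a module the
        # kernel tries to autoload it, then allocates the named transform.
        s.bind((alg_type, alg_name))
        return REACHABLE
    except OSError as e:
        if e.errno == errno.ENOENT:
            return NO_MODULE
        if e.errno in (errno.EPERM, errno.EACCES):
            return BLOCKED
        return _errname(e)
    finally:
        s.close()


if __name__ == "__main__":
    print("algif_aead via AF_ALG:", probe_algif())
```

Read the result carefully: "reachable" means only that the attack surface is exposed to this user, not that the kernel is unpatched, since fixed kernels still offer AF_ALG. If algif_aead is built as a module and has been prevented from loading, and the cipher is not otherwise registered, the probe reports "module-not-available"; on a kernel with the AEAD user-space API compiled in, that stopgap is not available and only the distribution’s kernel update closes the hole.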
Impact and Response from Linux Distributions
‘Copy Fail’ cannot be exploited remotely on its own, but any local user can use it to corrupt the page cache of a setuid binary and thereby obtain root. It also crosses container boundaries: the page cache is shared by every process on the host, so a process in one container can tamper with the cached copy of a file that other containers, or the host, read from the same underlying filesystem. Linux distributions have issued advisories for the flaw.
The bug resembles Dirty Pipe (CVE-2022-0847), which also let unprivileged users overwrite the page cache of files they could only read, but as Bugcrowd’s David Brumley notes, ‘Copy Fail’ lives in a different subsystem. An optimization added to algif_aead in 2017 allowed a page-cache page to be treated as writable, which is what the exploit relies on and why it works across Linux distributions.
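Both Dirty Pipe and, as described above, ‘Copy Fail’ alter the kernel’s cached copy of a file and leave the bytes on disk untouched. That gives a responder a cheap integrity check: read a setuid binary once normally (through the page cache) and once with O_DIRECT (bypassing it), and compare. The script below is an added example, not the article’s or the researchers’ code. It assumes a Linux host, a filesystem that honours O_DIRECT (tmpfs and some network or overlay setups refuse it, which the code reports rather than hides) and read permission on the binaries checked; all function names are this example’s own.

```python
"""Added example: compare a file's page-cache contents with its on-disk bytes.

Not from the article. Page-cache-only tampering leaves the disk copy intact, so
a mismatch between a normal read and an O_DIRECT read is a strong tamper signal.
"""
import errno
import mmap
import os
import stat
import tempfile

CHUNK = 1 << 20  # 1 MiB: a multiple of any block size O_DIRECT may require


def read_via_page_cache(path):
    with open(path, "rb") as f:
        return f.read()


def read_bypassing_page_cache(path):
    """Read with O_DIRECT. Returns None when the filesystem refuses O_DIRECT."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    except OSError as e:
        if e.errno == errno.EINVAL:
            return None
        raise
    buf = mmap.mmap(-1, CHUNK)  # anonymous mapping: page-aligned, as O_DIRECT demands
    parts = []
    try:
        while True:
            try:
                n = os.readv(fd, [buf])  # a short read at EOF is normal for O_DIRECT
            except OSError as e:
                if e.errno == errno.EINVAL:
                    return None  # open accepted O_DIRECT but reads do not
                raise
            if n == 0:
                break
            parts.append(buf[:n])
    finally:
        buf.close()
        os.close(fd)
    return b"".join(parts)


def diff_ranges(cached, on_disk):
    """Contiguous (offset, length) ranges where the two byte strings differ."""
    if cached == on_disk:
        return []
    ranges, start = [], None
    n = max(len(cached), len(on_disk))
    for i in range(n):
        same = i < len(cached) and i < len(on_disk) and cached[i] == on_disk[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, n - start))
    return ranges


def check_file(path):
    """[] if cache and disk agree, differing ranges otherwise, None if O_DIRECT is unsupported."""
    on_disk = read_bypassing_page_cache(path)
    if on_disk is None:
        return None
    return diff_ranges(read_via_page_cache(path), on_disk)


def find_setuid_binaries(dirs=("/usr/bin", "/usr/sbin", "/bin", "/sbin")):
    """Regular files carrying the setuid bit: the targets the article says an attacker picks."""
    found = set()
    for d in dirs:
        try:
            names = os.listdir(d)
        except OSError:
            continue
        for name in names:
            p = os.path.join(d, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(os.path.realpath(p))
    return sorted(found)


def self_check():
    """Run the comparison on a constructed temporary file: untampered, so [] or None."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"constructed sample bytes, not a real binary\n" * 200)
        os.close(fd)
        return check_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for p in find_setuid_binaries():
        r = check_file(p)
        status = "unsupported" if r is None else ("clean" if not r else "MISMATCH %r" % r)
        print(status, p)
```

A clean result is not proof of innocence: it says only that the cached pages, if any are resident, match the disk right now. The check is blind to modifications that reached the disk, and a page-cache-only change disappears once the pages are evicted, so run it while the suspect system is still up rather than after a reboot.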
Unique Threat Posed by Copy Fail
What makes ‘Copy Fail’ dangerous is that it can be triggered reliably: it needs no race condition and no kernel-specific offsets. It is also portable, small, stealthy and effective across container boundaries. According to Xint.io, these characteristics make it a rare and potent threat, capable of elevating any user account to full administrative access and bypassing sandboxing measures across all Linux versions.
This vulnerability underscores the ongoing need for vigilance in cybersecurity and the importance of promptly addressing security flaws to protect systems against potential exploits. Users and administrators are urged to follow the advisories issued by Linux distributions to mitigate the risks associated with ‘Copy Fail.’
