Security researchers have discovered a critical vulnerability in the Linux kernel that allows any unprivileged user to gain root access on virtually every major Linux distribution released since 2017. The flaw, tracked as CVE-2026-31431 and nicknamed Copy Fail, was publicly disclosed on April 29, 2026, with a working proof-of-concept exploit already in circulation.
The vulnerability stems from a logic error in the Linux kernel's cryptographic subsystem, specifically within the algif_aead module. The flaw was inadvertently introduced in 2017 through a source code commit that added support for in-place operations in AEAD encryption. What makes Copy Fail exceptionally dangerous is its simplicity and universality: a mere 732-byte Python script can reliably trigger the exploit across distributions including Ubuntu, Amazon Linux, RHEL, and SUSE without requiring version-specific modifications or timing-sensitive race conditions.
An unprivileged local user can exploit the vulnerability by using standard system calls to write four controlled bytes into the page cache of any readable file on the system. Researchers at Xint.io and Theori demonstrated that by targeting /usr/bin/su—a setuid-root binary present on virtually all major distributions—an attacker can inject malicious code and obtain root privileges within seconds. The exploit works reliably because it operates as a straight-line logic flaw with no probabilistic elements, meaning the same script functions identically across different Linux distributions without requiring kernel offsets or version checks.
The vulnerability carries a CVSS severity score of 7.8 (High) and presents particular risks in modern computing environments. While the flaw cannot be exploited directly from the internet, it poses significant threats in containerized deployments, CI/CD pipelines, and shared servers where untrusted code execution is expected. The exploit can bypass sandboxing, enable container escape, and facilitate cross-tenant attacks in multi-tenant environments by leveraging the fact that the page cache is shared across containers.
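For administrators who want to check whether a setuid binary's cached pages still match what is on disk, the following POSIX shell script is an added example written for this article, not code from the researchers or the kernel project. It assumes GNU coreutils (dd with iflag=direct, sha256sum) and a filesystem that honours O_DIRECT; a "mismatch" result means the page cache is serving bytes that differ from the on-disk file, which is the footprint of the page-cache write described above.

```shell
#!/bin/sh
# Added defender's check for page-cache tampering of readable files such as /usr/bin/su.
# Assumptions (not from the article): GNU dd supports iflag=direct, sha256sum is present,
# and the filesystem supports O_DIRECT (ext4/xfs do; tmpfs and some overlay setups do not,
# which is reported as "unsupported" rather than treated as a finding).

cached_sha256() {
    # Normal read: served from the page cache when the file is cached.
    sha256sum "$1" | cut -d' ' -f1
}

ondisk_sha256() {
    # Direct I/O read: bypasses the page cache and returns the bytes on disk.
    dd if="$1" iflag=direct bs=4096 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Prints one of: match | mismatch | unsupported | missing  (exit 0 | 1 | 2 | 3)
check_page_cache() {
    f="$1"
    [ -r "$f" ] || { echo missing; return 3; }
    # Probe O_DIRECT first so an unsupported filesystem is not mistaken for a mismatch.
    if ! dd if="$f" iflag=direct bs=4096 of=/dev/null 2>/dev/null; then
        echo unsupported; return 2
    fi
    c=$(cached_sha256 "$f")
    d=$(ondisk_sha256 "$f")
    if [ "$c" = "$d" ]; then echo match; return 0; fi
    echo mismatch; return 1
}

# Walk every setuid-root binary in the usual locations and report its status.
# Note: a reboot drops the page cache, so a clean result after reboot does not show
# whether the kernel is patched; it only shows nothing is poisoned right now.
scan_setuid() {
    find /usr/bin /usr/sbin /bin /sbin -xdev -perm -4000 -type f 2>/dev/null |
    while read -r f; do
        printf '%s %s\n' "$(check_page_cache "$f")" "$f"
    done
}
```

Run `check_page_cache /usr/bin/su` for the single binary the researchers targeted, or `scan_setuid` for all setuid binaries; a mismatch on a file nobody is legitimately writing to warrants a forensic look and a reboot after patching.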
The Linux kernel security team received private notification of the vulnerability on March 23, 2026, and released a fix upstream on April 1. The CVE was officially assigned on April 22, followed by public disclosure and exploit code release on April 29. Despite patches being available, millions of systems remain vulnerable as administrators have not yet updated their kernels. The widespread exposure stems from the vulnerability's presence in every major distribution shipped over the past nine years, leaving both outdated server configurations and modern systems at risk until they are patched and rebooted.