Linux ‘Copy Fail’ Vulnerability Enables Root Access on Major Distributions

Cybersecurity researchers have disclosed details of a Linux local privilege escalation (LPE) flaw that could allow an unprivileged local user to gain root.
The high-severity vulnerability is tracked as CVE-2026-31431 (CVSS score: 7.8) and has been codenamed Copy Fail by Xint.io and Theori.
“An unprivileged local user can write four controlled bytes to the page cache of any readable file on a Linux system, and use that to gain root,” the vulnerability research team at Xint.io and Theori said.
At its core, the vulnerability stems from a conceptual flaw in the cryptographic subsystem of the Linux kernel, specifically within the algif_aead module. The issue was introduced in a source code commit made in August 2017.
Successful exploitation of the flaw would allow a simple 732-byte Python script to edit a setuid binary and obtain root on all Linux distributions shipped since 2017, including Amazon Linux, RHEL, SUSE, and Ubuntu. The Python exploit involves four steps –
- Open an AF_ALG socket and bind it to authencesn(hmac(sha256),cbc(aes))
- Build the shellcode payload
- Trigger a write operation on the kernel page cache of “/usr/bin/su”
- Call execve("/usr/bin/su") to load the injected shellcode and run it as root.
Although the vulnerability is not remotely exploitable in isolation, a local unprivileged user can gain root by corrupting the page cache of a setuid binary. The same primitive also has a cross-container effect, as the page cache is shared across processes on the system.
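The four steps above leave a recognizable syscall trail. The following Python is an added detection example, not code from the article or from Xint.io and Theori: it scans auditd SYSCALL records for a non-root process that opens an AF_ALG socket and then calls splice() and execve(). It assumes x86_64 syscall numbers and that auditd is already logging those three syscalls; the log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumptions: x86_64 syscall numbers; auditd prints a0..a3 in hex without
# a 0x prefix, so the AF_ALG family (38 decimal) shows up as a0=26.
SYS_SOCKET, SYS_SPLICE, SYS_EXECVE = 41, 275, 59
AF_ALG = 0x26
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Turn one auditd record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def find_suspects(lines):
    """Return {pid: [stages]} for non-root processes that created an AF_ALG
    socket, recording any splice() and execve() that followed in that pid."""
    stages = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec.get("type") != "SYSCALL" or rec.get("uid") == "0":
            continue  # not a syscall record, or the caller is already root
        pid, nr = rec["pid"], int(rec["syscall"])
        if nr == SYS_SOCKET and int(rec["a0"], 16) == AF_ALG:
            stages[pid].append("af_alg_socket")
        elif pid in stages and nr == SYS_SPLICE:
            stages[pid].append("splice")
        elif pid in stages and nr == SYS_EXECVE:
            stages[pid].append("execve:" + rec.get("exe", "?"))
    return dict(stages)

# Constructed sample records (abbreviated field set, not from a real host).
SAMPLE = [
    'type=SYSCALL msg=audit(1700000000.101:41): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=4242 uid=1000 euid=1000 comm="python3" exe="/usr/bin/python3"',
    'type=SYSCALL msg=audit(1700000000.105:42): arch=c000003e syscall=275 success=yes exit=4 a0=5 a1=0 a2=4 a3=0 pid=4242 uid=1000 euid=1000 comm="python3" exe="/usr/bin/python3"',
    'type=SYSCALL msg=audit(1700000000.110:43): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd1000 a1=0 a2=0 a3=0 pid=4242 uid=1000 euid=0 comm="su" exe="/usr/bin/su"',
    'type=SYSCALL msg=audit(1700000001.200:44): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 a3=0 pid=5000 uid=1000 euid=1000 comm="curl" exe="/usr/bin/curl"',
    'type=SYSCALL msg=audit(1700000002.300:45): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=77 uid=0 euid=0 comm="daemon" exe="/usr/sbin/daemon"',
]

if __name__ == "__main__":
    print(find_suspects(SAMPLE))
```

A hit on "af_alg_socket" alone is only a lead, since legitimate software also uses AF_ALG; the full socket, splice, execve chain in one unprivileged pid is the stronger signal.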

In response to the disclosure, Linux distributions have issued their own advisories.
Copy Fail echoes Dirty Pipe (CVE-2022-0847), another Linux kernel LPE vulnerability that could allow unprivileged users to write data into the page cache of read-only files and end up overwriting sensitive files on the system to execute code.
“Copy Fail is the same primitive class, in a different subsystem,” said David Brumley of Bugcrowd. “A 2017 in-place optimization in algif_aead allows the page cache page to end up in the writable kernel scatterlist via the AEAD function sent via the AF_ALG socket. A malicious process may call splice() on that socket and populate a small, written target in its file that does not cache the page.”
What makes the vulnerability dangerous is that it can be triggered reliably and does not require winning a race condition or knowing kernel offsets. Moreover, the same exploit works across all distributions.
“This vulnerability is unique because it has four things that are almost invisible together: it’s portable, it’s small, it’s stealthy, and it contains a container,” a Xint.io spokesperson told Hacker News in a statement. “It allows any user account, no matter how low-level, to extend their privilege to full administrator access. It also allows them to bypass sandboxing and work across all Linux versions and distributions.”



