Dangerous new Linux flaw Copy Fail puts servers and personal devices at risk

A newly disclosed Linux vulnerability is setting off alarm bells across the cybersecurity industry, after researchers released proof-of-concept exploit code capable of giving attackers root access on a wide range of Linux systems.

The flaw, known as Copy Fail and tracked as CVE-2026-31431, is a high-severity local privilege escalation vulnerability in the Linux kernel. It affects the kernel’s userspace crypto interface, specifically the algif_aead module, and has been assigned a CVSS score of 7.8.

The vulnerability was publicly disclosed on April 29, 2026 by researchers at Theori’s Xint Code team, who said the flaw allows an unprivileged local user to gain root access using a small Python exploit. The researchers described the issue as a logic bug in the Linux kernel’s authencesn cryptographic template, allowing a controlled write into the page cache of a readable file on the system.

While local privilege escalation vulnerabilities do not usually give attackers initial access to a system, they can dramatically increase the damage once an attacker is already inside. A compromised web application, vulnerable plugin, stolen user account, container escape scenario or malicious CI/CD workflow can become far more serious if the attacker can elevate from a low-privilege user to root.

That is why Copy Fail has generated such concern. Security researchers say the exploit is unusually reliable because it is based on a logic flaw rather than a race condition or memory corruption bug. Bugcrowd said the public exploit works across major distributions without the typical need for kernel offsets, timing windows or distribution-specific adjustments.

Sysdig described the issue as affecting the Linux kernel’s algif_aead userspace crypto interface and said researchers demonstrated that an unprivileged local user could corrupt the page cache backing setuid binaries and gain root access within seconds.

The vulnerability is believed to affect many Linux systems released since 2017, when the relevant kernel behaviour was introduced. CERT-EU said the flaw originates from an in-place optimisation introduced in 2017, which allows page-cache pages to be placed into a writable destination scatterlist.

The scale of exposure is significant because Linux underpins a vast amount of modern computing infrastructure. It runs cloud servers, data centre workloads, enterprise systems, developer environments, containers, embedded devices and many personal machines. In shared environments, the risk can be particularly severe because multiple users, tenants or workloads may rely on the same underlying kernel.

Security commentary around Copy Fail has highlighted risks to Kubernetes nodes, shared hosting environments, CI/CD jobs, Windows Subsystem for Linux instances and containerised AI agents with shell access. In those contexts, “local” access can cover far more than a person sitting at a keyboard. It can include any workload, container or account that can execute code on a shared host.

The concern is not simply that Copy Fail exists. It is that working exploit code was released publicly while some distributions were still in the process of delivering patches. Tenable noted that a public proof of concept was available and that patched kernel versions were available, although not all major distributions had shipped updates at the time of reporting.

Ubuntu has confirmed that the vulnerability affects all Ubuntu releases before Resolute 26.04 and said fixes are available. Canonical described Copy Fail as a local privilege escalation vulnerability affecting a kernel module that provides hardware-accelerated cryptographic functions.

AlmaLinux said every supported AlmaLinux release was affected and published patches after the Xint Code disclosure. The project described Copy Fail as a flaw in the kernel’s crypto subsystem, involving authencesn, AF_ALG and splice().

CloudLinux also issued update guidance, warning that any unprivileged local user could gain root via the publicly discussed exploit and stating that kernels since 2017 were affected.

Some distributions, including Arch Linux, Red Hat Fedora and Amazon Linux, were reported to have released fixes soon after disclosure, while other vendors published mitigation guidance. Users and administrators have been urged to check directly with their Linux distribution or vendor for the latest kernel update status.

The disclosure has also drawn attention because of how the flaw was found. Theori said it discovered Copy Fail using its AI-powered Xint Code security tool, which was directed to examine the Linux crypto subsystem and returned relevant findings after about an hour of scan time.

That detail is likely to intensify debate about the role of artificial intelligence in vulnerability discovery. AI-assisted code analysis may help defenders find dangerous flaws faster, but it also raises concern that attackers could use similar tools to identify and exploit weaknesses before organisations have time to respond.

Copy Fail arrives amid broader anxiety about AI-enabled hacking, with governments and security researchers increasingly warning that advanced models may compress the timeline between vulnerability disclosure and exploitation. The practical effect is that patch windows are shrinking. A vulnerability that once took days or weeks to weaponise may now become dangerous much faster.

For defenders, the immediate priority is clear. Linux users, administrators and organisations should review vendor advisories, identify exposed systems, apply updated kernels as soon as possible, and reboot affected machines where required for fixes to take effect. In higher-risk environments, administrators should also review container boundaries, shared hosting models, CI/CD pipelines and systems where untrusted code may run.
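The "identify exposed systems, apply updated kernels, reboot" steps can be turned into a small per-host triage check. The script below is an added example and is not code from the article or from Theori; it assumes a stock Linux layout (`/proc/modules` for loaded modules, `/boot/vmlinuz-*` for installed kernels) and a constructed `/proc/modules` sample. It reports whether the kernel modules named in the Copy Fail advisories are loaded and whether a newer installed kernel is still waiting for a reboot; it does not test for the flaw itself.

```python
import platform
import re
from pathlib import Path

# Constructed sample in /proc/modules format (not captured from a real host).
SAMPLE_PROC_MODULES = """\
algif_aead 16384 0 - Live 0xffffffffc0a5e000
af_alg 32768 1 algif_aead, Live 0xffffffffc0a4f000
authencesn 16384 0 - Live 0xffffffffc0a3c000
xfs 2097152 2 - Live 0xffffffffc0100000
"""

# Module names mentioned in the advisories: the AF_ALG socket family, the
# AEAD userspace interface and the authencesn template.
ADVISORY_MODULES = ("af_alg", "algif_aead", "authencesn")

def loaded_modules(proc_modules_text):
    """Return the set of module names from text in /proc/modules format."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}

def crypto_iface_loaded(proc_modules_text, names=ADVISORY_MODULES):
    """Sorted list of the advisory-named modules that are currently loaded.
    Caveat: AF_ALG autoloads algif_* handlers on demand when a userspace
    program binds a socket of that type, so an unloaded module is not evidence
    that the interface is unreachable; only a patched kernel removes the exposure."""
    present = loaded_modules(proc_modules_text)
    return sorted(n for n in names if n in present)

def version_key(release):
    """Numeric sort key for a kernel release string such as '6.8.0-48-generic'."""
    return tuple(int(x) for x in re.findall(r"\d+", release))

def reboot_pending(running, installed):
    """True when a newer kernel than the running one is installed but not yet booted."""
    newest = max(installed, key=version_key)
    return version_key(newest) > version_key(running)

if __name__ == "__main__":
    running = platform.release()
    # Installed kernels are assumed to live at /boot/vmlinuz-<release>.
    installed = [p.name.removeprefix("vmlinuz-") for p in Path("/boot").glob("vmlinuz-*")]
    try:
        modules_text = Path("/proc/modules").read_text()
    except OSError:
        modules_text = SAMPLE_PROC_MODULES  # fall back to the constructed sample
    print("running kernel:", running)
    print("advisory modules loaded:", crypto_iface_loaded(modules_text) or "none")
    print("reboot pending:", reboot_pending(running, installed or [running]))
```

Compare the running kernel against your distribution's advisory rather than against this script: the script only tells you whether the host has booted the newest kernel it has installed.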

The vulnerability also reinforces a broader lesson about layered defence. A local privilege escalation flaw becomes far more damaging when combined with another weakness, such as a vulnerable web application, leaked credentials, poor segmentation or excessive permissions. Preventing initial access still matters, but so does limiting what an attacker can do after they get in.

For businesses, Copy Fail is another reminder that cybersecurity is not just about reacting to the latest headline vulnerability. It depends on asset visibility, patch management, staff awareness, secure development practices and a clear response plan. Organisations that do not know which systems they run, which kernels are installed, or who is responsible for patching them are already behind.

For individual users, the advice is simpler but still important. Keep your system updated, apply security patches promptly, avoid running untrusted code, and pay attention to vendor security notices. Linux is widely respected for its stability and flexibility, but no operating system is immune to serious flaws.

The most concerning thing about Copy Fail is not only that it can turn limited access into root access. It is that modern infrastructure gives attackers so many possible ways to obtain that first limited foothold. Once they are there, a flaw like this can change the outcome in seconds.

As cyber threats become faster, more automated and increasingly assisted by advanced tools, defensive knowledge is no longer optional. Understanding how vulnerabilities work, why patching matters, and how attackers chain weaknesses together can help individuals and organisations make better decisions before a crisis arrives.

Knowledge is power. Strengthen your cybersecurity defences and build practical digital safety skills with The Hack Academy’s online courses.
