A high‑severity Linux local privilege escalation flaw, tracked as CVE‑2026‑31431 and codenamed Copy Fail by Xint[.]io and Theori, could let an unprivileged local user gain root by writing four controlled bytes into the page cache of a readable file. According to Xint[.]io and Theori, the issue stems from a logic flaw in the kernel’s cryptographic subsystem, specifically the algif_aead module, introduced in a source code commit in August 2017.
Exploitation could be achieved with a short Python script of about 732 bytes to edit a setuid binary such as /usr/bin/su, enabling root access on essentially all distributions since 2017, including Amazon Linux, RHEL, SUSE and Ubuntu. The vulnerability is not remotely exploitable in isolation, but the same primitive has cross‑container impacts as the page cache is shared across processes. In response, Linux distributions have issued advisories for Amazon Linux, Debian, Red Hat Enterprise Linux, SUSE and Ubuntu.
Copy Fail is related to, but distinct from, past kernel LPEs such as Dirty Pipe (CVE‑2022‑0847), with researchers emphasising its portable, tiny, stealthy, cross‑container characteristics.