COPY Fail, a Linux kernel flaw tracked as CVE-2026-31431, is described as a logic bug that lets any local unprivileged user write four controlled bytes into the page cache of a readable file, enabling escalation to root on major distributions. According to Xint Code, the vulnerability has a CVSS score of 7.8 and combines AF_ALG and splice() to modify the in‑memory page cache without changing disk files, making detection difficult.
A 732‑byte script can modify a setuid binary in memory, and then trigger the kernel to execute root‑level code via /usr/bin/su, with tests showing successful compromise on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16 across kernel versions 6.12 to 6.18. The bug is able to cross container boundaries due to the shared page cache and is portable across major distros and architectures, enabling both local privilege escalation and Kubernetes container escapes.
The researchers published a PoC to help defenders verify systems and validate vendor patches, emphasising that any kernel built between 2017 and the patch is in scope.