A high-severity logic bug in the Linux kernel allows unprivileged attackers to write code to other files’ memory and obtain a root shell, according to Theori. Tracked as CVE-2026-31431 (CVSS 7.8) and dubbed Copy Fail, the issue is believed to affect all Linux distributions since 2017. It impacts the kernel’s authencesn AEAD template used by IPsec for ESN support, with the vulnerability arising from how page cache pages are placed in a writable scatterlist and how scratch space is used.
When performing byte rearrangement, a call writes four bytes of code past the AEAD tag into the cached copy of another file. Theori notes that successful exploitation requires only local code execution privileges and can be achieved with a simple 732-byte Python script on essentially any Linux distribution shipped since 2017.
Organizations are advised to update to a fixed version promptly, as the bug enables in-memory changes without modifying the on-disk file, posing a risk for multi-tenant environments and shared-kernel containers. 30 April 2026.