arstechnica.com 4/30/2026, 8:57:23 PM · via preferred

CopyFail Exploit Goes Public, Puts Linux Systems at Root Risk

CyberSIXT Evidence Panel
Source: marked as original reporting
CISA KEV: Not in KEV
Patch: Patch Status Unknown

Publicly released exploit code for CopyFail, a local privilege escalation tracked as CVE-2026-31431, has left defenders scrambling, as it threatens to give attackers root access on virtually all Linux releases. Researchers from Theori released the exploit on Wednesday evening, five weeks after privately disclosing the issue to the Linux kernel security team. Patches exist for several kernel versions but were not widely deployed at the time.

The flaw stems from a straight-line logic issue in the kernel’s crypto API, enabling unprivileged users to elevate to administrator with a single piece of exploit code that works across vulnerable distributions without modification. The threat can impact multi-tenant servers, containers based on Kubernetes, and CI/CD pipelines, potentially allowing attackers to pivot to other systems.

Distributions known to have patched include Arch Linux and Red Hat Fedora, with mitigation guidance available from SUSE, Red Hat, and Ubuntu. Theori said it developed an exploit that can break out of Kubernetes containers. According to Ars Technica, the severity is high enough to warrant immediate investigation by Linux users.


Article by CyberSIXT
