A newly disclosed security vulnerability called “Copy Fail” leaves nearly every Linux distribution released since 2017 exposed to privilege escalation attacks, allowing any user to grant themselves administrator access. The flaw was publicly disclosed as CVE-2026-31431 in May 2026 by Theori, the security firm that uncovered it.
The exploit works via a Python script that functions across all affected Linux distributions with, according to Theori, “no per-distro offsets, no version checks, no recompilation” required. That broad compatibility makes the vulnerability particularly difficult to contain.
What compounds the risk is how effectively the exploit evades detection. DevOps engineer Jorijn Schrijvershof explained in a blog post that Copy Fail is “unusually nasty” because page-cache corruption never marks the affected page as dirty, meaning the kernel’s writeback process never flushes the altered data to disk. The practical result: “AIDE, Tripwire, OSSEC and any monitoring tool that compares on-disk checksums see nothing.”
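One defender-side check that follows from the mechanism just described, added here and not taken from the article, Theori, or Schrijvershof's post: hash a file through the normal read path and again with O_DIRECT (assumed here to bypass the page cache), and flag any file where the two digests disagree, since that is exactly the divergence that on-disk checksum tools cannot see.

```python
# Added example, not from the article or Theori. Assumption: an O_DIRECT read
# bypasses the page cache, so it shows the bytes that disk-checksum tools see.
import hashlib
import mmap
import os

CHUNK = 1 << 20  # 1 MiB, a multiple of the 4 KiB alignment O_DIRECT requires

def sha256_via_page_cache(path):
    """Digest the file through the normal read path (served from page cache)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def sha256_direct_from_disk(path):
    """Digest the file with O_DIRECT; None if O_DIRECT is unavailable here."""
    flag = getattr(os, "O_DIRECT", None)  # Linux only
    if flag is None:
        return None
    try:
        fd = os.open(path, os.O_RDONLY | flag)
    except OSError:  # e.g. EINVAL on a filesystem that rejects O_DIRECT
        return None
    buf = mmap.mmap(-1, CHUNK)  # anonymous mapping: page-aligned buffer
    h = hashlib.sha256()
    try:
        size, offset = os.fstat(fd).st_size, 0
        while offset < size:
            n = os.preadv(fd, [buf], offset)  # aligned offset; short read at EOF
            if n <= 0:
                break
            h.update(buf[:n])
            offset += n
    except OSError:
        return None
    finally:
        buf.close()
        os.close(fd)
    return h.hexdigest()

def page_cache_diverges(path):
    """True if cache and disk disagree, False if they agree, None if unchecked."""
    direct = sha256_direct_from_disk(path)
    if direct is None:
        return None
    return direct != sha256_via_page_cache(path)
```

Run `page_cache_diverges()` over the binaries and libraries you care about from a scheduled job; a `True` result is worth investigating even when AIDE or Tripwire report a clean state.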
Copy Fail was identified with assistance from Theori’s Xint Code AI tool. Researcher Taeyang Lee targeted the Linux crypto subsystem and crafted a prompt to run an automated scan, which surfaced several vulnerabilities in roughly an hour.
A patch was added to the mainline Linux kernel on April 1, 2026. However, Theori published the exploit’s details publicly before all affected distributions had released their own patches. As of disclosure, Arch Linux, Red Hat Fedora, and Amazon Linux had issued fixes, while many other distributions had not.
For Linux users and administrators, the vulnerability may warrant checking whether their distribution has released a patch, as unpatched systems remain exposed to a working, publicly available exploit script.
Source: The Verge