A newly released exploit for a critical Linux kernel vulnerability is raising urgent alarms among security defenders, as the flaw allows unprivileged attackers to gain full root access across virtually all Linux distributions — including systems powering data centers and personal computers.
The vulnerability, tracked as CVE-2026-31431 and dubbed CopyFail, was publicly disclosed in May 2026 by researchers at security firm Theori, five weeks after it was privately reported to the Linux kernel security team. Patches have been issued for several kernel versions — including 7.0, 6.19.12, 6.12.85, and 5.10.254, among others — but few Linux distributions had incorporated those fixes at the time the exploit code was released.
CopyFail is a local privilege escalation vulnerability, meaning an attacker who already has limited access to a machine can use it to elevate their privileges to root, the system administrator account. What makes it especially dangerous is that a single Python script released alongside the disclosure works reliably across Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6, and Debian 12 without modification. Unlike exploits that rely on race conditions or memory corruption — which can be inconsistent — CopyFail targets a logic flaw in the kernel’s crypto API, making it deterministic. “No race window, no kernel offset,” researchers from Bugcrowd noted.
The flaw originates in the kernel’s AEAD template process, used for IPsec extended sequence numbers. According to Theori, the code fails to properly copy data and instead writes four bytes beyond the legitimate output buffer without restoring them.
The practical implications are broad. Researcher Jorijn Schrijvershof outlined a realistic attack chain: an attacker exploits a WordPress plugin vulnerability to gain shell access, then runs the CopyFail proof-of-concept to become root — making every other tenant on a shared system reachable. The exploit could also be used to break out of Kubernetes containers or inject malicious code through CI/CD pipelines.
Security experts have called CopyFail the worst privilege escalation vulnerability in the Linux kernel in recent years, drawing comparisons to Dirty Pipe (2022) and Dirty Cow (2016), both of which were actively exploited in the wild. System administrators are urged to apply available kernel patches immediately.
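As an added example (not code from the article or from the researchers it cites), the following triage check compares `uname -r` style strings against the fixed upstream releases listed above. It assumes a distro kernel string begins with its upstream version number; distributions often backport fixes without changing that number, so a "below-listed-fix" result means the vendor advisory must be consulted, and branches the article does not list are reported as unknown.

```python
import platform
import re

# Fixed upstream releases named in the article, keyed by (major, minor) branch.
# The article says "among others", so branches missing here are NOT assumed safe
# or vulnerable; they are reported as unknown.
FIXED_BY_BRANCH = {(7, 0): 0, (6, 19): 12, (6, 12): 85, (5, 10): 254}
NEWEST_LISTED = max(FIXED_BY_BRANCH)

def parse_release(release):
    """Return (major, minor, patch) from a `uname -r` style string, or None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def classify(release):
    """Classify one kernel release against the article's list of fixed versions."""
    parsed = parse_release(release)
    if parsed is None:
        return "unparseable"
    major, minor, patch = parsed
    branch = (major, minor)
    if branch > NEWEST_LISTED:
        # Assumption: branches newer than the newest listed one inherit the fix.
        return "at-or-above-listed-fix"
    if branch not in FIXED_BY_BRANCH:
        return "unknown-branch"
    if patch >= FIXED_BY_BRANCH[branch]:
        return "at-or-above-listed-fix"
    return "below-listed-fix"

def report(releases):
    """Map each release string to its classification."""
    return {rel: classify(rel) for rel in releases}

if __name__ == "__main__":
    # Constructed sample strings in the style of common distro kernels.
    samples = ["6.12.40-63.114.amzn2023.x86_64", "5.15.0-101-generic",
               "6.1.0-18-amd64", "6.19.12-arch1-1", "5.10.253"]
    if platform.system() == "Linux":
        samples.append(platform.release())  # the kernel this host is running
    for rel, verdict in report(samples).items():
        print(f"{rel:36} {verdict}")
```
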
Source: WIRED