'Copy Fail' Linux Privesc Bug Lay Dormant in Kernel Since 2017


iTnews (Australia) – Government, Apr 30, 2026


Why It Matters

Copy Fail gives attackers a simple, reliable route to root on virtually all Linux servers, threatening enterprise workloads and containerized environments. Prompt remediation is critical to prevent cross‑tenant escapes in Kubernetes clusters and widespread privilege‑escalation attacks.

Key Takeaways

  • Copy Fail (CVE‑2026‑31431) grants root via 4‑byte write
  • Bug affects Ubuntu, Amazon Linux, RHEL, SUSE since 2017
  • Exploited by a 732‑byte Python script; no race condition needed
  • Patch reverted 2017 in‑place optimization; commit landed April 1
  • Unpatched systems can blacklist algif_aead module without performance loss

Pulse Analysis

The newly disclosed Linux privilege‑escalation flaw, catalogued as CVE‑2026‑31431 and dubbed “Copy Fail,” has been lurking in the kernel since a 2017 performance tweak. By combining an in‑place AEAD operation with an out‑of‑bounds write in the IPsec auth template, the bug enables a controlled four‑byte overwrite of any setuid binary. A 732‑byte Python script that uses only the standard library can trigger the exploit on virtually every mainstream distribution—Ubuntu, Amazon Linux, RHEL, SUSE and others—without needing a race condition or custom payload.

The discovery revives concerns reminiscent of the 2016 Dirty Cow vulnerability, but Copy Fail is arguably more straightforward to weaponize. Its reliance on shared page‑cache memory means a compromised container can corrupt host binaries, opening a path to cross‑tenant escapes in Kubernetes environments. Theori’s Xint Code AI scanner identified the issue, and the fix was merged into the mainline kernel on April 1, reverting the problematic in‑place optimization. Vendors have begun rolling patches, but the window of exposure spans nearly a decade of unpatched kernels.

Enterprises that cannot apply the upstream patch immediately can mitigate risk by blacklisting the algif_aead kernel module, a step that research shows has negligible performance impact for most workloads. The episode underscores the need for continuous code‑review automation and deeper scrutiny of performance‑driven changes that touch memory handling. Organizations should prioritize rapid kernel updates and monitor distribution security advisories, especially for workloads that run privileged containers. The use of AI‑driven scanning tools, as demonstrated by Theori, may become essential in uncovering such dormant vulnerabilities before they are weaponized.
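The interim mitigation the article describes (blocking the algif_aead module on hosts that cannot take the kernel update yet) is short enough to script. The following is an added example written for this page, not code from iTnews or Theori. It assumes a distribution that loads algif_aead as a loadable module through modprobe, root privileges for the apply path, and a config file name (disable-algif-aead.conf) chosen here for illustration. The config directory is a function parameter so the file-writing step can be checked without root.

```shell
#!/bin/sh
# Added example (not from the iTnews article or the Theori research):
# block the algif_aead kernel module as an interim mitigation for
# CVE-2026-31431 on a host that cannot be patched immediately.

# Write the modprobe configuration. The "install ... /bin/false" line is the
# one that actually blocks the module: it makes every modprobe request for
# algif_aead fail, including the kernel's own autoload request when a process
# binds an AF_ALG "aead" socket. "blacklist" alone only stops alias-based
# autoloading and would still allow loading by module name.
# $1 is the modprobe.d directory (/etc/modprobe.d on a real system).
write_algif_aead_blocklist() {
    confdir="$1"
    mkdir -p "$confdir"
    printf '%s\n' \
        '# Mitigation for CVE-2026-31431 (Copy Fail): block AF_ALG AEAD interface' \
        'install algif_aead /bin/false' \
        'blacklist algif_aead' \
        > "$confdir/disable-algif-aead.conf"
}

# Returns 0 if the AEAD userspace API is compiled into the running kernel.
# In that case no modprobe configuration can disable it; only the kernel
# update removes the exposure. Assumes the usual modules.builtin location.
algif_aead_is_builtin() {
    builtin_list="/lib/modules/$(uname -r)/modules.builtin"
    [ -r "$builtin_list" ] && grep -q 'algif_aead' "$builtin_list"
}

# Returns 0 if the module is loaded right now.
algif_aead_is_loaded() {
    grep -q '^algif_aead ' /proc/modules 2>/dev/null
}

# Apply the mitigation on the running system (requires root): write the
# config, unload the module if present, then verify that loading now fails.
apply_mitigation() {
    if algif_aead_is_builtin; then
        echo "algif_aead is built into this kernel; apply the kernel update instead" >&2
        return 2
    fi
    write_algif_aead_blocklist /etc/modprobe.d
    if algif_aead_is_loaded; then
        # If something still holds a reference, the unload fails and the
        # config only takes effect after a reboot.
        rmmod algif_aead || { echo "module in use; reboot to apply" >&2; return 1; }
    fi
    # Verification: modprobe must fail and the module must stay absent.
    if modprobe algif_aead 2>/dev/null; then
        echo "modprobe still succeeds; check for a conflicting modprobe.d entry" >&2
        return 1
    fi
    if algif_aead_is_loaded; then
        return 1
    fi
    echo "algif_aead blocked"
}

# Only touch the live system when invoked explicitly: sh mitigate.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_mitigation
fi
```

The built-in check matters because a modprobe rule is silently ineffective when the AEAD user API was compiled into the kernel rather than as a module; the script reports that case instead of claiming success. Keep the config in place after patching only if the workload genuinely does not use the AF_ALG AEAD interface, which the article notes is the common case.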

