The Fatal 4-Byte Error That Just Broke Linux | Threat Wire
Why It Matters
Because the bug can turn any unprivileged user into root across millions of Linux servers, it forces immediate patching of production and cloud infrastructure to avoid massive privilege‑escalation attacks.
Key Takeaways
- Copy‑fail (CVE‑2026‑31431) allows unprivileged local root escalation on Linux systems
- Bug stems from kernel crypto API’s scatter‑gather handling flaw
- Four‑byte page‑cache overwrite can corrupt set‑uid binaries, escape containers
- All kernels built 2017‑2026 vulnerable; patches released April 1, 2026
- Multi‑tenant Linux hosts prioritized for remediation; laptops lower priority
Summary
The episode spotlights a critical Linux kernel flaw dubbed “copy‑fail” (CVE‑2026‑31431). Discovered by Xent code’s research team and initially reported by Tayyang Lee in March 2026, the vulnerability earned a CVSS 7.8 rating and affects every kernel compiled between 2017 and early 2026.
Copy‑fail exploits a logic error in the kernel’s AEAD crypto implementation. By chaining malformed scatter‑gather lists with AF_ALG sockets and the splice system call, an attacker can write four arbitrary bytes into the page cache of any readable file. Overwriting a set‑uid binary or shared container image grants root privileges or enables container escapes without network access or special privileges.
The researchers demonstrated the attack with a 732‑byte Python script that gains root on unpatched systems. Ed from Low‑Level TV later released a deep‑dive video, confirming the ease of exploitation. Xent code’s advisory ranks multi‑tenant Linux hosts as the highest priority for patching, while single‑user workstations are deemed lower risk.
With cloud providers and SaaS platforms relying on shared kernels, the flaw poses a systemic threat to multi‑tenant environments. Prompt kernel updates and hardening of the crypto API are essential to prevent widespread privilege‑escalation attacks and supply‑chain compromises.
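While patches roll out, the AF_ALG-plus-splice chain described above can serve as a triage signal. The following is an added example, not code from the episode or the advisory: a heuristic that scans auditd SYSCALL records for non-root processes that both opened an AF_ALG socket and called splice. It assumes audit rules already log the `socket` and `splice` syscalls on x86_64, and the log lines are constructed.

```python
import re
from collections import defaultdict

AF_ALG = 38                          # Linux address-family number for AF_ALG
SYS_SOCKET, SYS_SPLICE = 41, 275     # x86_64 syscall numbers
ARCH_X86_64 = "c000003e"             # auditd arch value for x86_64

# Constructed sample records (not from a real host), auditd SYSCALL format.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1775000000.101:901): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=4242 uid=1000 comm="python3" exe="/usr/bin/python3"
type=SYSCALL msg=audit(1775000000.207:902): arch=c000003e syscall=275 success=yes exit=4 a0=5 a1=0 a2=7 a3=0 pid=4242 uid=1000 comm="python3" exe="/usr/bin/python3"
type=SYSCALL msg=audit(1775000001.010:903): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 a3=0 pid=5150 uid=1001 comm="curl" exe="/usr/bin/curl"
type=SYSCALL msg=audit(1775000001.500:904): arch=c000003e syscall=275 success=yes exit=4096 a0=3 a1=0 a2=6 a3=0 pid=5150 uid=1001 comm="curl" exe="/usr/bin/curl"
type=SYSCALL msg=audit(1775000002.000:905): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=77 uid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def find_suspects(log_text):
    """Return sorted (pid, uid, exe) for non-root processes that both
    opened an AF_ALG socket and called splice."""
    seen = defaultdict(set)          # (pid, uid, exe) -> {"alg", "splice"}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != ARCH_X86_64:
            continue
        if rec.get("success") != "yes" or rec.get("uid") in (None, "0"):
            continue                 # failed calls and root are out of scope
        try:
            nr = int(rec["syscall"])
            a0 = int(rec["a0"], 16)  # auditd prints syscall arguments in hex
            key = (int(rec["pid"]), int(rec["uid"]), rec.get("exe", "?"))
        except (KeyError, ValueError):
            continue                 # truncated or malformed record
        if nr == SYS_SOCKET and a0 == AF_ALG:
            seen[key].add("alg")
        elif nr == SYS_SPLICE:
            seen[key].add("splice")
    return sorted(k for k, v in seen.items() if v == {"alg", "splice"})

if __name__ == "__main__":
    for pid, uid, exe in find_suspects(SAMPLE_LOG):
        print(f"review pid={pid} uid={uid} exe={exe}: AF_ALG socket + splice")
```

Legitimate software also uses AF_ALG and splice, so a hit is a prompt for review rather than proof of exploitation.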