Copy Fail Linux Flaw Gives Root Access Since 2017

- CVE-2026-31431 ("Copy Fail") was publicly disclosed Wednesday by security firm Theori and affects nearly every Linux distribution released since 2017, granting any user administrator privileges via a single Python script requiring "no per-distro offsets, no version checks, no recompilation."
- Theori researcher Taeyang Lee used the firm's Xint Code AI tool to identify the vulnerability in "about an hour" by prompting it to examine Linux's crypto subsystem and the splice() syscall's ability to deliver page-cache references of read-only files to crypto TX scatterlists.
- Page-cache corruption makes the exploit unusually hard to detect: the kernel never marks modified pages dirty or flushes them to disk, so file-integrity monitors like AIDE, Tripwire, and OSSEC see no changes, per DevOps engineer Jorijn Schrijvershof.
- Arch Linux, Red Hat Fedora, and Amazon Linux have released patches or mitigations, and a mainline Linux kernel patch was added on April 1 — but many other affected distributions had not released fixes at the time of disclosure.
- Theori's public disclosure drew scrutiny because the researchers published full exploit details before all affected distributions could ship patches, leaving unpatched systems exposed to a working attack.
Why it matters: Nearly every Linux distribution from the last eight years is in scope, and the standard file-integrity monitoring tools that organizations rely on (AIDE, Tripwire, OSSEC) cannot detect the corruption — meaning compromised systems look clean. With the mainline kernel patched since April 1 but many distros still unpatched and a working exploit now public, sysadmins face an urgent patching race on infrastructure they may not even realize is blind to this attack.
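The detection gap described above comes from where the corruption lives: integrity tools read files through the page cache, so a page altered in cache but never marked dirty looks identical to the pristine file. One defender-side check that does not depend on any FIM tool is to hash the same file twice, once through the cache (a normal read) and once bypassing it with O_DIRECT, and compare the two digests. The script below is an added example written for this article; it is not Theori's script, not part of any distribution's tooling, and it assumes a Linux filesystem that honours O_DIRECT, 4 KiB alignment, and a constructed sample file for its self-contained demo.

```python
"""Detect a file whose page-cache contents differ from its on-disk bytes.

Ordinary reads (and file-integrity tools such as AIDE or Tripwire) go through
the page cache, so a page modified in cache but never written back looks
identical to the pristine file. Reading the same file with O_DIRECT bypasses
the cache and returns what is actually on disk; a digest mismatch between the
two views is the signal.

Assumptions (not from the article): Linux, a filesystem that honours O_DIRECT,
4 KiB alignment, and a constructed sample file for the demo.
"""
import errno
import hashlib
import mmap
import os
import sys
import tempfile

CHUNK = 1 << 20  # 1 MiB: a multiple of the 4 KiB alignment O_DIRECT needs (assumption)

# Constructed sample content used only by the self-contained demo.
SAMPLE = b"root:x:0:0:root:/root:/bin/bash\n" * 8
SAMPLE_SHA256 = hashlib.sha256(SAMPLE).hexdigest()


def sha256_cached(path):
    """Hash the file the way every ordinary reader sees it: via the page cache."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_direct(path):
    """Hash the bytes on disk, bypassing the page cache with O_DIRECT.

    Returns None when O_DIRECT is unavailable (non-Linux, or a filesystem such
    as some tmpfs/overlay setups that rejects it with EINVAL).
    """
    flag = getattr(os, "O_DIRECT", None)
    if flag is None:
        return None
    try:
        fd = os.open(path, os.O_RDONLY | flag)
    except OSError as e:
        if e.errno == errno.EINVAL:
            return None
        raise
    # An anonymous mmap is page-aligned, which O_DIRECT requires of its buffer.
    buf = mmap.mmap(-1, CHUNK)
    h = hashlib.sha256()
    offset = 0
    try:
        while True:
            n = os.preadv(fd, [buf], offset)
            if n == 0:
                break
            h.update(buf[:n])
            offset += n
            if n < CHUNK:  # short read means EOF; the next offset would be unaligned
                break
    except OSError as e:
        if e.errno == errno.EINVAL:
            return None
        raise
    finally:
        buf.close()
        os.close(fd)
    return h.hexdigest()


def page_cache_verdict(path):
    """Compare the cached and on-disk digests of one file."""
    cached = sha256_cached(path)
    disk = sha256_direct(path)
    if disk is None:
        status = "unsupported"
    elif cached == disk:
        status = "match"
    else:
        status = "mismatch"  # cache diverged from disk: treat the cached view as untrusted
    return {"path": path, "cached": cached, "disk": disk, "status": status}


def demo_constructed_file():
    """Write a constructed file, fsync it, and compare both views (expected: match)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(SAMPLE)
        f.flush()
        os.fsync(f.fileno())
        path = f.name
    try:
        return page_cache_verdict(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = [page_cache_verdict(p) for p in targets] if targets else [demo_constructed_file()]
    for r in results:
        print(f"{r['status']:<11} {r['path']}  cached={r['cached'][:16]} disk={(r['disk'] or '-')[:16]}")
```

Run it with the paths of setuid binaries or other read-only files you care about (for example `python3 pagecache_check.py /usr/bin/sudo /etc/passwd`); with no arguments it checks a constructed temporary file and should report `match`. A `mismatch` on a file that no process should be writing is worth an incident ticket, and it is worth capturing the cached contents before doing anything else: dropping the page cache would make the file read correctly again and destroy the only evidence. An `unsupported` result means the filesystem refused O_DIRECT, not that the file is clean.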