Linux Kernel 0-Day “Copy Fail” Roots Every Major Linux Distribution


David Kimber
April 30, 2026, 3 min read

A critical zero-day vulnerability in the Linux kernel has been publicly disclosed. This flaw allows any unprivileged local user to obtain root access on virtually every major Linux distribution shipped since 2017.

Dubbed “Copy Fail” and tracked as CVE-2026-31431, the flaw was discovered by Theori researcher Taeyang Lee and scaled into a full exploit chain by the Xint Code Research Team using AI-assisted analysis.

Copy Fail is a straight-line logic bug, not a race condition, in the Linux kernel’s authencesn cryptographic template. It is reachable through the AF_ALG socket interface combined with the splice() system call.

Unlike predecessors such as Dirty Cow (CVE-2016-5195) or Dirty Pipe (CVE-2022-0847), this vulnerability requires no race-winning, no kernel version offsets, no recompilation, and no compiled payloads.

Linux Kernel 0-Day “Copy Fail”

A single 732-byte Python script using only standard library modules achieves deterministic root on every tested distribution and architecture.

The exploit targets the kernel’s page cache, the in-memory representation of files, by triggering a controlled 4-byte write into a page cache page belonging to any file readable by the attacker.

Because the Linux kernel never marks the corrupted page as dirty for writeback, the on-disk file remains untouched, causing standard checksum-based file integrity tools to miss the modification entirely. The attacker then executes the corrupted in-memory version of a setuid binary such as /usr/bin/su, achieving root shell execution.

The vulnerability originates from a 2017 in-place optimization introduced to algif_aead.c (commit 72548b093ee3). When a user splices a file into a pipe and feeds it into an AF_ALG socket, the AEAD input scatterlist holds direct references to the kernel’s physical page cache pages of that file — not copies.

For AEAD decryption operations, algif_aead.c set req->src = req->dst, making both the source and destination point to the same combined scatterlist.

This placed page cache pages into a writable destination scatterlist. The authencesn algorithm, used by IPsec for 64-bit Extended Sequence Number (ESN) support, then uses the caller’s destination buffer as scratch space to rearrange ESN bytes, writing 4 bytes at offset assoclen + cryptlen past the declared output boundary, directly into chained page cache pages.

Three independent, reasonable code changes across 2011, 2015, and 2017 converged to create this exploitable condition, with nobody connecting their intersection for nearly a decade.

The same unmodified exploit script achieved root shell on all four tested platforms:

Distribution          Kernel version
Ubuntu 24.04 LTS      6.17.0-1007-aws
Amazon Linux 2023     6.18.8-9.213.amzn2023
RHEL 14.3             6.12.0-124.45.1.el10_1
SUSE 16               6.12.0-160000.9-default

The vulnerability was introduced with kernel 4.14 and affects all distributions through the unfixed line.

Beyond local privilege escalation, Copy Fail functions as a Kubernetes container escape primitive. Because the page cache is shared across all processes on a host, including across container boundaries, a compromised container can corrupt setuid binaries visible to other containers and the host kernel. Part 2 of the Xint Code research series covers full Kubernetes node compromise.

Patch Released

The official fix (commit a664bf3d603d) reverts algif_aead.c to out-of-place AEAD operation, permanently separating the TX scatterlist (which may contain page cache pages) from the RX scatterlist (the user’s output buffer).

This eliminates the sg_chain() mechanism that linked page cache pages into the writable destination.

Immediate mitigations pending kernel update:

  • Apply the upstream kernel patch via your distribution’s update channel.
  • Disable the algif_aead kernel module to eliminate the attack surface:
      echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
      rmmod algif_aead 2>/dev/null
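As an added example (not code from the article or the researchers), a small POSIX shell audit that reports whether both mitigation steps above are in effect on a host. It assumes the standard /etc/modprobe.d layout and the usual lsmod column format; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: audit the "Copy Fail" interim mitigation state.
# Verdicts: MITIGATED (install rule present, module not loaded),
#           PARTIAL   (install rule present, module still loaded; rmmod not run),
#           EXPOSED   (no install rule: module can still be auto-loaded on AF_ALG use).

# Returns 0 if the given modprobe.d content contains the exact idiom from the
# article, i.e. an "install algif_aead /bin/false" line (comments are ignored).
modprobe_blocks_algif_aead() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/false([[:space:]]|$)'
}

# Returns 0 if the given lsmod output lists algif_aead as a loaded module.
module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "algif_aead" { found = 1 } END { exit !found }'
}

# Combine both checks into one verdict; arguments are the modprobe.d text
# and the lsmod text so the logic can be exercised on captured or sample data.
copy_fail_mitigation_status() {
    conf="$1"; mods="$2"
    if modprobe_blocks_algif_aead "$conf"; then
        if module_loaded "$mods"; then echo PARTIAL; else echo MITIGATED; fi
    else
        echo EXPOSED
    fi
}

# Live audit of the current host (needs read access to /etc/modprobe.d).
audit_host() {
    copy_fail_mitigation_status "$(cat /etc/modprobe.d/*.conf 2>/dev/null)" "$(lsmod 2>/dev/null)"
}

# Constructed sample data showing the PARTIAL case (rule written, rmmod skipped).
SAMPLE_CONF='# hardening
install algif_aead /bin/false'
SAMPLE_LSMOD='Module                  Size  Used by
algif_aead             16384  0
af_alg                 32768  1 algif_aead'
```

Call `audit_host` on a system to get the live verdict, or feed captured lsmod/modprobe.d text to `copy_fail_mitigation_status` when auditing many hosts centrally.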

The vulnerability was reported to the Linux kernel security team on March 23, 2026, with patches committed to mainline on April 1, 2026, CVE assigned on April 22, 2026, and public disclosure on April 29, 2026. System administrators are urged to apply kernel updates immediately.
