Copy.Fail (CVE-2026-31431): A Straight-Line Logic Flaw Roots Every Linux Distribution Since 2017

A 732-byte Python script, no race condition, no kernel offsets — just a decade-old in-place optimization in algif_aead chained through AF_ALG and splice() into a four-byte page-cache write

Executive Summary

On April 29, 2026, security firm Theori publicly disclosed CVE-2026-31431 — nicknamed Copy Fail — a Linux kernel local privilege escalation (LPE) flaw that affects essentially every mainstream Linux distribution shipped since kernel 4.14 (August 2017). The vulnerability lives in the algif_aead module of the kernel cryptographic subsystem and is reachable by any unprivileged local user through the AF_ALG socket family. Researcher Taeyang Lee of Theori discovered the flaw with the assistance of Xint Code, Theori’s AI-assisted code-audit tool.
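A passive exposure triage built from the two facts stated above (affected since kernel 4.14, flaw in the algif_aead module), as an added example that is not code from Theori or from the original page. The function names, result labels and sample /proc/modules text are assumptions constructed for illustration; the page gives no fixed kernel version, so the check reports only whether a host falls in the stated range, not whether it is patched.

```python
import re

# Both values come from the page: first affected kernel and the module at fault.
FIRST_AFFECTED = (4, 14)
MODULE = "algif_aead"

# Constructed sample of /proc/modules content (not captured from a real host).
SAMPLE_PROC_MODULES = """\
algif_aead 16384 0 - Live 0x0000000000000000
af_alg 32768 1 algif_aead, Live 0x0000000000000000
ext4 1000000 2 - Live 0x0000000000000000
"""

def parse_release(release):
    """Return (major, minor) from a `uname -r` string such as '6.8.0-31-generic'."""
    m = re.match(r"(\d+)\.(\d+)", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))

def module_loaded(proc_modules, name=MODULE):
    """True only if `name` is the module-name field (first column) of a line.

    Matching the first column avoids false hits on dependency lists, where a
    module name can also appear in the fourth column of another module's line.
    """
    return any(line.split()[:1] == [name] for line in proc_modules.splitlines())

def triage(release, proc_modules):
    """Classify a host by kernel release and loaded-module list (hypothetical labels)."""
    if parse_release(release) < FIRST_AFFECTED:
        return "before-4.14"
    if module_loaded(proc_modules):
        return "in-range-module-loaded"
    # Absence from /proc/modules is not proof of safety: the code may be built
    # into the kernel image, or the module may be loaded on demand when a
    # process first binds an AF_ALG socket of type "aead".
    return "in-range-module-not-loaded"

if __name__ == "__main__":
    import platform
    with open("/proc/modules") as fh:
        print(triage(platform.release(), fh.read()))
```

Treat "in-range-module-not-loaded" as still needing review against the distribution's advisory for CVE-2026-31431, for the reasons given in the code comment.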

Unlike the headline LPEs of the last decade — Dirty COW (CVE-2016-5195) and Dirty Pipe (CVE-2022-0847) — Copy Fail does not depend on a race window or a kernel-version-specific offset. It is a straight-line logic flaw: the same 732-byte Python script, using only Python 3.10’s standard library, lands root reliably on Debian, Ubuntu, Arch, Fedora, Rocky, Alma, Oracle Linux, RHEL, SUSE, and Amazon Linux. Because the write lands in the page...