New Linux 'Copy Fail' Vulnerability Enables Root Access On Major Distros (copy.fail)
(Friday May 01, 2026 @11:30PM (BeauHD)
from the PSA dept.)
A newly disclosed Linux kernel flaw dubbed " [1]Copy Fail " can let a local, unprivileged attacker gain root access on major Linux distributions, with researchers claiming the bug affects kernels shipped since 2017. "The POC exploit works out of the box today, but a future version that can escape from containers like Docker is promised soon," writes Slashdot reader [2]tylerni7 . "Technical details are available [3]here ." Slashdot reader [4]BrianFagioli shares a report from NERDS.xyz:
> A newly disclosed Linux kernel vulnerability called Copy Fail (CVE-2026-31431) [5]allows an unprivileged user to gain root access using a tiny 732-byte script , and it works with unsettling consistency across major distributions. Unlike older exploits that relied on race conditions or fragile timing, this one is a straight-line logic flaw in the kernel's crypto subsystem. It abuses AF_ALG sockets and splice to overwrite a few bytes in the page cache of a target file, such as /usr/bin/su. Because the kernel executes from the page cache, not directly from disk, the attacker can inject code into a setuid binary in memory and immediately escalate privileges.
>
> What makes this especially concerning is how quiet it is. The file on disk remains unchanged, so standard integrity checks see nothing wrong, while the in-memory version has already been tampered with. The same primitive can also cross container boundaries since the page cache is shared, raising the stakes for multi-tenant environments and Kubernetes nodes. The underlying issue traces back to an in-place optimization added years ago, now being rolled back as part of the fix. Until patched kernels are widely deployed, this is one of those bugs that feels less like a theoretical risk and more like a practical, reliable path to full system compromise.
[1] https://copy.fail/
[2] https://slashdot.org/~tylerni7
[3] https://xint.io/blog/copy-fail-linux-distributions
[4] https://slashdot.org/~BrianFagioli
[5] https://nerds.xyz/2026/04/copy-fail-linux-root-exploit/
> A newly disclosed Linux kernel vulnerability called Copy Fail (CVE-2026-31431) [5]allows an unprivileged user to gain root access using a tiny 732-byte script , and it works with unsettling consistency across major distributions. Unlike older exploits that relied on race conditions or fragile timing, this one is a straight-line logic flaw in the kernel's crypto subsystem. It abuses AF_ALG sockets and splice to overwrite a few bytes in the page cache of a target file, such as /usr/bin/su. Because the kernel executes from the page cache, not directly from disk, the attacker can inject code into a setuid binary in memory and immediately escalate privileges.
>
> What makes this especially concerning is how quiet it is. The file on disk remains unchanged, so standard integrity checks see nothing wrong, while the in-memory version has already been tampered with. The same primitive can also cross container boundaries since the page cache is shared, raising the stakes for multi-tenant environments and Kubernetes nodes. The underlying issue traces back to an in-place optimization added years ago, now being rolled back as part of the fix. Until patched kernels are widely deployed, this is one of those bugs that feels less like a theoretical risk and more like a practical, reliable path to full system compromise.
[1] https://copy.fail/
[2] https://slashdot.org/~tylerni7
[3] https://xint.io/blog/copy-fail-linux-distributions
[4] https://slashdot.org/~BrianFagioli
[5] https://nerds.xyz/2026/04/copy-fail-linux-root-exploit/