Copy Fail(CVE-2026-31431) allows standard users to escalate themselves to administrator privileges across nearly every Linux distribution released since 2017. The vulnerability is particularly dangerous because it bypasses traditional checksum-based monitoring tools, making the breach invisible to many standard security suites.
The Copy Fail vulnerability presents a unique risk due to the way it evades detection. For a system administrator, a breach that does not trigger an alarm is difficult to identify and remediate. In this case, the flaw operates in a way that allows it to bypass the detection capabilities of various industry integrity checkers.
According to The Verge, the exploit utilizes a Python script that is remarkably portable. The security firm Theori, which uncovered the flaw, noted that the script requires no per-distro offsets, no version checks, no recompilation,
meaning it can be deployed across various Linux environments without modification.
The invisibility of page-cache corruption
The technical severity of the flaw lies in how it interacts with the Linux kernel’s memory management. Most security monitoring tools, such as AIDE, Tripwire, and OSSEC, protect systems by comparing on-disk checksums—essentially taking a digital fingerprint of a file and checking if it has changed. If a hacker modifies a binary on the disk, the fingerprint changes, and the alarm sounds.
Copy Fail bypasses this entirely by targeting the page cache rather than the physical disk. DevOps engineer Jorijn Schrijvershof described the flaw as unusually nasty
because of this specific behavior.
“Page-cache corruption never marks the page dirty. The kernel’s writeback machinery never flushes the modified bytes back to disk.”
Jorijn Schrijvershof, DevOps Engineer
Because the modified bytes are never written back to the disk, the files on the physical drive remain unchanged. Consequently, AIDE, Tripwire, OSSEC and any monitoring tool that compares on-disk checksums see nothing,
according to Schrijvershof. The system believes it is running pristine, unmodified code while the active memory has been corrupted to grant administrator access.
For more on this story, see AMD Zen 1 FP-DSS Security Flaw Patched in Linux Kernel.
AI-assisted discovery in the crypto subsystem
The discovery of Copy Fail highlights a shift in how vulnerabilities are being hunted. Theori researchers used an AI tool called Xint Code to accelerate the process. Rather than manually auditing millions of lines of code, researcher Taeyang Lee used a specific prompt to direct the AI toward the Linux crypto subsystem, focusing on paths reachable via userspace syscalls.
The prompt provided to the AI was highly specific, noting that the splice()
function could deliver page-cache references of read-only files—including setuid binaries—to crypto TX scatterlists. This targeted approach allowed the AI to identify several vulnerabilities in about an hour, demonstrating the speed at which automated tools can analyze complex kernel paths.
The race between disclosure and patching
In cybersecurity, there is often a gap between the moment a flaw is publicized and the moment a patch is applied. In the case of Copy Fail, a patch was integrated into the mainline Linux kernel on April 1st. However, the mainline kernel is the blueprint; individual distributions (distros) must then integrate that patch into their own specific versions.
As noted by The Verge and Ars Technica, the researchers published the exploit details publicly before all affected distributions had a chance to release their updates. This created a window of risk where the “how-to” for the attack was available to the public while many systems remained vulnerable.
While some major distributions, including Amazon Linux, RedHat Fedora, and Arch Linux, moved quickly to release patches, the available reporting indicates that many other distributions were not immediately able to address the issue. Because the vulnerability affects nearly every distribution released since 2017, a wide range of systems may remain exposed until updates are applied.
Administrators should now prioritize verifying the patch status of their specific distribution and recognize that traditional checksum monitoring may not be sufficient to detect an active exploitation of CVE-2026-31431. System owners are encouraged to monitor vendor security advisories for the availability of the necessary fixes.
