# CopyFail: The Linux Bug That Was Hiding in Plain Sight for 9 Years

**A nine-year-old logic flaw in the Linux kernel’s crypto API gives any unprivileged user root access with a single Python script. No race conditions. No brute force. Just a buffer that “forgets” to stay inside its bounds.**

---

## The Exploit That Works Everywhere

On Wednesday evening, April 29, 2026, security researchers at Theori published an exploit for CVE-2026-31431 — and Linux defenders collectively realized they had a problem.

The vulnerability, dubbed **CopyFail**, is a local privilege escalation flaw that has been sitting in the Linux kernel since approximately 2017. Theori’s published exploit code is a single Python script that runs without modification across Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6, and Debian 12.

One script. All distros. Root access.

> “Local privilege escalation sounds dry, so let me unpack it. It means: an attacker who already has some way to run code on the machine, even as the most boring unprivileged user, can promote themselves to root.”
> — Jorijn Schrijvershof, security researcher

---

## What Makes CopyFail Different

Most critical Linux kernel bugs rely on race conditions or memory corruption — techniques that don’t always work consistently across kernel versions. CopyFail is different. It exploits a **straight-line logic flaw** in the kernel’s authencesn AEAD template.

Here’s what happens: when the crypto subsystem handles IPsec extended sequence numbers, it’s supposed to copy data into a properly bounded destination buffer. Instead, it uses the caller’s buffer as a scratch pad and writes **4 bytes past the legitimate output region** — without ever restoring them. The “copy” of the AAD ESN bytes “fails” to stay inside the destination buffer. Hence: CopyFail.

> “Because the code exploits a logic flaw, reliability isn’t probabilistic, and the same script works across distributions. No race window. No kernel offset.”
> — Bugcrowd researchers

---

## The Real Attack Surface

“Local” privilege escalation sounds limited until you realize what “local” means in 2026:

- **Every container** on a shared Kubernetes node
- **Every tenant** on a shared hosting box
- **Every CI/CD job** running untrusted pull request code
- **Every WSL2 instance** on a Windows laptop
- **Every containerized AI agent** given shell access

They all share one Linux kernel. CopyFail collapses the boundary between them.

**Realistic threat chain:**

1. Attacker exploits a known WordPress plugin vulnerability → gets shell as `www-data`
2. Runs the `copy.fail` proof-of-concept
3. Is now root on the host
4. Every other tenant is suddenly reachable

The vulnerability doesn’t get the attacker onto the box — it changes what happens in the **next ten seconds** after they land there.

---

## The Worst Linux Vuln in Years

Security experts are calling CopyFail the most severe Linux kernel vulnerability since Dirty Pipe (2022) and Dirty Cow (2016). Both of those were actively exploited in the wild.

But CopyFail has an extra sting: **disclosure went poorly.** Theori published the exploit before most major distributions had backported the kernel fix into their stable releases. The patches existed — they had been committed to upstream kernels 7.0, 6.19.12, 6.18.12, and others — but Ubuntu, Debian, SUSE, and Amazon Linux were still scrambling when the exploit dropped.

> “The org doing the disclosure… did an absolutely terrible job of vulnerability coordination. Before firing away with the publication, they didn’t bother to see if ANY of the vendors they list ACTUALLY HAVE PATCHES. (None do).”
> — Will Dormann, Tharros Labs

As of April 30, Arch Linux and Red Hat Fedora had released patches. Others published mitigation guidance.

---

## The AI Connection

Here’s a detail that adds insult to injury: Theori discovered this vulnerability using its AI-powered security tool, Xint Code. The scan took about an hour to surface the bug.

AI found it. AI wrote the exploit. And now the entire Linux ecosystem is racing to catch up.

This is the new normal: AI-assisted vulnerability discovery compresses the timeline between “buried in the code” and “exploitable in the wild” from years to days.

---

## What You Should Do Right Now

**Immediate steps:**

1. **Check your kernel version** — if you’re on Linux 5.10 through 6.12, you’re in the vulnerable window
2. **Apply vendor patches immediately** — check your distribution’s security advisory page
3. **Audit multi-tenant environments** — shared Kubernetes nodes, hosting servers, CI/CD runners
4. **Assume any unprivileged shell access is game over** — this is not theoretical
5. **Monitor for the `copy.fail` PoC** — a single Python script is all it takes

---

## The Bottom Line

CVE-2026-31431 is a reminder that logic bugs can be just as devastating as memory corruption — and sometimes more reliable. A nine-year-old flaw in the Linux kernel’s crypto API means that right now, somewhere, an attacker is escalating from `www-data` to root with a script that fits in a single file.

The question isn’t whether this will be exploited at scale. It’s whether your systems will be patched before it happens to you.

---

*Sources: Ars Technica, Bugcrowd Blog, Theori Research, Jorijn Schrijvershof, Will Dormann, Linux Kernel Mailing List*

*CVE: CVE-2026-31431 | CVSS: High | Affected: Linux kernels 5.10+ through 6.12*
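A triage helper for step 1 of the immediate steps above. This is an added example, not code from the article, Theori or any distribution: it takes a kernel release string such as the output of `uname -r` and classifies it against the affected range the article names (5.10 through 6.12). Kernels above that range are flagged as "newer-check" rather than "safe", because the article lists upstream fixes only in 7.0, 6.19.12 and 6.18.12, and distribution backports change the picture in both directions, so the vendor advisory is the final word either way. The function names and the category labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the article or any vendor): classify a kernel
# release string against the affected window the article states
# (Linux 5.10 through 6.12). Output is a triage label, not a patch verdict;
# distro backports can make an "in-window" kernel fixed and a "newer-check"
# kernel still vulnerable, so always confirm with the vendor advisory.

# Extract the leading major number from e.g. "6.8.0-45-generic" -> "6".
kernel_major() {
    printf '%s\n' "$1" | cut -d. -f1 | sed 's/[^0-9].*//'
}

# Extract the minor number from e.g. "6.8.0-45-generic" -> "8".
# `cut -s` prints nothing when there is no dot, so a bare "6" yields "".
kernel_minor() {
    printf '%s\n' "$1" | cut -s -d. -f2 | sed 's/[^0-9].*//'
}

# copyfail_window VERSION
# Prints one of (labels chosen for this example):
#   below-window : older than 5.10, outside the range the article names
#   in-window    : 5.10 <= version <= 6.12, the article's affected range
#   newer-check  : above 6.12; not cleared, check the vendor advisory
#   unparseable  : string does not start with a number
copyfail_window() {
    maj=$(kernel_major "$1")
    min=$(kernel_minor "$1")
    min=${min:-0}
    if [ -z "$maj" ]; then
        echo "unparseable"
        return 2
    fi
    if [ "$maj" -lt 5 ] || { [ "$maj" -eq 5 ] && [ "$min" -lt 10 ]; }; then
        echo "below-window"
    elif [ "$maj" -lt 6 ] || { [ "$maj" -eq 6 ] && [ "$min" -le 12 ]; }; then
        echo "in-window"
    else
        echo "newer-check"
    fi
}

# Report on the running kernel when executed directly.
# COPYFAIL_NO_LIVE=1 skips the live check (used when sourcing for tests).
if [ "${COPYFAIL_NO_LIVE:-0}" != 1 ]; then
    live=$(uname -r)
    printf 'kernel %s: %s\n' "$live" "$(copyfail_window "$live")"
fi
```

The script deliberately never prints "safe": every kernel newer than 6.12 is reported as "newer-check", so the only way to close the ticket is the distribution's advisory page, which is step 2 of the list.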