Copy Fail (CVE-2026-31431): Frequently asked questions about Linux kernel privilege escalation vulnerability

A flaw in the Linux kernel present since 2017 allows a local user to gain root access on virtually every major Linux distribution. A public exploit is available and reported to work reliably.

Key Takeaways

  1. CVE-2026-31431 is a high-severity local privilege escalation vulnerability in the Linux kernel reportedly affecting virtually every major distribution released since 2017.

  2. A public exploit is available and reported to be reliable, drawing comparisons to previous high-profile Linux kernel privilege escalation flaws.

  3. Patched kernel versions are available, though some major distributions have not yet shipped updates.

Background

Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding CVE-2026-31431, a Linux kernel local privilege escalation vulnerability dubbed “Copy Fail.”

FAQ

When was Copy Fail first disclosed?

On March 23, researcher Taeyang Lee of Theori reported the vulnerability to the Linux kernel security team. The flaw was discovered in part using Theori’s AI-assisted security scanning tool, Xint Code. A mainline patch was committed on April 1, CVE-2026-31431 was assigned on April 22 and public disclosure occurred on April 29.

What is CVE-2026-31431?

CVE-2026-31431 is a local privilege escalation vulnerability in the Linux kernel’s cryptographic subsystem. It was assigned a CVSSv3 score of 7.8.

| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2026-31431 | Linux Kernel Local Privilege Escalation Vulnerability | 7.8 |

The flaw allows a local user to modify the kernel’s cached copy of a file in memory without changing the file on disk. By targeting a privileged binary, an attacker can gain root access. Because the modification exists only in the page cache, the underlying file on disk remains unchanged. Standard disk forensics would not detect the alteration, and clearing memory through a reboot or resource pressure causes the cache to reload from the original file. For a detailed technical breakdown, refer to the Xint Code blog post.

How does Copy Fail compare to Dirty Cow and Dirty Pipe?

Copy Fail has drawn comparisons to two other well-known Linux kernel privilege escalation vulnerabilities: Dirty Cow (CVE-2016-5195) and Dirty Pipe (CVE-2022-0847). Both are in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.

Dirty Cow relied on a race condition, which meant exploitation could fail or require multiple attempts. Dirty Pipe had constraints around how data could be written and where in a file it could be modified. Copy Fail reportedly works consistently across distributions without relying on a race condition or write-position constraints.

How severe is CVE-2026-31431?

Any local user on a system running a vulnerable kernel can exploit this flaw to gain root access. The exploit uses kernel features that are enabled by default on most distributions and does not require special privileges or configuration.

The highest risk environments are those where multiple users or workloads share a Linux kernel: cloud and multi-tenant systems, container clusters and CI/CD pipelines that run untrusted code. Because the exploit targets the kernel’s shared file cache, it can also cross container boundaries. On single-user systems, the risk is lower since an attacker would already need local access.

Which Linux distributions are affected?

Any Linux distribution shipping kernel 4.14 or later is affected. The vulnerability was introduced in 2017 and persisted across nearly a decade

[…]

This article has been indexed from Security Boulevard