"Copy Fail": Linux root in all major distributions with 732 bytes of Python
The discoverers have named the root-privilege vulnerability "Copy Fail". All major distributions since 2017 are affected.
(Image: Tux by Larry Ewing / GIMP)
IT researchers have discovered a vulnerability in the Linux kernel that attackers can exploit to gain root privileges. The discoverers have named the vulnerability “Copy Fail.” Virtually all Linux distributions available since 2017 are said to be affected.
The IT researchers report this in a blog post, and the report even has a domain of its own. They apparently discovered the vulnerability using the AI tool Xint Code. It is a logic error that allows local users to perform a deterministic, controlled 4-byte write into the page cache of any readable filesystem on the machine. With a 732-byte Python script, the researchers manage to manipulate a binary file with the setuid flag and thus gain root privileges (CVE-2026-31431, CVSS 7.8, risk “high”).
The IT security researchers further explain that the kernel does not mark the manipulated page as “dirty” for writing back to disk, so the file on disk remains unchanged and simple checksum checks do not detect the manipulation. When the file is actually accessed, however, the page cache is used. This also allows breaking container boundaries, as the page cache is shared across containers on the host. Specifically, the IT researchers announce that they will publish further details discussing breakouts from Kubernetes containers.
Error in the crypto subsystem
Although the finding was AI-assisted, it was based on investigations into the interaction of the Linux crypto subsystem with page cache data. Interested parties can find very in-depth details in the blog post. There, the programmers also present a proof-of-concept exploit. The Python script is 732 bytes in size and grants local attackers root privileges on, for example, Ubuntu 24.04 LTS with kernel 6.17.0-1007-aws, Amazon Linux 2023 with kernel 6.18.8-9.213.amzn2023, RHEL 10.1 with kernel 6.12.0-124.45.1.el10_1, and SUSE 16 with kernel 6.12.0-160000.9-default. The discoverers of the vulnerability have successfully tested at least these combinations.
The IT researchers also provide a fix for the kernel source code. Updated kernels should now be available from major distributions. As a temporary countermeasure, however, blocking AF_ALG socket creation via seccomp or blacklisting the algif_aead module so that the kernel does not load it should help: echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf && rmmod algif_aead 2>/dev/null, run as root in a terminal, does this and also unloads the module from memory.
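The interim module mitigation from the paragraph above, as an added shell example that is not from the article or the discoverers' post: it writes the article's install rule to disable-algif-aead.conf, unloads the module if resident, and verifies both. The modprobe.d directory and the modules list are parameters (defaults are the real system paths) so the functions can be checked against a temporary directory before being applied as root on a live system.

```shell
#!/bin/sh
# Added example (not the article's or the researchers' code): apply and verify the
# "install algif_aead /bin/false" mitigation. Paths are parameters for dry runs.

MODULE=algif_aead

# Write the modprobe rule so the module loader runs /bin/false instead of inserting
# the module. $1 = modprobe.d directory (default /etc/modprobe.d). Prints the file path.
write_modprobe_rule() {
    dir=${1:-/etc/modprobe.d}
    conf="$dir/disable-algif-aead.conf"
    printf 'install %s /bin/false\n' "$MODULE" > "$conf" || return 1
    echo "$conf"
}

# Succeed (exit 0) if some .conf file in the directory carries the install rule.
rule_present() {
    dir=${1:-/etc/modprobe.d}
    grep -qs "^install[[:space:]][[:space:]]*$MODULE[[:space:]][[:space:]]*/bin/false" "$dir"/*.conf
}

# Succeed (exit 0) if the module is currently loaded.
# $1 = modules list in /proc/modules format (default /proc/modules).
module_loaded() {
    grep -qs "^$MODULE " "${1:-/proc/modules}"
}

# Apply the whole mitigation: rule first (so a later autoload attempt fails), then
# unload. Returns 0 only when the rule is present and the module is not loaded.
apply_mitigation() {
    dir=${1:-/etc/modprobe.d}
    write_modprobe_rule "$dir" >/dev/null || return 1
    if module_loaded; then
        # rmmod fails while an AF_ALG socket still holds the module in use
        rmmod "$MODULE" 2>/dev/null || return 1
    fi
    rule_present "$dir" && ! module_loaded
}

# Touch the live system only when explicitly requested (requires root).
if [ "${APPLY_MITIGATION:-0}" = 1 ]; then
    apply_mitigation && echo "$MODULE blocked from loading and unloaded"
fi
```

Run with APPLY_MITIGATION=1 as root to apply it; without that variable the script only defines the functions for inspection or testing.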
Just a few days ago, Telekom used AI to discover the vulnerability “Pack2TheRoot” in the Linux kernel. This is also a privilege escalation vulnerability that could be exploited in several Linux distributions in their default configurations.
(dmk)