Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

‘Copy Fail’ Logic Flaw in Linux Kernel Enables System Takeover

Affecting the kernel’s authencesn cryptographic template, the vulnerability was introduced in 2017 and impacts all distributions.

Linux vulnerability

A high-severity logic bug in the Linux kernel allows unprivileged attackers to write code to other files’ memory and obtain root shell, cybersecurity firm Theori reports.

Tracked as CVE-2026-31431 (CVSS score of 7.8) and dubbed Copy Fail, the issue is believed to affect all Linux distributions since 2017.

The security defect impacts the kernel’s authencesn Authenticated Encryption with Associated Data (AEAD) template, which IPsec uses for Extended Sequence Number (ESN) support.

According to Theori, the issue is that Linux places page cache pages in a writable scatterlist, that authencesn uses the caller’s destination scatterlist as scratch space, and that a 2017 optimization put page cache pages in the writable scatterlist.

When performing byte rearrangement in the scratch space, authencesn makes a call that writes four bytes of code past the AEAD tag, into the cached copy of another file.

Copy Fail allows an attacker with local code execution privileges to modify the in-memory copy of any setuid-root binary readable by the user, thus achieving root shell access, Theori explains

Advertisement. Scroll to continue reading.

According to the company, successful exploitation can be achieved with a simple 732-byte Python script, on essentially any Linux distribution shipped since 2017.

The vulnerability poses a high risk for multi-tenant Linux environments, as well as for shared-kernel containers and CI runners executing untrusted code. The main threat, Theori says, is that all changes are made directly in memory, and the file on disk remains unmodified.

Copy Fail differs from both Dirty Pipe, a page cache corruption flaw that abuses pipe buffer flags, and Dirty Cow, which exploits a race condition in the COW path, the company says.

Organizations are advised to update their Linux distributions to a fixed version as soon as possible, especially in environments running untrusted workloads. According to Theori, page cache is shared across containers, and the bug leads to node and cross-tenant compromise. 

The patches rolled out for Copy Fail remove the optimization introduced in 2017, reverting to out-of-place operation and removing the mechanism that “linked page cache tag pages into the writable destination scatterlist,” Theori notes.

Related: Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root Access

Related: No Patch for New PhantomRPC Privilege Escalation Technique in Windows

Related: OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years

Related: Incomplete Windows Patch Opens Door to Zero-Click Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.