9-Year-Old Linux Kernel Vulnerability “Copy Fail” Enables Full Root Access

The Linux kernel vulnerability “Copy Fail” lets attackers gain root access via a memory flaw. Patch now or disable algif_aead to stay secure.

Offensive security research firm Theori discovered a bug in the Linux kernel that, surprisingly, has existed since 2017. The flaw, dubbed Copy Fail and tracked as CVE-2026-31431, allows a regular user to take total control of a computer system.

The Xint Code Research Team at Theori used their AI-powered code auditing tool to find this hidden error after an initial lead from researcher Taeyang Lee. The problem lies in how Linux handles security tasks within its cryptographic subsystem, specifically the algif_aead module.

A Tiny Script with Massive Impact

You need to know about the page cache to understand this flaw. The page cache is a part of computer memory that stores bits of files so they can be read quickly without checking the storage drive every time. Copy Fail happens because of a mistake in the authencesn tool, which uses a security method called the AEAD algorithm to lock data and check for tampering.

When this tool tries to organise data for network security, it accidentally writes four bytes of information into the wrong place. Due to a separate speed-up change added to the Linux code in 2017, those four bytes end up inside the page cache of important files.

By using a Python script that is only 732 bytes long, threat actors can edit the in-memory copy of a file such as /usr/bin/su (a program that runs with high privileges). So, while the file on the actual disk remains unchanged, the version held in memory, which is the one that actually runs, gets modified. This lets the attackers obtain a root shell, basically becoming the system administrator with the highest access level.

Why This Is Different

Most security flaws are hard to use because they either require perfect timing or multiple tries, but Copy Fail is different, as it’s a logic bug and works the same way every time. Xint Code researchers have found that the same simple script works on different versions of Linux, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux 10.1, and SUSE 16.

It also leaves minimal forensic traces since the changes happen in memory instead of on disk. That’s why many security tools that check for file integrity didn’t detect it in all these years. Even now, the discovery was made possible through scanning millions of lines of code using the Xint Code platform.

Linux has released a fix that changes how the system handles this data. Instead of the code’s risky in-place method, which was prone to leaking data into parts of memory it wasn’t supposed to touch, the fix forces the system to make a safe copy of the data in a separate area, preventing any accidental overwrites.

Users are urged to update to the latest kernel patch, specifically commit a664bf3d603d. For those who cannot update immediately, experts suggest disabling the algif_aead module, which blocks the path that hackers use without affecting daily apps like web browsers or SSH.
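
One way to audit the algif_aead mitigation on a host, as an added example that is not from the article, Theori, or the kernel project. It assumes algif_aead is built as a loadable module and that the block is an `install algif_aead /bin/false` rule under /etc/modprobe.d; the function names are hypothetical and the sample data is constructed.

```shell
#!/bin/sh
# Added example: audit the algif_aead mitigation. Function names are hypothetical.
# Assumes algif_aead is a loadable module (a built-in cannot be blocked this way).

# module_loaded FILE NAME: true if NAME is listed in FILE (/proc/modules format).
module_loaded() {
    awk -v m="$2" '$1 == m { found = 1 } END { exit !found }' "$1" 2>/dev/null
}

# load_blocked DIR NAME: true if DIR/*.conf holds "install NAME /bin/false" (or
# /bin/true). A "blacklist" line only suppresses alias matches (modprobe.d(5)),
# so it is not counted. modprobe treats "-" and "_" in names as equivalent.
load_blocked() {
    cat "$1"/*.conf 2>/dev/null | awk -v m="$2" '
        function norm(s) { gsub(/-/, "_", s); return s }
        /^[ \t]*#/ { next }
        $1 == "install" && norm($2) == norm(m) &&
            ($3 == "/bin/false" || $3 == "/bin/true") { found = 1 }
        END { exit !found }'
}

# audit_algif_aead [MODULES_FILE] [CONF_DIR]: prints "<state>,<rule>" where state
# is loaded|not-loaded and rule is blocked|loadable. Defaults to the live host.
audit_algif_aead() {
    mods=${1:-/proc/modules}
    conf=${2:-/etc/modprobe.d}
    if module_loaded "$mods" algif_aead; then state=loaded; else state=not-loaded; fi
    if load_blocked "$conf" algif_aead; then rule=blocked; else rule=loadable; fi
    echo "$state,$rule"
}

# Constructed sample (not from a real host): the module is loaded and only a
# blacklist line is present, so the module can still be loaded again.
demo() {
    d=$(mktemp -d)
    printf 'algif_aead 16384 0 - Live 0x0\naf_alg 32768 1 algif_aead, Live 0x0\n' \
        > "$d/modules"
    printf 'blacklist algif_aead\n' > "$d/weak.conf"
    audit_algif_aead "$d/modules" "$d"
    rm -rf "$d"
}

echo "constructed sample: $(demo)"
echo "this host: $(audit_algif_aead)"
```

A result of `loaded,blocked` means the rule only takes effect once the module is unloaded or the host is rebooted.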

Expert Perspective

In a comment shared with Hackread.com, David Brumley, Chief AI and Science Officer at Bugcrowd, highlighted the extreme severity of the find.

“If you described this bug to a top kernel researcher… they’d tell you this is the kind of thing that, when it exists at all, tends to sell on the broker market for the price of a house,” Brumley noted. He explained that what makes Copy Fail so dangerous is its reliability across distributions: “This is a straight-line logic flaw. Reliability isn’t probabilistic, and the same script works across distributions.”

Brumley also warned that the “high” (rather than critical) severity score should not lead to complacency, especially for those using shared servers. “The page cache is shared. A write from one container affects the host page cache, and therefore every other tenant on that host,” he said. He concluded that this discovery marks a shift in cybersecurity: “Copy Fail shows that the assumption that finding a kernel-grade bug is expensive is false going forward… the cost of finding deep logic flaws may have dropped by something like an order of magnitude.”

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.