Cybersecurity researchers disclosed a Linux local privilege escalation flaw, tracked as CVE-2026-31431, that could let an unprivileged local user gain root on systems running Linux distributions shipped since 2017.
KEY FACTS
- Severity: The flaw has a CVSS score of 7.8.
- Name: Researchers at Xint.io and Theori call it Copy Fail.
- Impact: A local user could write four controlled bytes into the page cache of readable files.
- Scope: The issue can affect Amazon Linux, RHEL, SUSE and Ubuntu.
The technical analysis from Xint.io and Theori says the flaw comes from a logic error in the Linux kernel cryptographic subsystem, specifically in the algif_aead module. The issue was introduced in an August 2017 source code commit.
The researchers said exploitation could be done with a 732-byte Python script that edits a setuid binary and then uses it to obtain root. The outlined steps involve opening an AF_ALG socket, building a shellcode payload, triggering a write to the kernel cache for /usr/bin/su, and calling execve on that file.
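For defenders, the sequence outlined above (an unprivileged process opens an AF_ALG socket, then the same process executes a setuid binary) can be hunted for in audit logs. The following is an added example, not code from the researchers or the article; it assumes x86_64 auditd SYSCALL records with rules that log socket and execve calls, and the sample log lines are constructed.

```python
import re

AF_ALG_HEX = "26"                    # AF_ALG is address family 38; auditd prints a0 in hex
SYS_SOCKET, SYS_EXECVE = "41", "59"  # x86_64 syscall numbers (assumption: arch=c000003e)
WATCHED = {"/usr/bin/su"}            # setuid binary named in the article; extend as needed

# Constructed auditd SYSCALL records (not captured from a real incident).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=4242 uid=1000 euid=1000 comm="python3" exe="/usr/bin/python3"
type=SYSCALL msg=audit(1700000000.350:102): arch=c000003e syscall=59 success=yes exit=0 a0=7f00 a1=7f10 a2=7f20 a3=0 pid=4242 uid=1000 euid=0 comm="su" exe="/usr/bin/su"
type=SYSCALL msg=audit(1700000001.000:103): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 a3=0 pid=5000 uid=1000 euid=1000 comm="curl" exe="/usr/bin/curl"
type=SYSCALL msg=audit(1700000002.000:104): arch=c000003e syscall=59 success=yes exit=0 a0=7f00 a1=7f10 a2=7f20 a3=0 pid=5000 uid=1000 euid=0 comm="su" exe="/usr/bin/su"
type=SYSCALL msg=audit(1700000003.000:105): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=77 uid=0 euid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Turn one audit record into a dict of key -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def find_suspects(log_text):
    """Flag non-root processes that open AF_ALG and later exec a watched setuid binary."""
    af_alg_pids = {}  # pid -> executable that opened the AF_ALG socket
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if (rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e"
                or rec.get("success") != "yes"):
            continue
        pid = rec["pid"]
        if rec["syscall"] == SYS_SOCKET and rec["a0"] == AF_ALG_HEX and rec["uid"] != "0":
            af_alg_pids[pid] = rec["exe"]
        elif rec["syscall"] == SYS_EXECVE and rec["exe"] in WATCHED and pid in af_alg_pids:
            alerts.append({"pid": pid, "uid": rec["uid"],
                           "opener": af_alg_pids.pop(pid), "target": rec["exe"]})
    return alerts

if __name__ == "__main__":
    for alert in find_suspects(SAMPLE_LOG):
        print(alert)
```

Correlating on pid alone is a heuristic: pid reuse and legitimate AF_ALG users can produce false positives, so treat a hit as a lead for triage rather than a verdict.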
The vulnerability is not remotely exploitable on its own, but it can be triggered by a local user and can affect multiple containers because the page cache is shared across processes on a system. Linux distributions including Amazon Linux, Debian, Red Hat Enterprise Linux, SUSE and Ubuntu have issued advisories about the flaw.
The report compares Copy Fail with Dirty Pipe, another Linux kernel privilege escalation bug that allowed unprivileged users to splice data into the page cache of read-only files. Bugcrowd described Copy Fail as the same class of primitive in a different subsystem.
WHY IT MATTERS
The flaw matters because it is described as portable, small and reliable, with no race condition or kernel offset required. That combination could make it easier for a low-privileged local account to escalate access and move across sandbox boundaries on affected Linux systems.

