Linux 'Copy Fail' Flaw: Root Access Exploitable on Major Distributions Since 2017
A critical local privilege escalation vulnerability, dubbed 'Copy Fail' and tracked as **CVE-2026-31431**, affects Linux kernels released since 2017. An exploit has been published demonstrating how an unprivileged local attacker can gain root permissions on vulnerable systems.

The vulnerability was discovered by **Theori**, an offensive security company, using its AI-driven pentesting platform **Xint Code** after scanning the Linux crypto subsystem for about an hour.
**Theori** reported the finding to the Linux kernel security team on March 23rd, and patches were made available within a week. Technical details and a proof-of-concept exploit emerged publicly shortly after.
Although the cybersecurity company developed and tested a "100% reliable" Python-based exploit for four Linux distributions (**Ubuntu 24.04 LTS**, **Amazon Linux 2023**, **RHEL 10.1**, and **SUSE 16**), the researchers claim that the 732-byte script roots every Linux distribution shipped since 2017.
### Copy Fail Root Cause
In a [detailed write-up](https://xint.io/blog/copy-fail-linux-distributions), the researchers explain that the Copy Fail (**CVE-2026-31431**) issue "is a logic bug in the Linux kernel's authencesn cryptographic template" that allows an authenticated user to reliably perform a "4-byte write into the page cache of any readable file on the system."
By combining the `AF_ALG` socket-based interface, which grants access to the Linux kernel crypto functions from user space, and the `splice()` system call, an unprivileged user can make a 4-byte controlled write in the page cache of a file, instead of a normal buffer.
If those 4 bytes hit a setuid-root binary, they can alter its behavior when executed, granting the attacker root privileges.
The flaw was introduced in 2017 when the Linux kernel team added an "in-place" optimization to the crypto path, meaning it began reusing the same buffer rather than keeping input and output strictly separate.
### Impact and Fixes
**Theori's** Proof-of-Concept (PoC) is a consistently effective 732-byte exploit that grants root access to every major Linux distribution running on a vulnerable Linux Kernel version, according to the researchers.
They demonstrated and confirmed the [Copy Fail](https://copy.fail/) exploit on **Ubuntu 24.04**, **Amazon Linux 2023**, **RHEL 10.1**, and **SUSE 16**.

Copy Fail is characterized as being closer to the "[Dirty Pipe](https://www.bleepingcomputer.com/news/security/new-linux-bug-gives-root-on-all-major-distros-exploit-released/)" vulnerability than typical local privilege escalation flaws, is more reliable (claimed 100% success), and is more broadly exploitable than most bugs in this class. Even when compared to Dirty Pipe, Copy Fail is deemed more practical.
"Copy Fail is more portable. One script, every distro, no offsets. Dirty Pipe needed kernel ≥ 5.8 with specific patches; Copy Fail covers the entire 2017-2026 window," **Theori** researchers note.
[CVE-2026-31431](https://nvd.nist.gov/vuln/detail/CVE-2026-31431) was fixed upstream on April 1st by reverting the problematic "in-place" crypto behavior introduced in the Linux kernel version 4.14 in 2017. The fixes were made available in versions 6.18.22, 6.19.12, and 7.0.
According to the researchers, major Linux distributions are already pushing the fix via kernel updates. However, Tharros' principal vulnerability analyst, Will Dormann, notes that there are no "official updates for CVE-2026-31431."
"Fedora 42 and newer have updates, but no official advisory or acknowledgement of CVE-2026-31431," [Dormann says](http://infosec.exchange/@wdormann/116493725294723695).
As an interim mitigation for those who haven't received the updates yet, the researchers recommend disabling the vulnerable crypto interface, which would block AF_ALG socket creation, or disabling the algif_aead module:

```bash
# Tell modprobe to run /bin/false instead of loading algif_aead, so the
# module cannot be (auto)loaded again, including after a reboot
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
# Unload it now if it is already loaded (fails if something still holds it open)
rmmod algif_aead
```
**Theori** researchers suggest treating multi-tenant Linux hosts, Kubernetes/container clusters, CI runners/build farms, and cloud SaaS running user code as a priority in the patching effort.
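As an added example, not Theori's code or anything from the kernel project, a small POSIX shell check of a host's mitigation state against Copy Fail. It assumes the fixed releases are exactly the three named above (6.18.22, 6.19.12, 7.0) and that the modprobe rule is the one shown; distributions that backport the fix keep their old version string, so a "not fixed" verdict from the version check means "confirm with the vendor advisory", not "exploitable".

```bash
#!/bin/sh
# Example check for CVE-2026-31431 ("Copy Fail") mitigation state.
# Assumptions (from the article, not from kernel sources): the bug entered
# in 4.14, the fixed releases are 6.18.22, 6.19.12 and 7.0, and the
# mitigation is "install algif_aead /bin/false" in /etc/modprobe.d.

# copyfail_kernel_fixed VERSION -> 0 if VERSION is a listed fixed release or
# newer, or predates the 4.14 in-place change; 1 otherwise (verify with vendor).
copyfail_kernel_fixed() {
    v=${1%%-*}                          # drop distro suffix, e.g. "-generic"
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0       # "7.0" has no third component
    [ "$maj" -lt 4 ] && return 0
    [ "$maj" -eq 4 ] && [ "$min" -lt 14 ] && return 0
    case "$maj.$min" in
        6.18) [ "$pat" -ge 22 ] ;;
        6.19) [ "$pat" -ge 12 ] ;;
        *)    [ "$maj" -ge 7 ] ;;
    esac
}

# copyfail_module_blocked MODPROBE_DIR PROC_MODULES -> 0 if algif_aead is
# both blocked from loading and not currently loaded; 1 otherwise.
# Paths are parameters so the check can be run against copied files.
copyfail_module_blocked() {
    grep -qs '^install[[:space:]][[:space:]]*algif_aead[[:space:]][[:space:]]*/bin/false' \
        "$1"/*.conf || return 1
    ! grep -qs '^algif_aead[[:space:]]' "$2"
}

# copyfail_report -> human-readable verdict for the running host.
copyfail_report() {
    k=$(uname -r)
    if copyfail_kernel_fixed "$k"; then echo "kernel $k: listed fixed release"
    else echo "kernel $k: not a listed fixed release, check vendor advisory"; fi
    if copyfail_module_blocked /etc/modprobe.d /proc/modules
    then echo "algif_aead: blocked and not loaded"
    else echo "algif_aead: loadable or loaded; apply the modprobe mitigation"; fi
}
```

Source the file and call `copyfail_report` on the host, or point `copyfail_module_blocked` at copies of `/etc/modprobe.d` and `/proc/modules` collected from a fleet.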