A high-severity logic bug in the Linux kernel allows unprivileged local attackers to write into the cached, in-memory copies of other files and obtain a root shell, cybersecurity firm Theori reports.
Tracked as CVE-2026-31431 (CVSS score of 7.8) and dubbed Copy Fail, the issue is believed to affect all Linux distributions since 2017.
The security defect impacts the kernel’s authencesn template, an Authenticated Encryption with Associated Data (AEAD) construction that IPsec uses for Extended Sequence Number (ESN) support.
According to Theori, the issue stems from the combination of two behaviors: authencesn uses the caller’s destination scatterlist as scratch space, and a 2017 optimization began placing page cache pages in that writable destination scatterlist.
When rearranging bytes in that scratch space, authencesn writes four bytes past the AEAD tag, into the cached copy of another file.
Copy Fail allows an attacker with local code execution to modify the in-memory copy of any setuid-root binary readable by that user, and thereby obtain a root shell, Theori explains.
According to the company, successful exploitation can be achieved with a simple 732-byte Python script, on essentially any Linux distribution shipped since 2017.
The vulnerability poses a high risk for multi-tenant Linux environments, as well as for shared-kernel containers and CI runners executing untrusted code. The main threat, Theori says, is that all changes are made directly in memory, and the file on disk remains unmodified.
Copy Fail differs from both Dirty Pipe, a page cache corruption flaw that abuses pipe buffer flags, and Dirty Cow, which exploits a race condition in the copy-on-write (COW) path, the company says.
Organizations are advised to update their Linux distributions to a fixed version as soon as possible, especially in environments running untrusted workloads. According to Theori, the page cache is shared across containers, so the bug can lead to node and cross-tenant compromise.
The patches rolled out for Copy Fail remove the optimization introduced in 2017, reverting to out-of-place operation and removing the mechanism that “linked page cache tag pages into the writable destination scatterlist,” Theori notes.
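Because the corruption lives only in the page cache while the file on disk stays intact, one defender-side check is to hash each setuid-root binary twice, once through the page cache and once with O_DIRECT, and flag any disagreement. The script below is an added illustration of that check, not code from Theori or the kernel project; it assumes Linux, a filesystem that honours O_DIRECT (tmpfs and some overlay mounts do not, and are reported as unsupported rather than as a mismatch), and 4 KiB-aligned direct reads.

```python
import hashlib, mmap, os, pathlib, stat
BLOCK = 4096  # O_DIRECT wants block-aligned buffers; one page satisfies common filesystems

def sha256_cached(path):
    """Digest of the file as the page cache presents it (an ordinary buffered read)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def sha256_direct(path):
    """Digest of the on-disk bytes read with O_DIRECT; None where O_DIRECT is unavailable."""
    flag = getattr(os, "O_DIRECT", None)  # Linux only
    if flag is None:
        return None
    try:
        fd = os.open(path, os.O_RDONLY | flag)
    except OSError:  # e.g. EINVAL on tmpfs or overlay mounts that have no backing device
        return None
    h, done, size = hashlib.sha256(), 0, os.fstat(fd).st_size
    buf = mmap.mmap(-1, BLOCK)  # anonymous mapping: page-aligned, as O_DIRECT requires
    try:
        while done < size:  # stop at EOF instead of issuing an unaligned trailing read
            n = os.readv(fd, [buf])
            if n == 0:
                break
            h.update(buf[:n])
            done += n
    except OSError:  # the device rejected the direct read: report unsupported, not mismatch
        return None
    finally:
        buf.close()
        os.close(fd)
    return h.hexdigest()

def check_file(path):
    """'ok' when both views agree, 'MISMATCH' when the cached copy differs, else 'unsupported'."""
    cached, direct = sha256_cached(path), sha256_direct(path)
    if direct is None:
        return "unsupported"
    return "ok" if cached == direct else "MISMATCH"

def setuid_root_binaries(roots=("/usr/bin", "/usr/sbin", "/bin", "/sbin")):
    """Yield regular, root-owned setuid files: the targets Copy Fail rewrites in memory."""
    for root in roots:
        for p in pathlib.Path(root).rglob("*"):
            try:
                st = p.lstat()
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                yield str(p)
```

Run it as `for p in setuid_root_binaries(): print(check_file(p), p)`; a MISMATCH is a signal to investigate, not proof of compromise, since a package upgrade in progress can also briefly make the two views disagree.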