Publicly released exploit code for a yet-to-be-patched security vulnerability that grants root access to nearly all versions of Linux is setting off alarm bells as defenders scramble to stave off severe compromises inside data centers and on personal devices.
The vulnerability, and the exploit code that targets it, were released on Wednesday evening by researchers from security firm Theori, five weeks after it was privately disclosed to the Linux kernel security team. The team patched the vulnerability in releases 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254, but few Linux distributions had integrated these fixes at the time the exploit was released.
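As an added defender-side check (this is not code from the article, from Theori, or from any of the quoted researchers), the script below compares a kernel's `uname -r` string against the fixed releases listed above. Only the version numbers come from the article; the function names, the handling of unlisted branches and the sample strings are assumptions.

```python
import re
import platform
from typing import Tuple

# Fixed kernel releases named in the article for CVE-2026-31431 ("CopyFail").
# Keyed by stable branch (major, minor) -> first patch level carrying the fix.
FIXED_BY_BRANCH = {
    (6, 19): 12, (6, 18): 12, (6, 12): 85, (6, 6): 137,
    (6, 1): 170, (5, 15): 204, (5, 10): 254,
}
MAINLINE_FIXED = (7, 0)  # 7.0 and later mainline releases carry the fix


def parse_kernel_version(release: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a uname -r string such as
    '6.12.85-1-amd64' or '5.15.0-118-generic'. Distro suffixes are ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def assess(release: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' from the upstream version alone.
    'fixed' means the version is at or above a patched release on its branch.
    Distribution kernels often backport fixes without bumping this number, so
    'vulnerable' here means 'check your distribution's advisory', not 'exploitable'.
    Branches not named in the article (e.g. 6.8) are reported as 'unknown'."""
    major, minor, patch = parse_kernel_version(release)
    if (major, minor) >= MAINLINE_FIXED:
        return "fixed"
    fixed_patch = FIXED_BY_BRANCH.get((major, minor))
    if fixed_patch is None:
        return "unknown"
    return "fixed" if patch >= fixed_patch else "vulnerable"


if __name__ == "__main__":
    # Constructed sample strings, followed by the kernel of the host running this.
    samples = ["6.12.84-1-amd64", "6.12.85-1-amd64", "5.15.0-118-generic", "7.0.0"]
    for rel in samples + [platform.release()]:
        try:
            print(f"{rel:24} -> {assess(rel)}")
        except ValueError as exc:
            print(f"{rel:24} -> skipped ({exc})")
```

A result of "vulnerable" for an Ubuntu-style string such as 5.15.0-118-generic only shows that the upstream number is below 5.15.204; whether the distribution has backported the fix must be confirmed from its own advisory or changelog.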
The critical flaw, tracked as CVE-2026-31431 and named CopyFail, is a local privilege escalation, a class of vulnerability that allows unprivileged users to elevate themselves to administrator level. CopyFail is particularly dangerous because it can be exploited using a single piece of exploit code — released in a disclosure on Wednesday — that runs across all vulnerable distributions without any modification. With it, an attacker can, among other things, compromise multi-tenant systems, break out of Kubernetes-based containers or other frameworks, and submit malicious pull requests that carry the exploit code into CI/CD workflows.
“The term ‘local privilege escalation’ sounds dry, so let me explain it,” researcher Juren Schrijvershof wrote on Thursday. “That means an attacker who already has some way to run code on the device, even as the most bored and disadvantaged user, can upgrade himself to root. From there he can read every file, install backdoors, watch every process, and morph into other systems.”
Schrijvershof added that the same Python script Theori released worked reliably on Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6, and Debian 12. The researcher continued:
Why does this matter on shared infrastructure? Because “on-premises” covers a lot of things in 2026: every container on a shared Kubernetes node, every tenant on a shared hosting box, every CI/CD task running untrusted pull request code, every WSL2 instance on a Windows laptop, every AI agent in a container granted access. They all share a single Linux kernel with their neighbors. A kernel LPE collapses those boundaries.
A realistic threat chain looks like this. An attacker exploits a known vulnerability in a WordPress plugin and gains a shell as the www-data user. They run the Copy.fail PoC. They are now root on the host. Every other tenant is suddenly accessible, and that is how you end up in a post-mortem. The vulnerability does not give the attacker access to the box; it changes what happens in the next 10 seconds after they land there.
The vulnerability stems from a “straight line” logic flaw in the kernel’s cryptographic API. Many exploits for race conditions and memory corruption flaws do not work consistently across kernel versions or distributions, sometimes not even on the same machine. Because the code released for CopyFail exploits a logic flaw, “reliability is not a possibility, and the same script runs across distributions,” researchers from Bugcrowd wrote. “No race window, no kernel offset.”
CopyFail gets its name because the AEAD authentication template used for extended IPsec sequence numbers (ESN) doesn’t actually copy the data when it should. Instead, it “uses the caller’s destination buffer as a scratchpad, scribbles 4 bytes past the legitimate output area, and never gets it back,” Theori said. A copy of the AAD ESN bytes “fails” to remain within the destination buffer.
Other security experts echoed the view that CopyFail poses a serious threat, with one saying it’s “the worst weakness that’s been rooting me in the core lately.”
The most recent Linux vulnerabilities of comparable severity were Dirty Pipe, from 2022, and Dirty COW, from 2016. Both were actively exploited in the wild.