Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Almost every Linux distribution released since 2017 is currently vulnerable to a security flaw called “Copy Failure” that allows any user to grant themselves administrator privileges. exploitation, It was revealed publicly Like Wednesday’s CVE-2026-31431, it uses a Python script that runs across all vulnerable Linux distributions, requiring “no per-distro offset, no version checks, and no recompile,” according to Theori, the security firm that disclosed it.
Ars Technica Refers to this blog post by DevOps engineer Jorijn Schrijvershof He explains What makes a copy failure “unusually bad” is that it may go unnoticed by monitoring tools: “Page cache corruption never makes the page dirty. The kernel’s write-back mechanism never flushes the modified bytes back to disk.” As a result, “AIDE, Tripwire, OSSEC, and any monitoring tool that compares checksums on disk see nothing.”
The copy failure was identified by Theori researchers with the help of their Xint Code AI tool. According to To a blog postTaeyang Lee had the idea of looking into the Linux cryptographic subsystem and created this prompt to run an automated scan that identified several vulnerabilities in “about an hour.”
“This is a Linux cryptosystem/subsystem. Please examine all code paths accessible by user space system calls. Note one key note: splice() can provide page cache references for read-only files (including setuid binaries) to crypto TX scatterlists.”
According to the vulnerability disclosure page, a patch for Copy Fail was added to the main Linux kernel on April 1. However, as Ars Technica It is noted that the researchers who identified Copy Fail made details of the vulnerability public before all affected distributions could release patches for it. Some distributions, incl Arch Linux, Red Hat Fedoraand Amazon Linuxreleased patches, but several others were unable to address the issue immediately.