A major Linux “Copy Fail” security flaw has been uncovered using AI detection


Almost all Linux distributions released since 2017 are affected by a security vulnerability called “Copy Fail” that allows any user to give themselves administrative privileges. The exploit, publicly disclosed as CVE-2026-31431 on Wednesday, uses a Python script that works on all Linux distributions and requires “no distro removal, no version checking, no rollback,” according to Theori, the security firm that disclosed it.

Ars Technica points to a blog post by DevOps engineer Jorijn Schrijvershof, who explains that what makes Copy Fail “unusually bad” is the possibility that it will not be detected by monitoring tools: “A cache crash on a page does not make the page dirty. The kernel’s write mechanism does not refresh the changed bytes to disk.” As a result, “AIDE, Tripwire, OSSEC and any monitoring tool that compares on-disk checks see nothing.”

Copy Fail was identified by Theori researchers with the help of their Xint Code AI tool. According to the blog post, Taeyang Lee had the idea to look into the crypto subsystem of Linux and created an automated scan that detected several vulnerabilities “in less than an hour.”

“This is the linux crypto/ subsystem. Please check all access methods from user syscalls. Note one important fact: splice() can provide page-saving references for read-only files (including setuid binaries) to crypto TX scatterlists.”

According to the release page, the Copy Fail patch was added to the main Linux kernel on April 1st. However, as Ars Technica notes, the researchers who discovered Copy Fail published the details publicly before the patches were released. Distros including Arch Linux, Red Hat Fedora and Amazon Linux have released patches, but many others have not been able to deal with it quickly enough.


