Copy Fail CVE-2026-31431 AI-discovered 732-byte exploit roots every Linux since 2017
CVE-2026-31431, codenamed Copy Fail, is one of the most consequential Linux kernel vulnerabilities in the last decade.
At its core is a 732-byte Python script (stdlib only, Python 3.10+) that reliably elevates from unprivileged user to root on Ubuntu, RHEL, Amazon Linux, SUSE, and every other mainstream distribution. No race condition. No per-distro offsets. 100% success rate on a single shot.
The mechanism:
A logic bug in the kernel’s authencesn module, introduced via an in-place optimization in 2017, writes 4 bytes past the legitimate output buffer when processing AEAD operations through AF_ALG sockets. When splice() feeds page-cache pages into the crypto subsystem, those 4 bytes land in the kernel’s page cache — the same in-memory copy the kernel reads via execve.
An attacker can modify cached pages of a setuid binary like /usr/bin/su, and the next invocation grants root. Nothing changes on disk. File integrity tools detect nothing after the page is evicted or the system reboots. It is the latest member of the Dirty Pipe family, but more reliable and portable than Dirty Cow (race-dependent) or Dirty Pipe (narrower kernel window).
Why this matters for AI infrastructure:
Copy Fail is not just a local privilege escalation — it is a container escape primitive. The page cache is shared across the host, meaning an attacker in one pod can cross tenant boundaries and compromise the entire node:
- Multi-tenant Linux hosts — any user becomes root.
- Kubernetes clusters — one pod compromises the node.
- CI runners (GitHub Actions, GitLab, Jenkins) — a malicious PR roots the runner.
- Agent sandboxes and serverless functions — tenant code breaks container isolation.
AI-discovered:
The vulnerability was found with AI assistance by security researcher Taeyang Lee at Xint Code. Xint Code’s system audited the entire Linux crypto/ subsystem in roughly one hour. Copy Fail was the highest-severity finding in the run — a proof point that AI-assisted security auditing has reached the big leagues.
Mitigation:
Major distributions are shipping the fix (mainline commit a664bf3d603d). Before patching, disable the algif_aead module: echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf. For containers and sandboxes running untrusted workloads, block AF_ALG socket creation via seccomp regardless of patch status.