A newly disclosed Linux kernel vulnerability is exposing a pathway for unprivileged users to gain full admin control on a wide range of systems. The flaw, identified as CVE-2026-31431 and dubbed Copy Fail, affects nearly all major Linux distros released over the past eight years.
The issue stems from a logic error in the kernel’s cryptographic subsystem, specifically within a component responsible for handling authenticated encryption operations. This flaw allows a local user to write a small amount of controlled data into the kernel’s page cache, a mechanism the OS uses to speed up file access. While the modification is small in size, it is enough to alter how privileged programs execute.
“The risk is highest in any environments where namespace isolation (which containers provide) is assumed to be sufficient to protect tenants from one another,” said Uzair Gadit, CEO and founder of Secure.com. “The boundaries that hold are the ones that don’t share a kernel. For example, AWS Lambda and Fargate run on Firecracker microVMs, with separate kernels per tenant and no shared page cache. Cloudflare Workers run on V8 isolates, with no Linux kernel in the threat model at all. gVisor interposes a user-space kernel that does not share the host’s algif_aead.”
Furthermore, he added: “Development infrastructures, cloud and containerization, CI/CD pipelines and serverless and sandboxing environments are all at risk.”
The flaw was identified with the assistance of AI-driven analysis tools, part of a growing trend that is increasing the speed and volume of security findings.
Major Linux distros, including Debian, Ubuntu, Red Hat Enterprise Linux, and SUSE, have begun issuing patches. The fix involves reverting the kernel behavior that introduced the vulnerability, with updates already integrated into newer kernel versions. But patch adoption across enterprise environments will take time, especially in systems with strict change management processes.
In the meantime, security pros are evaluating mitigation strategies like disabling the affected cryptographic interface. While effective, these measures may disrupt certain system functions, requiring assessment before deployment.
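The assessment mentioned above is the kind of check a practitioner would want before disabling the interface. The script below is an added example, not from the article or any distribution advisory: it parses /proc/modules to see whether algif_aead (the interface named in the quote above) is loaded and which modules hold a reference to it, checks modules.builtin for the case where the module is compiled into the kernel and modprobe configuration cannot disable it, and produces the modprobe.d fragment. Both sample inputs are constructed; the /etc/modprobe.d path and the described effect of the blacklist and install directives are assumptions of the example, not statements from the article.

```python
"""Pre-change assessment for disabling the algif_aead kernel module.
Added example; not from the article or any distribution."""
import os

# Constructed sample of /proc/modules content (not captured from a real host).
# Fields: name size refcount dependents state address
SAMPLE_PROC_MODULES = """\
algif_aead 16384 0 - Live 0xffffffffc0a10000
af_alg 32768 1 algif_aead, Live 0xffffffffc0a00000
xfs 1781760 2 - Live 0xffffffffc0300000
"""

# Constructed sample of modules.builtin for a different host whose kernel
# compiled both modules in; such modules cannot be blacklisted or unloaded.
SAMPLE_MODULES_BUILTIN = """\
kernel/crypto/af_alg.ko
kernel/crypto/algif_aead.ko
"""


def parse_proc_modules(text):
    """Map module name -> {size, refcount, used_by} from /proc/modules text."""
    mods = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        name, size, refcount, deps = fields[:4]
        used_by = [] if deps == "-" else [d for d in deps.split(",") if d]
        mods[name] = {"size": int(size), "refcount": int(refcount), "used_by": used_by}
    return mods


def is_builtin(name, builtin_text):
    """True if modules.builtin lists the module as compiled into the kernel."""
    return any(os.path.basename(l.strip()) == f"{name}.ko" for l in builtin_text.splitlines())


def assess_module(mods, builtin_text, name="algif_aead"):
    """Decide whether modprobe configuration alone can disable the module."""
    if is_builtin(name, builtin_text):
        return {"state": "builtin", "used_by": [],
                "action": "kernel rebuild or upgrade needed; modprobe config has no effect"}
    info = mods.get(name)
    if info is None:
        return {"state": "not loaded", "used_by": [],
                "action": "add modprobe config to prevent future autoload"}
    if info["refcount"] > 0:
        return {"state": "loaded, in use", "used_by": info["used_by"],
                "action": "identify the users before unloading"}
    return {"state": "loaded, idle", "used_by": [],
            "action": "rmmod, then add modprobe config"}


def modprobe_fragment(name="algif_aead"):
    """Text for /etc/modprobe.d/<name>.conf (assumed path). 'blacklist' stops
    alias-driven autoload; 'install ... /bin/false' also fails explicit loads."""
    return f"blacklist {name}\ninstall {name} /bin/false\n"


def assess_live(name="algif_aead"):
    """Run the assessment against the running kernel (Linux only)."""
    with open("/proc/modules") as f:
        mods = parse_proc_modules(f.read())
    builtin_path = f"/lib/modules/{os.uname().release}/modules.builtin"
    builtin = open(builtin_path).read() if os.path.exists(builtin_path) else ""
    return assess_module(mods, builtin, name)


if __name__ == "__main__":
    sample = parse_proc_modules(SAMPLE_PROC_MODULES)
    print(assess_module(sample, "", "algif_aead"))            # loaded, idle
    print(assess_module(sample, SAMPLE_MODULES_BUILTIN))      # builtin
    print(modprobe_fragment(), end="")
```

Run it on a real host with `assess_live()`; the "loaded, in use" outcome is the one that needs the assessment the article refers to, since the listed users are what would break once the module is gone.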
Researchers demonstrated that a script measuring just a few hundred bytes can modify a setuid binary (a type of program that runs with elevated privileges) and ultimately grant root access. Unlike many earlier privilege escalation vulnerabilities, the exploit does not rely on race conditions or complex timing, making it both reliable and easier to execute.
Part of the problem is that the attack modifies data in the page cache rather than on disk, so standard file integrity monitoring tools may not detect the change. When the system later loads the affected binary, it executes the altered version without triggering the usual security alerts.
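To illustrate the detection gap, the following is an added example that is not from the article: it hashes a file as served through the page cache, evicts the file's cached pages with posix_fadvise(POSIX_FADV_DONTNEED) and hashes it again, so a cache-only modification shows up as a mismatch between the two digests, while a baseline digest catches changes that did reach disk. It assumes that eviction makes the next read come from backing storage, which holds for clean pages on an ordinary filesystem; on tmpfs there is no backing store, so both reads return the same data, and dirty pages are written back rather than dropped, so a legitimate pending write does not produce a false alarm. The sample tree built by make_sample_tree is constructed for the example.

```python
"""Compare a file's content as served from the page cache with its content
after the cached pages are evicted, and against a known-good digest.
Added example; not from the article."""
import hashlib
import os
import stat
import tempfile

SAMPLE_CONTENT = b"constructed sample binary contents\n"  # constructed, not a real binary


def digest_fd(fd):
    """SHA-256 of the whole file behind an open descriptor."""
    h = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while True:
        chunk = os.read(fd, 1 << 16)
        if not chunk:
            break
        h.update(chunk)
    return h.hexdigest()


def cached_vs_disk(path, baseline=None):
    """Digest the file through the cache, evict its pages, digest again.
    Assumption: after POSIX_FADV_DONTNEED the second read comes from disk."""
    fd = os.open(path, os.O_RDONLY)
    try:
        cached = digest_fd(fd)
        if hasattr(os, "posix_fadvise"):  # Linux/POSIX only; no-op elsewhere
            os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
        disk = digest_fd(fd)
    finally:
        os.close(fd)
    return {
        "cached": cached,
        "disk": disk,
        "cache_matches_disk": cached == disk,
        # The cached copy is what actually executes, so compare it to the baseline.
        "matches_baseline": None if baseline is None else cached == baseline,
    }


def find_setuid(root):
    """Yield regular files under root with the setuid or setgid bit set."""
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield p


def scan(root, baselines=None):
    """Check every setuid/setgid file under root. Returns (path, result) pairs
    where the cached copy differs from disk or from the supplied baseline."""
    baselines = baselines or {}
    findings = []
    for p in find_setuid(root):
        r = cached_vs_disk(p, baselines.get(p))
        if not r["cache_matches_disk"] or r["matches_baseline"] is False:
            findings.append((p, r))
    return findings


def make_sample_tree():
    """Create a constructed directory with one setuid file; return (root, path)."""
    root = tempfile.mkdtemp(prefix="pagecache-check-")
    path = os.path.join(root, "sample-suid")
    with open(path, "wb") as f:
        f.write(SAMPLE_CONTENT)
    os.chmod(path, 0o4755)
    return root, path


def demo():
    """Scan the constructed tree with a correct baseline (no findings expected)
    and with a wrong baseline (one finding expected)."""
    root, path = make_sample_tree()
    good = hashlib.sha256(SAMPLE_CONTENT).hexdigest()
    clean = scan(root, {path: good})
    flagged = scan(root, {path: "0" * 64})
    return {
        "found_setuid": list(find_setuid(root)) == [path],
        "clean_findings": len(clean),
        "flagged_is_path": [p for p, _ in flagged] == [path],
        "cache_matches_disk": cached_vs_disk(path)["cache_matches_disk"],
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baselines would come from the package manager's file manifests or an existing integrity database; a finding with cache_matches_disk False and matches_baseline False is the cache-only case the article describes, and dropping the cached pages does not repair it, since the binary on disk was never the problem but the machine still needs to be treated as compromised.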
The episode reinforces the need for defense-in-depth approaches that account for failures at the kernel level, an area usually considered to be secure but increasingly subject to scrutiny.