The Copy Fail vulnerability (CVE-2026-31431, CVSS 7.8) is a local privilege escalation flaw in the Linux kernel's `authencesn` cryptographic template, allowing an unprivileged user to write controlled bytes into the page cache of a readable file to modify a setuid binary and gain root access. Major distributions including Debian, Ubuntu, SUSE, and Fedora have issued patches; Red Hat has also updated its guidance to indicate prompt patching. This flaw is of particular concern for multi-tenant systems, shared-kernel containers, and CI/CD runners, as it can serve as a container escape primitive.
OSes Linux cryptographic code flaw offers fast route to root Patches land for authencesn flaw enabling local privilege escalation Thomas Claburn Thu 30 Apr 2026 // 00:01 UTC Developers of major Linux distributions have begun shipping patches to address a local privilege escalation (LPE) vulnerability arising from a logic flaw. The newly disclosed LPE, dubbed Copy Fail (CVE-2026-31431), comes from a vulnerability in the Linux kernel's authencesn cryptographic template. "An unprivileged local user can write four controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root," the writeup from security biz Theori explains. The kernel reads the page cache when it loads a binary, so modifying the cached copy amounts to altering the binary for the purpose of program execution. But doing so doesn't trigger any defenses focused on file system events like inotify . The proof of concept exploit is a 10-line, 732-byte Python script capable of editing a setuid binary to gain root on almost all Linux distributions released since 2017. Copy Fail is similar to other LPE bugs such as Dirty Cow and Dirty Pipe, but its finders claim it doesn't require winning a race condition and it's more broadly applicable. It's not remotely exploitable on its own – hence LPE – but if chained with a web RCE, malicious CI runner, or SSH compromise, it could be relevant to an external attacker. The bug is of most immediate concern to those using multi-tenant Linux systems, shared-kernel containers, or CI runners that execute untrusted code. According to Theori, the vulnerability also represents a potential container escape primitive that could affect Kubernetes nodes, because the page cache is shared across the host. AWS plants more tombstones in the application graveyard AWS keynote hypes AI as magic. Its own engineers tell a different story Microsoft's patch for a 0-day exploited by Russian spies fell short. Another Windows flaw is under attack Fedora 44 is out – countless versions of it Linux distros Debian , Ubuntu , and SUSE have issued patches for the problem, as have overseers of other distros. Red Hat initially said it was going to defer the fix but later changed its guidance to indicate it will go along with other distros and patch promptly. The CVE has been rated High severity, 7.8 out of 10 . Theori researcher Taeyang Lee identified the vulnerability, with the help of the company's AI security scanning software, Xint Code. The number of bug reports has surged in recent months, helped by AI-powered flaw-finders . Microsoft just reported the second largest number of patches ever. Dustin Childs, head of threat awareness for Trend Micro's Zero Day Initiative, expects this is due to security teams using AI to hunt bugs. "There are many things we could speculate on to justify the size, but if Microsoft is like the other programs out there (including ours), they are likely seeing a rise in submissions found by AI tools," he wrote earlier this month. AI-assisted vulnerability research recently prompted the Internet Bug Bounty (IBB) program to suspend awards until it can understand how to manage the growing volume of reports. ® Share More about Enterprise Linux Security More like these × More about Enterprise Linux Security Software Narrower topics 2FA AdBlock Plus Advanced persistent threat App Application Delivery Controller Asahi Linux Audacity Authentication BEC Black Hat BSides Bug Bounty Center for Internet Security CentOS CHERI CISO Common Vulnerability Scoring System Confluence Cybercrime Cybersecurity Cybersecurity and Infrastructure Security Agency Cybersecurity Information Sharing Act Database Data Breach Data Protection Data Theft DDoS Debian DEF CON Digital certificate Encryption End Point Protection Exploit Fedora Firewall FOSDEM GNOME Google Project Zero Grab Graphics Interchange Format Hacker Hacking Hacktivism IDE Identity Theft Image compression Incident response Infosec Infrastructure Security Jenkins Kenna Security Legacy Technology LibreOffice Linux Foundation Map Microsoft 365 Microsoft Office Microsoft Teams Mobile Device Management NCSAM NCSC One Way Forward OpenOffice Palo Alto Networks Password Personally Identifiable Information Phishing Programming Language QR code Quantum key distribution Ransomware Remote Access Trojan Retro computing REvil Rimini Street RSA Conference Search Engine Software Bill of Materials Software bug Software License Spamming Spyware Surveillance Text Editor TLS Trojan Trusted Platform Module User interface Visual Studio Visual Studio Code Vulnerability Wannacry WebAssembly Web Browser Windows Subsystem for Linux WordPress Zero trust Broader topics FOSS Linus Torvalds Operating System More about Share POST A COMMENT More about Enterprise Linux Security More like these × More about Enterprise Linux Security Software Narrower topics 2FA AdBlock Plus Advanced persistent threat App Application Delivery Controller Asahi Linux Audacity Authentication BEC Black Hat BSides Bug Bounty Center for Internet Security CentOS CHERI CISO Common Vulnerability Scoring System Confluence Cybercrime Cybersecurity Cybersecurity and Infrastructure Security Agency Cybersecurity Information Sharing Act Database Data Breach Data Protection Data Theft DDoS Debian DEF CON Digital certificate Encryption End Point Protection Exploit Fedora Firewall FOSDEM GNOME Google Project Zero Grab Graphics Interchange Format Hacker Hacking Hacktivism IDE Identity Theft Image compression Incident response Infosec Infrastructure Security Jenkins Kenna Security Legacy Technology LibreOffice Linux Foundation Map Microsoft 365 Microsoft Office Microsoft Teams Mobile Device Management NCSAM NCSC One Way Forward OpenOffice Palo Alto Networks Password Personally Identifiable Information Phishing Programming Language QR code Quantum key distribution Ransomware Remote Access Trojan Retro computing REvil Rimini Street RSA Conference Search Engine Software Bill of Materials Software bug Software License Spamming Spyware Surveillance Text Editor TLS Trojan Trusted Platform Module User interface Visual Studio Visual Studio Code Vulnerability Wannacry WebAssembly Web Browser Windows Subsystem for Linux WordPress Zero trust Broader topics FOSS Linus Torvalds Operating System TIP US OFF Send us news