A new “zero-day” vulnerability in the Linux kernel has been discovered; it is reported to have existed since 2017 and was identified with the help of the AI-based analysis tool “Xint Code.” Tracked as CVE-2026-31431 and named “Copy Fail”, the flaw allows attackers to escalate privileges and obtain “root” access on affected systems.
The vulnerability is reported to affect a number of major Linux distributions released since 2017, including Ubuntu, Amazon Linux, Red Hat Enterprise Linux, SUSE and others. Researchers state that exploitation of this flaw does not require complex mechanisms or specially crafted exploits.
It is noted that the vulnerability can be exploited using a 732-byte Python script relying on standard library modules, and that the exact same script works on every tested distribution without modification.
The root cause lies in the combination of three independent kernel changes introduced between 2011 and 2017. While none of these changes were problematic in isolation, their interaction resulted in a security flaw. As a result, an attacker can perform a controlled 4-byte modification in a setuid binary on the system. This seemingly minor change enables a user with limited privileges to gain root access.
According to researchers, the same mechanism may also pose a risk to Kubernetes environments. Since the Linux page cache is shared across all processes, including containers, a compromised pod could potentially corrupt a setuid binary on the host system and bypass tenant isolation boundaries within Kubernetes.
It is noted that, as part of the remediation, a change has been introduced in the Linux kernel affecting the “algif_aead” component. The update reverts the previously implemented in-place operation and restores out-of-place processing for cryptographic operations. Users and system administrators are advised to update the kernel and apply the relevant security patches. Organizations that cannot immediately patch should disable the “algif_aead” kernel module as a temporary mitigation measure. According to available information, this step is not expected to have a measurable impact on the vast majority of systems.
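To verify the temporary mitigation described above, the following added example (not from the researchers or the kernel project) reports whether “algif_aead” is currently loaded and whether a modprobe.d rule actually prevents it from being loaded. It treats a `blacklist` line alone as insufficient, since `blacklist` only suppresses a module's aliases and does not stop a load by module name, whereas an `install` override does. It assumes the module is built as a loadable module; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether the algif_aead mitigation is in effect.
# Assumes algif_aead is a loadable module (a built-in copy cannot be disabled this way).
MOD=algif_aead

# module_loaded FILE: succeeds if MOD is listed in a /proc/modules-format file.
module_loaded() {
    awk -v m="$MOD" '$1 == m { hit = 1 } END { exit !hit }' "$1" 2>/dev/null
}

# modprobe_rule DIR...: prints the strongest rule for MOD found in DIR/*.conf.
# "install MOD /bin/false" blocks every load; "blacklist" only ignores aliases.
modprobe_rule() {
    for d in "$@"; do cat "$d"/*.conf 2>/dev/null; done | awk -v m="$MOD" '
        { sub(/#.*/, ""); name = $2; gsub(/-/, "_", name) }
        name != m { next }
        $1 == "install" && $3 ~ /^\/(usr\/)?s?bin\/(false|true)$/ { inst = 1 }
        $1 == "blacklist" { bl = 1 }
        END { print inst ? "install" : (bl ? "blacklist" : "none") }'
}

# mitigation_state PROC_MODULES DIR...: prints loaded | blocked | blacklist-only | loadable
mitigation_state() {
    procfile=$1; shift
    if module_loaded "$procfile"; then echo loaded; return 0; fi
    case $(modprobe_rule "$@") in
        install)   echo blocked ;;
        blacklist) echo blacklist-only ;;
        *)         echo loadable ;;
    esac
}

# Constructed sample data (not taken from any real host).
SAMPLE=$(mktemp -d)
mkdir "$SAMPLE/weak" "$SAMPLE/strong"
printf 'af_alg 32768 1 algif_aead, Live 0x0\nalgif_aead 16384 0 - Live 0x0\n' > "$SAMPLE/loaded"
printf 'ext4 999424 1 - Live 0x0\n' > "$SAMPLE/clean"
printf 'blacklist algif_aead  # alias-only\n' > "$SAMPLE/weak/crypto.conf"
printf 'install algif-aead /bin/false\n' > "$SAMPLE/strong/crypto.conf"

echo "sample, module loaded:   $(mitigation_state "$SAMPLE/loaded" "$SAMPLE/strong")"
echo "sample, blacklist only:  $(mitigation_state "$SAMPLE/clean" "$SAMPLE/weak")"
echo "sample, install override: $(mitigation_state "$SAMPLE/clean" "$SAMPLE/strong")"
echo "this host: $(mitigation_state /proc/modules /etc/modprobe.d /usr/lib/modprobe.d)"
```

A result of `loaded` means the module stays in memory until it is unloaded or the system reboots, even if an `install` rule is already in place.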