“The POC exploit works out of the box today, but a future version that can escape from containers like Docker is promised soon,” writes Slashdot reader tylerni7<\/a>. “Technical details are available here<\/a>.”<\/p>\n\n\n\n https:\/\/it.slashdot.org\/story\/26\/04\/30\/207231\/new-linux-copy-fail-vulnerability-enables-root-access-on-major-distros<\/em><\/a><\/p>\n<\/blockquote>\n\n\n\n Versions 10 Total<\/p>\n\n\n\n Default Status: affected<\/p>\n\n\n\n affected<\/p>\n\n\n\n unaffected<\/p>\n\n\n\n https:\/\/www.cve.org\/CVERecord?id=CVE-2026-31431<\/em><\/a><\/p>\n<\/blockquote>\n\n\n\n https:\/\/nerds.xyz\/2026\/04\/copy-fail-linux-root-exploit\/<\/a><\/p>\n\n\n By Brian Fagioli<\/p>\n\n\n\n I\u2019m not gonna sugarcoat this one, folks. A new Linux kernel bug just dropped, and it\u2019s the kind of thing that makes you stop and stare at your screen for a second. Not because it\u2019s complicated, but because it isn\u2019t.<\/p>\n\n\n\n The vulnerability, CVE-2026-31431<\/a>, is being called \u201cCopy Fail<\/a>,\u201d and yeah, the name fits. A tiny 732-byte script can give a regular user full root access. No race conditions. No timing tricks. No crashing the system ten times hoping one sticks. It just works. Every time.<\/p>\n\n\n\n That alone would be bad enough. But it gets worse the more you read.<\/p>\n\n\n\n This isn\u2019t some obscure distro-specific issue either. It hits basically everything. Ubuntu, Amazon Linux, RHEL, SUSE. Same script, same result. You don\u2019t need to tweak offsets or rebuild anything. You just run it and suddenly you\u2019re root. That kind of reliability is rare in exploits, and it\u2019s not something you want to see.<\/p>\n\n\n\n What really makes this one feel gross is how it works. The attacker doesn\u2019t actually change files on disk. Instead, it quietly corrupts the page cache, which is what the system uses when it reads and executes files. So the file looks perfectly fine if you check it. Checksums match. Nothing appears modified. But in memory, it\u2019s been altered.<\/p>\n\n\n\n And guess what the kernel trusts? That in-memory version.<\/p>\n\n\n\n So you take something like \/usr\/bin\/su, which runs with elevated privileges, inject a few bytes into its cached copy, and then execute it. Boom. Root shell. The disk never changed, so your usual detection tools just shrug and move on.<\/p>\n\n\n\n That\u2019s the part that really stings. It\u2019s stealthy in a way that feels almost unfair.<\/p>\n\n\n\n We\u2019ve seen scary Linux bugs before. Dirty COW was messy and unreliable. Dirty Pipe was clever but limited. This one is clean. Straight-line. Predictable. It doesn\u2019t even try to hide how effective it is.<\/p>\n\n\n\n And then there\u2019s the container angle, which might be the most unsettling piece of all. Because the page cache is shared, this isn\u2019t just a local problem. In the right setup, this can jump across containers. That means a low-privilege process inside a container could potentially mess with the host or neighboring workloads. If you\u2019re running multi-tenant infrastructure, that should make your stomach drop a bit.<\/p>\n\n\n\n The root cause is basically a bad assumption in the kernel\u2019s crypto subsystem. A specific mode called authencesn writes a few bytes past where it should, and thanks to how the kernel wires things together with AF_ALG and splice, those bytes land directly in the cached contents of a file. That\u2019s it. Four bytes in the wrong place, and the whole system falls apart.<\/p>\n\n\n\n What\u2019s wild is how long this sat there. Years. Quietly. No alarms. No obvious signs. Just waiting for someone to connect the dots.<\/p>\n\n\n\n The fix is already being pushed, and it basically rips out the optimization that made this possible. Which is kind of the theme here, right? A performance tweak from years back ends up opening the door to something nasty.<\/p>\n\n\n\n So yeah, patch your systems. Immediately. Don\u2019t wait. Don\u2019t assume your distro has it handled already. Check.<\/p>\n\n\n\n Because this isn\u2019t one of those \u201cmaybe exploitable in a lab\u201d bugs. This is the opposite. It\u2019s simple, portable, and reliable. That\u2019s a bad combination.<\/p>\n\n\n\n Linux isn\u2019t broken, but moments like this are a reminder that even the stuff we trust the most can have cracks. And sometimes those cracks are just four bytes wide.<\/p>\n\n\n\n\n
\n
\n
![\"Sick](\"https:\/\/nerds.xyz\/wp-content\/uploads\/2026\/04\/Sick-penguin-Unsplash-.png\")
<\/figure>\n\n\n\n