Complex software systems can contain critical vulnerabilities that emerge from the interaction of multiple seemingly harmless components, rather than from any single flaw. The WILD Linux Root Exploit (CVE-2026-31431) demonstrates this principle: three independent kernel modifications made between 2011 and 2017 created a 9-year undetected vulnerability that allows unprivileged users to gain full root access through a simple 732-byte exploit. This vulnerability was discovered by AI-powered analysis tools (Zenode) because it was invisible to traditional component-by-component code reviews, highlighting the need for systems-level security analysis in modern software development.
Deep Dive
WILD Linux Root Exploit Found in Every Linux Distros
Something happened in 2017 that nobody noticed. A single optimization, three lines of code buried deep inside the Linux kernel's cryptographic engine, quietly shattered the most fundamental security promise any operating system can make. It did not trigger an alarm. It did not crash a single system. It did not raise one flag across nine full years of exploitation window. And while the world kept running Linux on servers, cloud infrastructure, containers, AI clusters, and government systems, this flaw was already inside all of it, sitting perfectly still, perfectly silent, perfectly dangerous.

This is copy.fail. And it changes everything you thought you knew about Linux security. There is a number that should make every Linux administrator stop what they're doing and sit down. That number is nine. Nine years. For nine full years, from 2017 all the way to the present day, every major Linux distribution shipped to every corner of the world carried inside of it a security vulnerability so clean, so precise, and so devastatingly effective that when security researchers finally documented it, they did not bury it in a corporate advisory PDF or a dry kernel mailing list thread. They gave it its own website. You can go there right now. Type copy.fail into your browser. It is real. It is live. And the vulnerability it describes, officially cataloged as CVE-2026-31431, is arguably one of the most significant privilege escalation flaws ever discovered in the Linux kernel. Not because it is the most complex vulnerability ever found. Not because it requires the most sophisticated tools or the deepest knowledge of kernel internals. Quite the opposite. It is significant precisely because of how terrifyingly simple it is and how completely it dismantles the security model that billions of devices depend on every single day.

Most security vulnerabilities of this severity come with conditions attached. They require specific kernel versions, specific hardware configurations, or specific timing windows that are notoriously difficult to hit reliably in real production environments. Researchers who specialize in kernel exploitation will tell you that most local privilege escalation bugs are messy, unpredictable, and frequently crash the system before they succeed. They require what is known in the security community as a race condition: a situation where an attacker has to win a timing battle against the operating system itself, hitting a narrow window that might stay open for only microseconds before it closes again. These kinds of exploits fail under pressure. They crash systems. They leave traces in kernel logs. They are difficult to weaponize reliably at scale. But copy.fail does none of that.

The team that discovered it described it in a single phrase that should be engraved on the wall of every security operations center on the planet: straight-line logic flaw. No race condition, no timing window, no retries, no crashes, no kernel-specific offsets to calculate. It just works, every single time, on every distribution, against every configuration. And it does all of this with a Python script that is exactly 732 bytes long. Think carefully about what that means. 732 bytes. That is smaller than most email signatures. That is smaller than the average thumbnail image loaded on a web page. That is a script so small it fits inside a single text message with room to spare. And with that script, on any Linux system built between 2017 and the patch date, which covers essentially the entire modern Linux ecosystem as it exists in production today, an attacker with nothing more than a regular unprivileged user account can elevate themselves to full root access. Not limited root, not partial administrative access with certain syscalls blocked. Full, unrestricted, complete control over the entire system. The kind of access that lets you read every file, modify every configuration, delete every log, install anything you want, intercept every network connection, and do all of it while the system's security tools sit there entirely unaware that anything unusual has taken place.

Because here is the part that makes copy.fail genuinely alarming beyond the privilege escalation itself. The real file sitting on disk is never touched. Not a single byte changes on the physical storage medium. The entire attack happens in memory, in what the Linux kernel calls the page cache.
The page cache is the operating system's in-memory representation of files, and when the attack is done, the disk still shows exactly what it always showed. Any file integrity monitoring system checking the disk sees nothing wrong. Any security scanner examining the binary sees the original unmodified file. The forensic trail is essentially non-existent. The attacker is root. The system appears completely clean. And without specialized memory forensics tools, nobody will ever know what happened.

To understand why copy.fail exists at all, you have to travel back further than 2017. You have to understand that this vulnerability was not born from a single careless mistake. It was not the result of one developer writing one reckless line of code on a Friday afternoon. What makes copy.fail genuinely fascinating from a security research perspective, and genuinely terrifying from an operational security perspective, is that it emerged from the accumulated interaction of three completely separate, individually reasonable engineering decisions made across a six-year period. Each decision made perfect sense when it was made. Each change was reviewed, tested, discussed, and merged into the mainline kernel by experienced developers who had no reason to suspect that anything dangerous was being introduced. And yet when you look at all three of them together, through the lens of what they created, what you see is something that should profoundly disturb anyone responsible for the security of Linux infrastructure.

The story begins in 2011. The Linux kernel development team was working on the cryptographic subsystem, specifically on a feature called AEAD, authenticated encryption with associated data, and within that a component handling 64-bit extended sequence numbers. The key technical detail for our purposes is this: in order to make certain cryptographic operations more efficient, the developers introduced a mechanism that allowed the crypto system to temporarily write data into memory as a kind of scratch space, a staging area, a place to hold intermediate results before the final output was produced. At the time this was added, it was entirely and demonstrably safe. The scratch space was isolated from the rest of the system. Nothing could reach into it from outside and use it in a dangerous way. This is a completely standard engineering pattern used in cryptographic implementations across the industry. And in 2011, it behaved exactly as safely as it appeared to. But it was also, unknowingly, the first piece of what would eventually become copy.fail.

Four years later, in 2015, a second significant component was added to the Linux kernel's cryptographic infrastructure. This was AF_ALG, the algorithm socket interface, which gave unprivileged user space applications the ability to interact directly with the kernel's cryptographic functions without needing administrator privileges. This was a genuinely useful addition to the kernel. It allowed applications to offload expensive cryptographic operations to the kernel, reducing code duplication and improving performance across the system. It also gave those applications the ability to use file data stored in the page cache as the input for cryptographic operations, which enabled some powerful and legitimate use cases. But here's the critical detail about the state of the system in 2015. Even though AF_ALG could now work with page cache data, the writable scratch space introduced in 2011 was still completely isolated from that data. The two pieces existed in the same cryptographic subsystem, but they did not connect to each other in a dangerous way. The attack surface that would eventually become copy.fail did not yet exist. The system was still safe.

Then came 2017, and with it the third and final piece. In pursuit of performance optimization, a completely legitimate engineering goal that drives enormous amounts of kernel development, a new variant of the AEAD implementation was introduced. This optimization changed something fundamental about how memory was managed in the cryptographic processing pipeline. It allowed the input and output of certain operations to share the same memory region. Instead of maintaining separate allocations for input data and output data, the optimized implementation reused the same memory area for both read and write operations, in a pattern called in-place processing. In the vast majority of contexts, this is a harmless and beneficial optimization. But in this specific code path, it had a consequence that nobody caught. The in-place optimization connected the writable scratch space from 2011 to the page cache data from 2015. The output side of certain cryptographic operations, which had had that dangerous writability baked into it since the AEAD work 6 years earlier, could now write directly back into page cache pages. And page cache pages represent the in-memory content of real files. Files like /usr/bin/su: files owned by root, files that execute with root privileges when run by any user on the system.

What researchers discovered when they finally analyzed these three pieces together was that the kernel's own cryptographic subsystem had been providing a mechanism to modify any readable file's in-memory representation since 2017. Not through any intentional backdoor, not through any reckless decision, but through the silent, invisible accumulation of three independent engineering choices, none of which were wrong in isolation, but whose combination produced something catastrophically dangerous. This is what security researchers call an emergent vulnerability: a flaw that does not exist in any single component but emerges from the way multiple components interact with each other across the system.
Emergent vulnerabilities are the most difficult class of security bugs to find, because no individual code review, no matter how thorough, can catch them without analyzing the entire system simultaneously across its full development history. And this is precisely why the tool that finally found copy.fail was not a human researcher. It was artificial intelligence. The discovery of copy.fail represents something genuinely new in the history of software security research. The vulnerability was identified by a team using a platform called Zenode, an AI-powered security analysis tool designed to automatically scan large code bases by analyzing not just individual functions or files, but the relationships and interactions between components across an entire system over time. The human researcher who initiated the investigation was Tyang Lee, who had been studying the interaction between the Linux kernel's cryptographic subsystem and the page cache mechanism and had a theoretical intuition that the intersection of these two systems might be worth examining carefully. Manually auditing the entire crypto subsystem across its full development history would have required months of work for an experienced team of kernel security researchers. Using Zenode, Lee was able to scale that analysis across the complete subsystem in a fraction of that time. And copy.fail was the most critical finding produced by that analysis, a designation that is worth pausing on because it implies that copy.fail was not the only finding.

The mechanics of how an attacker actually executes the exploit are worth understanding in detail, because the simplicity of the attack path is central to why this vulnerability is so dangerous. The attack begins with something that any regular user account on any Linux system can do without any special permissions whatsoever: opening an AF_ALG socket. This is the interface added in 2015 that allows user space applications to access the kernel's cryptographic functions. Opening this socket requires no administrator privileges, no special configuration, no exploitation of any other vulnerability. It is available by default on essentially every mainstream Linux distribution, because the kernel module that implements it is compiled into the default configuration that all major distributions ship. Any user who can log into a Linux system can open this socket. A web application running with highly restricted permissions can open the socket. A process running inside a container can open the socket. This is the entry point into the exploit, and it requires nothing.

Once the AF_ALG socket is open, the attacker selects a specific cryptographic mode that exercises the AEAD code path containing the writable scratch space from 2011, and sets up the socket for what appears to the kernel to be a completely normal cryptographic operation. The target file is then identified. In the proof-of-concept exploit released alongside the vulnerability disclosure, the target is /usr/bin/su, the standard Unix utility that allows users to switch accounts, which is always present on Linux systems with the setuid bit set, meaning it executes with root privileges regardless of who runs it. The attacker then prepares a payload, a carefully crafted modification to the su binary's in-memory code, delivered through the crypto socket in four-byte increments using the kernel's own scatter-gather interface. Four bytes at a time: patient, methodical, and completely invisible to file system monitoring tools, because not a single write is going to the disk. When the attacker triggers the exploit operation through the AF_ALG socket, the kernel processes what it believes to be a legitimate cryptographic request. But because of the 2017 in-place optimization, the output of the operation is written back into the same memory region that holds the page cache copy of /usr/bin/su.

The kernel, faithfully executing what it believes to be a standard crypto computation, has just modified the in-memory representation of a root-owned setuid binary based entirely on attacker-controlled data. The disk copy of su is completely unchanged. The file's metadata is unchanged. The file's cryptographic hash, if checked against the disk, produces the expected result. But the copy of su that lives in the kernel's page cache, the copy that will actually be loaded and executed when any user runs the su command, now contains injected attacker code. When the attacker runs su, the kernel executes the modified page cache version. The injected code runs with full root privileges, and the attacker becomes root. The attack is complete in seconds, and the system looks perfectly normal.
The detection problem that copy.fail creates is not an academic concern. It is a genuine operational crisis for anyone responsible for monitoring the security of a Linux environment at scale. Traditional endpoint security tools, file integrity monitors, antivirus engines, and security information and event management platforms are built on an assumption that has been foundational to Linux security for decades: that malicious modifications to system binaries will be reflected on disk. These tools monitor inode changes, file hashes, and modification timestamps. They watch for unauthorized writes to sensitive directories. They look for known malicious code signatures in files. Copy.fail bypasses every single one of these detection mechanisms completely, because it never touches the disk. The attack surface exists entirely in memory, and the security industry has not built the monitoring infrastructure to inspect the page cache for unauthorized modifications at scale. There are no standard file system audit events generated by a page cache modification. There is no write call to a file. There is no permission change, no ownership change, no modification timestamp update. The traces of the attack exist only in kernel memory, and most security monitoring tools are simply not instrumented to look there.

The container escape dimension of copy.fail transforms an already serious local privilege escalation into something of a completely different threat category. Modern cloud infrastructure is built on a foundational assumption that containers provide meaningful isolation between workloads. This assumption underlies the entire architecture of Kubernetes clusters, container-based CI/CD pipelines, multi-tenant application platforms, and serverless computing environments. The isolation is real for most threat models, but it has a critical dependency. The Linux kernel's page cache is shared across every container running on the same host. There is one page cache per kernel instance, and every container on that host reads from and writes to the same one. Copy.fail exploits this shared resource. A process running inside a container, even a container with a restrictive seccomp profile, a read-only file system, and dropped capabilities, can use the AF_ALG interface to modify the page cache of root-owned binaries on the host system. From inside a container, an attacker can escape to the host. From the host, they can access the container runtime, Kubernetes node credentials, secrets from other pods, and the broader cluster infrastructure. The attack does not just break one container's isolation. It breaks the entire isolation model of the host.

The timeline of how this vulnerability moved from discovery to public disclosure is itself instructive. Tyang Lee and the Zenode research team reported copy.fail to the Linux kernel security team on March 23rd, 2025. The security team acknowledged the report the following day. By March 25th, 48 hours after initial disclosure, patches had been proposed and were already under active review by kernel maintainers. By April 1st, 2025, those patches had been committed to the mainline Linux kernel. 9 days from first report to mainline patch, for a vulnerability of this severity affecting a code base of 30 million lines of code. By the standards of enterprise software, that is a remarkably fast response.

The technical fix is conceptually elegant in its simplicity: enforce strict separation between the memory used for cryptographic input and the memory used for cryptographic output, so that the kernel's crypto operations can never write back into page cache pages under any circumstances. The optimization from 2017 is reverted. The dangerous code path is closed. The vulnerability is fixed at the kernel level. But a kernel patch merged into mainline Linux is not the same thing as a fixed system. This distinction is critical and consistently underappreciated in the public conversation around vulnerability disclosures. After the mainline patch, distribution maintainers need to backport the fix to their supported kernel versions, build updated packages, run them through their testing pipelines, and push them out to users. Enterprise Linux distributions that maintain older kernel branches for stability guarantees, the kind running on the majority of the world's production servers, need to do this for each supported kernel version independently. This takes time, and in the gap between the mainline patch and the distribution patch landing on production systems, every unpatched Linux host remains fully exploitable.

More pressingly, copy.fail was disclosed publicly with a working proof-of-concept exploit. The 732-byte Python script is documented. The attack path is explained. The vulnerability has its own website. The time between a public disclosure with a working PoC and that exploit appearing in automated attack frameworks is historically measured in hours to days, not weeks. For organizations that cannot immediately patch every system (and in any large enterprise environment there are always systems that cannot immediately be patched, for entirely legitimate reasons involving change control, application compatibility, and maintenance windows), the research team provides layered interim mitigations. The most impactful is disabling the AF_ALG kernel module, which removes the entry point for the exploit without requiring a kernel update. For containerized and multi-tenant environments, implementing seccomp profiles that block AF_ALG socket creation is recommended regardless of whether the host kernel has been patched, both as defense in depth and as protection against additional vulnerabilities in the same code path that may not yet have been publicly disclosed. The research team's report on copy.fail covers the most critical finding from their analysis of the crypto subsystem. It does not claim to cover all findings.

The broader significance of copy.fail extends far beyond the immediate task of patching Linux systems. It is a case study in the fundamental limitations of how large software systems are reviewed for security. The Linux kernel is one of the most carefully maintained, most extensively reviewed, most thoroughly tested code bases in existence. It has a dedicated security response team, a responsible disclosure policy, continuous automated fuzzing, and contributions from thousands of professional developers employed by the largest technology companies in the world. And a critical privilege escalation vulnerability survived nine years of that scrutiny, not because the process failed, but because the vulnerability was invisible to any process that could only examine one component at a time. The security research community has known for years that emergent vulnerabilities, flaws that live in the interactions between components rather than within any single component, are both systematically underexplored and disproportionately dangerous. Copy.fail is the clearest proof yet that this problem is real, consequential, and not going to solve itself without fundamentally different analysis methods. This is where the discovery of copy.fail becomes a signal about the trajectory of security research itself.
An AI-powered analysis platform found a 9-year-old critical vulnerability in the most audited open-source codebase in the world. That is not a minor data point. That is a proof of concept for an entirely different way of approaching software security at scale. The Linux kernel's 30 million lines of code, accumulated across decades of development by thousands of contributors, contain interactions between subsystems too numerous and too complex for any human team to fully map through manual analysis. But those interactions are exactly the kind of structured, analyzable, historically traceable data that machine learning systems can work with at a scale and speed that human researchers simply cannot match. If copy.fail had been discovered 10 years ago, it would have been the result of months of painstaking manual code archaeology by an exceptionally skilled human researcher. The fact that it was found in 2025 through AI-assisted analysis is a signal about what the next decade of vulnerability research is going to look like, both for defenders and for the adversaries they are up against.

And that is the part of this story that deserves the most careful thought. If an AI-assisted security research platform operating with responsible disclosure policies found copy.fail in 2025, the question that follows immediately and uncomfortably is: what has a better-resourced actor with different incentives already found and chosen not to disclose? Nation state threat actors, the advanced persistent threat groups operated by governments with significant intelligence and offensive cyber budgets, have been investing in automated vulnerability research for years. They operate under a fundamentally different set of priorities than responsible disclosure researchers. They are not looking for vulnerabilities to report and patch. They are building stockpiles of capabilities to use quietly against specific targets for as long as the vulnerability remains unknown to defenders. A vulnerability with the profile of copy.fail, affecting essentially every Linux system in the world, requiring only an unprivileged local account, leaving no disk traces, working reliably across all distributions, and capable of escaping container isolation, is precisely the kind of capability a nation state threat actor would want to keep undisclosed and operational for as long as possible. And the deeply uncomfortable reality is that there is no way to know whether someone with those resources and those motivations found this first.

The XZ backdoor incident, which became public in 2024, provides a reference point that makes this question feel less theoretical. That incident involved a sophisticated, patient actor who spent years building a reputation and trust within the open source development community before successfully introducing a deliberately crafted backdoor into the XZ compression library, a component that ships with and is depended upon by an enormous number of Linux systems and applications. The backdoor was specifically designed to enable remote authentication bypass on systems running a vulnerable version of OpenSSH linked against the compromised library. It was caught almost entirely by accident, when an engineer noticed unexpected CPU usage during what should have been a lightweight operation. Had it not been caught when it was, it would have given the attacker silent remote access to an enormous number of systems worldwide.

Now hold that image alongside copy.fail. A remote code execution capability sufficient to gain initial access to a system, combined with a local privilege escalation that works on every Linux distribution, requires no special conditions, leaves no disk traces, and can escape container isolation. That is a complete end-to-end attack chain from the internet to root access on any Linux system, without leaving a forensic trail that standard security tools can detect. The combination is not hypothetical. Both pieces existed simultaneously. Whether anyone combined them before the disclosures is a question that cannot currently be answered.

The patch exists. The fix is sound. The Linux kernel security ecosystem responded with remarkable speed. The open source model, for all the questions this vulnerability raises, ultimately delivered what it is designed to deliver: public disclosure, public review, public fix. That matters. But patching copy.fail closes one door. The AI analysis tools that found it are still running. The crypto subsystem has not been fully cleared. The research that produced this disclosure explicitly described copy.fail as the most critical finding in a larger report. Not the only finding, the most critical one. And across the 30 million lines of code in the Linux kernel, across decades of accumulated engineering decisions that seemed individually reasonable and may have interacted in ways that nobody has yet analyzed, the question of what else is waiting to be found is one that the security community is now more equipped to ask than at any previous point in its history. Whether the answer arrives through responsible disclosure or through an incident that reveals it in a far less controlled way is the uncertainty that nobody in this field can currently resolve. Copy.fail is found. The next one is not. And that race between the tools that find these things and the actors waiting to use them is the defining security challenge of the infrastructure decade we are living through right
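The two interim mitigations the narration describes, disabling the AF_ALG kernel module and blocking AF_ALG socket creation with seccomp, written out as an added shell example; this is not code from the video, the copy.fail site or the Zenode team. It assumes the mainline module names (af_alg, algif_*), the AF_ALG address family number 38 from the kernel's socket headers, and the Docker/containerd seccomp JSON format; the function and file names are the example's own, and the /proc/modules-style input in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the video or the copy.fail research team): the
# interim mitigations as reusable functions. Assumptions: mainline module
# names af_alg/algif_*, AF_ALG = 38 (include/linux/socket.h), Docker-style
# seccomp JSON. Usage: . this file, then afalg_status; as root,
# write_afalg_modprobe_conf and modprobe -r algif_aead algif_hash \
#   algif_skcipher algif_rng af_alg; write_afalg_seccomp_profile out.json
set -eu

# AF_ALG socket address family number.
AF_ALG_FAMILY=38

# Print the af_alg-related modules listed in a /proc/modules-format file.
# The path parameter lets the check run against a constructed sample offline.
afalg_modules_loaded() {
    modules_file="${1:-/proc/modules}"
    awk '$1 == "af_alg" || $1 ~ /^algif_/ { print $1 }' "$modules_file"
}

# Write a modprobe.d config that keeps the user-space crypto API modules from
# loading. "install <mod> /bin/false" also defeats an explicit modprobe, which
# a plain "blacklist" line (auto-load only) does not.
write_afalg_modprobe_conf() {
    conf="${1:-/etc/modprobe.d/disable-af_alg.conf}"
    {
        echo "# Interim copy.fail mitigation: disable the AF_ALG user-space crypto API"
        for m in af_alg algif_aead algif_hash algif_skcipher algif_rng; do
            echo "blacklist $m"
            echo "install $m /bin/false"
        done
    } > "$conf"
}

# Emit a minimal seccomp profile fragment that makes socket(AF_ALG, ...) fail
# with EPERM. It is meant to be merged into the runtime's default profile; on
# its own it allows every other syscall. 32-bit x86 multiplexes socket()
# through socketcall(), which this single rule does not cover.
write_afalg_seccomp_profile() {
    out="${1:-/dev/stdout}"
    cat > "$out" <<EOF
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "args": [
        { "index": 0, "value": ${AF_ALG_FAMILY}, "op": "SCMP_CMP_EQ" }
      ]
    }
  ]
}
EOF
}

# Status check: returns 0 when no af_alg modules are loaded, 1 otherwise.
# A kernel built with CONFIG_CRYPTO_USER_API=y never lists a module, so also
# check /boot/config-$(uname -r) before concluding the interface is absent.
afalg_status() {
    loaded=$(afalg_modules_loaded "${1:-/proc/modules}" | tr '\n' ' ')
    if [ -n "$loaded" ]; then
        echo "AF_ALG modules loaded: $loaded"
        return 1
    fi
    echo "no af_alg modules loaded"
    return 0
}
```

Unload the modules only after confirming nothing on the host legitimately uses the kernel crypto API; where the interface is built in rather than modular, only the kernel patch or the seccomp rule closes the entry point.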