Copy Fail CVE-2026-31431: 732-byte Linux privilege escalation

Original: Copy Fail

Why This Matters

Copy Fail demonstrates a critical infrastructure vulnerability affecting nearly all Linux systems.

Copy Fail (CVE-2026-31431) is a 732-byte Python exploit that achieves 100% reliable privilege escalation on all mainstream Linux distributions since 2017. The bug chains through authencesn, AF_ALG, and splice() for page cache writes.

Copy Fail exploits a logic flaw in the Linux kernel's authencesn component, chaining through AF_ALG and splice() to perform unauthorized page cache writes. The 732-byte Python script works identically across all major distributions including Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16. Unlike typical Linux privilege escalation exploits that require race conditions or kernel-specific offsets, Copy Fail uses straight-line logic requiring only an unprivileged user account. High-risk scenarios include multi-tenant hosts, Kubernetes clusters, CI runners, and cloud SaaS platforms where the exploit enables cross-tenant compromise. The vulnerability affects kernels built between 2017 and recent patches, with the kernel crypto API (AF_ALG) enabled by default in mainstream distributions.
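For triaging the multi-tenant hosts listed above, the following added example (not code from the original page or from the Copy Fail authors) inventories whether the AF_ALG interface and authencesn are reachable on a host. The function names are hypothetical and the sample inputs are constructed; a positive result shows that the interface is exposed, not that the kernel is unpatched.

```python
import socket

# Constructed samples in /proc/crypto and /proc/modules format (not from a real host).
SAMPLE_CRYPTO = """\
name         : authencesn(hmac(sha256),cbc(aes))
driver       : authencesn(hmac-sha256-generic,cbc-aes-generic)
module       : authencesn
type         : aead

name         : cbc(aes)
driver       : cbc-aes-generic
module       : kernel
type         : skcipher
"""
SAMPLE_MODULES = "algif_aead 16384 0 - Live 0x0\naf_alg 32768 1 algif_aead, Live 0x0\n"

def parse_proc_crypto(text):
    """Return one dict per algorithm block; blocks are separated by blank lines."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if line.strip():
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
        elif cur:
            entries.append(cur)
            cur = {}
    return entries

def authencesn_instances(text):
    """Names of instantiated authencesn templates. An empty list is not proof of
    absence: the kernel instantiates templates on first request."""
    return [e["name"] for e in parse_proc_crypto(text)
            if e.get("name", "").startswith("authencesn(")]

def loaded_alg_modules(text):
    """AF_ALG-related loadable modules in /proc/modules (built-in code is not listed)."""
    watched = {"af_alg", "algif_aead", "authencesn"}
    return sorted(watched & {l.split()[0] for l in text.splitlines() if l.strip()})

def af_alg_reachable():
    """True if the current account can create an AF_ALG socket."""
    try:
        socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0).close()
        return True
    except (AttributeError, OSError):
        return False

if __name__ == "__main__":
    print("AF_ALG socket creatable:", af_alg_reachable())
    print("authencesn instances:", authencesn_instances(open("/proc/crypto").read()))
    print("loaded modules:", loaded_alg_modules(open("/proc/modules").read()))
```

Run it as the same unprivileged account a tenant workload or CI job would use, since socket creation can be filtered per process (for example by a seccomp profile) even when the modules are present.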

Source

copy.fail