Overview
- Security firm Theori disclosed Copy Fail (CVE-2026-31431) along with a 732-byte Python script that flips four chosen bytes in a cached setuid binary’s memory to hand a root shell to any local user.
- Major Linux distributions began issuing kernel updates that include the upstream fix, which reverts a 2017 in‑place optimization in the crypto path so page‑cache pages no longer land in a writable destination list.
- Admins who cannot patch right away are advised to disable the algif_aead module or block creation of AF_ALG sockets with seccomp, which does not break common uses like SSH, dm-crypt/LUKS, or typical TLS stacks.
- The flaw is not remote by itself but is high risk for multi-tenant systems, container clusters, and CI runners because the page cache is shared across the host and a single compromised user space process can affect others.
- The bug traces to a logic error in the authencesn AEAD template introduced by changes culminating in 2017, carries a CVSS score of 7.8, and was identified by Theori’s Xint Code team using AI-assisted code scanning.