Full Report
The exploit, dubbed CopyFail and tracked as CVE-2026-31431, allows hackers to take over PCs and data center servers. The Linux vulnerabilities have been patched—but many machines remain at risk.
Analysis Summary
# Vulnerability: CopyFail Local Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2026-31431
- **CVSS Score:** Critical (Exact score not specified, but characterized as "the worst Linux vulnerability in years")
- **CWE:** CWE-681 (Incorrect Conversion between Numeric Types) / CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) — specifically a "straight-line" logic flaw.
## Affected Systems
- **Products:** Linux Kernel; affects virtually all major distributions including Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6, Debian 12, and Windows Subsystem for Linux (WSL2).
- **Versions:** Virtually all releases of Linux prior to the patched versions.
- **Configurations:** Multi-tenant systems, Kubernetes/container environments, CI/CD workflows, and hosted servers.
## Vulnerability Description
Dubbed **CopyFail**, this flaw resides in the Linux kernel’s crypto API, specifically within the `authencesn` AEAD (Authenticated Encryption with Associated Data) template used for IPsec extended sequence numbers.
The vulnerability is a logic flaw: while processing an `authencesn` request, the kernel fails to copy data to the intended destination buffer and instead uses the caller's destination buffer as a "scratch pad," producing an out-of-bounds write of 4 bytes beyond the legitimate output region. Because this is a straight-line logic error rather than a race condition or complex memory corruption, exploitation is stable and predictable across architectures and distributions.
## Exploitation
- **Status:** PoC available (released by Theori); high risk of exploitation in the wild.
- **Complexity:** Low (exploitation is deterministic rather than probabilistic; the same script works across distributions without modification).
- **Attack Vector:** Local (Requires initial access as an unprivileged user).
## Impact
- **Confidentiality:** High (Full access to all files and system data).
- **Integrity:** High (Ability to install backdoors and modify system files).
- **Availability:** High (Full control over system processes and the ability to pivot to other systems/containers).
## Remediation
### Patches
The Linux kernel security team has released patches in the following versions:
- Linux 7.0
- Linux 6.19.12
- Linux 6.18.12
- Linux 6.12.85
- Linux 6.6.137
- Linux 6.1.170
- Linux 5.15.204
- Linux 5.10.254
### Workarounds
No specific configuration workarounds are mentioned; immediate kernel updates are the recommended course of action. Administrators should prioritize patching shared infrastructure (Kubernetes nodes, shared hosting).
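As an added example (not code from the advisory or from the Theori research), the shell functions below compare a kernel version string against the fixed upstream releases listed under Patches. They assume that a stable branch with no fixed release in that list is unpatched, and they cannot see vendor backports that leave the upstream version string unchanged, so a "below a fixed release" result is a prompt to check the distribution's own advisory, not a confirmed exposure.

```shell
#!/bin/sh
# Added example: heuristic kernel-version check against the fixed releases the
# advisory lists for CVE-2026-31431 (CopyFail). Distribution kernels often
# backport fixes without bumping the upstream version, so "not patched" here
# means "confirm against your vendor's advisory", not a confirmed exposure.

# Minimum fixed upstream releases, copied from the advisory's patch list.
COPYFAIL_FIXED_VERSIONS="6.19.12 6.18.12 6.12.85 6.6.137 6.1.170 5.15.204 5.10.254"

# kver_fields <version-string>: set MAJOR MINOR PATCH from strings such as
# "6.1.0-28-amd64" or "5.15.204-1.el8"; returns 1 if the string is not parseable.
kver_fields() {
    v=${1%%[-+_]*}                      # drop the distro/local suffix
    IFS=. read -r MAJOR MINOR PATCH _ <<EOF
$v
EOF
    PATCH=${PATCH:-0}                   # "6.1" is treated as 6.1.0
    case "$MAJOR$MINOR$PATCH" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ -n "$MAJOR" ] && [ -n "$MINOR" ]
}

# copyfail_patched <version-string>: returns 0 if the version is at or above the
# fixed release for its stable branch (or is 7.0+), 1 otherwise. A branch with no
# fixed release in the list above is treated as unpatched (our assumption).
copyfail_patched() {
    kver_fields "$1" || return 1
    [ "$MAJOR" -ge 7 ] && return 0      # Linux 7.0 and later carry the fix
    for fixed in $COPYFAIL_FIXED_VERSIONS; do
        fmaj=${fixed%%.*}; frest=${fixed#*.}; fmin=${frest%%.*}; fpat=${frest#*.}
        if [ "$MAJOR" -eq "$fmaj" ] && [ "$MINOR" -eq "$fmin" ]; then
            if [ "$PATCH" -ge "$fpat" ]; then return 0; else return 1; fi
        fi
    done
    return 1
}

# copyfail_report <version-string>: human-readable verdict; always returns 0.
copyfail_report() {
    if copyfail_patched "$1"; then
        echo "$1: at or above the fixed upstream release for CVE-2026-31431"
    else
        echo "$1: below a fixed release or on an unlisted branch; check the vendor advisory"
    fi
    return 0
}

copyfail_report "${1:-$(uname -r)}"
```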
## Detection
- **Indicators of Compromise:** Unusual elevation of privileges by unprivileged service accounts (e.g., `www-data`).
- **Detection methods and tools:** Monitoring for unauthorized `root` terminal sessions and auditing kernel crypto API calls if high-level logging is enabled. Security teams should scan environments for the presence of the `copy.fail` PoC script.
## References
- **Theori Research:** hxxps://copy[.]fail/
- **Kernel Mitigations:** hxxps://github[.]com/torvalds/linux/commit/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5
- **Stable Kernel Updates:** hxxps://git[.]kernel[.]org/stable/c/ce42ee423e58dffa5ec03524054c9d8bfd4f6237
- **Security Researcher Blog:** hxxps://jorijn[.]com/en/blog/copy-fail-cve-2026-31431-linux-kernel-bug-explained/