Linux cryptographic code flaw offers fast route to root
Patches land for authencesn flaw enabling local privilege escalation
https://hackread.com/linux-kernel-vulnerability-copy-fail-full-root-access/
Developers of major Linux distributions have begun shipping patches to address a local privilege escalation (LPE) vulnerability arising from a logic flaw.
The newly disclosed LPE, dubbed Copy Fail (CVE-2026-31431), stems from a logic flaw in the Linux kernel's authencesn cryptographic template, the AEAD construction that implements ESP with extended sequence numbers for IPsec.
"An unprivileged local user can write four controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root," the writeup from security biz Theori explains.
The kernel executes a binary from its page cache copy, so modifying that cached copy changes what runs without the file on disk ever being written. Because nothing passes through the normal write path, defenses keyed on file system events, such as inotify watchers, see nothing.
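One check a practitioner could run against this class of tampering, added here as an example and not part of the article or of Theori's writeup: read a file twice, once through the page cache (the copy execve() uses) and once with O_DIRECT (straight from the backing device), and flag any difference. It assumes Linux, a filesystem that honours O_DIRECT, and that the tampered pages are not marked dirty (otherwise writeback would carry them to disk and the two views would agree); the program name and paths in the usage line are placeholders.

```c
/* Added example: compare the page-cache view of a file with its on-disk
 * view. Not code from the article or from Theori. Assumes Linux and a
 * filesystem that supports O_DIRECT (tmpfs and some overlays refuse it). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_DIRECT
#define O_DIRECT 040000 /* generic/x86/arm64 value, fallback only */
#endif

#define DIRECT_ALIGN 4096 /* buffer alignment and size multiple O_DIRECT needs */

enum view_result { VIEW_MATCH = 0, VIEW_MISMATCH = 1, VIEW_UNSUPPORTED = -1 };

/* Compare two byte views of the same file. On a difference, *first_diff gets
 * the offset of the first differing byte; a length difference counts as a
 * difference at the shorter length. */
enum view_result compare_views(const unsigned char *a, size_t alen,
                               const unsigned char *b, size_t blen,
                               size_t *first_diff)
{
    size_t n = alen < blen ? alen : blen;
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            if (first_diff) *first_diff = i;
            return VIEW_MISMATCH;
        }
    }
    if (alen != blen) {
        if (first_diff) *first_diff = n;
        return VIEW_MISMATCH;
    }
    return VIEW_MATCH;
}

/* Read a whole file into a freshly allocated, DIRECT_ALIGN-aligned buffer.
 * With O_DIRECT in flags the data comes from the backing device (the kernel
 * first flushes any legitimately dirty pages, so honest writes still agree);
 * without it the read is served from the page cache. Returns bytes read or -1. */
static ssize_t slurp(const char *path, int flags, unsigned char **out)
{
    int fd = open(path, O_RDONLY | flags);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    /* Round capacity up to a multiple of DIRECT_ALIGN, as O_DIRECT requires. */
    size_t cap = ((size_t)st.st_size + DIRECT_ALIGN) & ~(size_t)(DIRECT_ALIGN - 1);
    unsigned char *buf = NULL;
    if (posix_memalign((void **)&buf, DIRECT_ALIGN, cap) != 0) { close(fd); return -1; }
    size_t got = 0;
    while (got < (size_t)st.st_size) {
        ssize_t r = read(fd, buf + got, cap - got);
        if (r < 0) { free(buf); close(fd); return -1; }
        if (r == 0) break; /* EOF */
        got += (size_t)r;
    }
    close(fd);
    *out = buf;
    return (ssize_t)got;
}

/* VIEW_MATCH, VIEW_MISMATCH (with *first_diff set), or VIEW_UNSUPPORTED when
 * either read fails, typically because the filesystem rejects O_DIRECT. */
enum view_result page_cache_matches_disk(const char *path, size_t *first_diff)
{
    unsigned char *cached = NULL, *direct = NULL;
    ssize_t clen = slurp(path, 0, &cached);
    ssize_t dlen = slurp(path, O_DIRECT, &direct);
    enum view_result res = VIEW_UNSUPPORTED;
    if (clen >= 0 && dlen >= 0)
        res = compare_views(cached, (size_t)clen, direct, (size_t)dlen, first_diff);
    free(cached);
    free(direct);
    return res;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/binary...\n", argv[0]);
        return 2;
    }
    int bad = 0;
    for (int i = 1; i < argc; i++) {
        size_t off = 0;
        switch (page_cache_matches_disk(argv[i], &off)) {
        case VIEW_MATCH:
            printf("%s: page cache matches disk\n", argv[i]);
            break;
        case VIEW_MISMATCH:
            printf("%s: MISMATCH at byte %zu (page cache differs from disk)\n", argv[i], off);
            bad = 1;
            break;
        default:
            printf("%s: cannot compare (%s)\n", argv[i], strerror(errno));
            break;
        }
    }
    return bad;
}
```

Typical use would be to point it at the setuid binaries on a host (for instance `./pc_check $(find / -perm -4000 -type f 2>/dev/null)`, with `pc_check` standing in for whatever the compiled program is named). It only catches page-cache tampering that has not been written back, and a mismatch is evidence, not a cure: once the kernel is patched, a reboot is the sure way to discard a poisoned cached copy, since mapped pages survive `drop_caches`.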
The proof-of-concept exploit is a 10-line, 732-byte Python script that patches a setuid binary in the page cache to gain root on almost all Linux distributions released since 2017.
Copy Fail is similar to other LPE bugs such as Dirty Cow and Dirty Pipe, but its finders claim it doesn't require winning a race condition and it's more broadly applicable.
It's not remotely exploitable on its own – hence LPE – but if chained with a web RCE, malicious CI runner, or SSH compromise, it could be relevant to an external attacker. The bug is of most immediate concern to those using multi-tenant Linux systems, shared-kernel containers, or CI runners that execute untrusted code.
According to Theori, the vulnerability also represents a potential container escape primitive that could affect Kubernetes nodes, because the page cache is shared across the host.
Linux distros Debian, Ubuntu, and SUSE have issued patches for the problem, as have overseers of other distros.
Red Hat initially said it was going to defer the fix but later changed its guidance to indicate it will go along with other distros and patch promptly.
The CVE carries a CVSS score of 7.8 out of 10, rated High severity.
Theori researcher Taeyang Lee identified the vulnerability, with the help of the company's AI security scanning software, Xint Code.
The number of bug reports has surged in recent months, helped by AI-powered flaw-finders; Microsoft's latest monthly release was its second-largest batch of patches ever.
Dustin Childs, head of threat awareness for Trend Micro's Zero Day Initiative, expects this is due to security teams using AI to hunt bugs. "There are many things we could speculate on to justify the size, but if Microsoft is like the other programs out there (including ours), they are likely seeing a rise in submissions found by AI tools," he wrote earlier this month.
AI-assisted vulnerability research recently prompted the Internet Bug Bounty (IBB) program to suspend awards until it can understand how to manage the growing volume of reports.
(Score: 0) by Anonymous Coward on Saturday May 02, @04:11PM
I didn't build the ipsec modules for my distro, I use wireguard, you insensitive clod!
(Score: 4, Informative) by RS3 on Saturday May 02, @04:47PM (2 children)
Why do so many similar CVEs and articles contain so many words, so little useful information? From a web search, from UC Berkeley:
(Score: 5, Funny) by GloomMower on Saturday May 02, @05:21PM
Maybe similar reason recipes have like the life story of a person's love of tomatoes. SEO
(Score: 1, Touché) by Anonymous Coward on Saturday May 02, @11:21PM
The original report of this vuln was LLM slop.
(Score: 4, Informative) by MonkeypoxBugChaser on Saturday May 02, @10:09PM (4 children)
You don't have to change your kernel but it would be wise to blacklist the module. Nothing really uses it.
(Score: 2) by Bentonite on Sunday May 03, @11:28AM (3 children)
I never had such bloat compiled in.
(Score: 0) by Anonymous Coward on Sunday May 03, @11:07PM (2 children)
With the amount of kernel updates it's getting hard to compile your own. Let alone for several machines. The electricity you waste doing it is also a factor. Desktop linux is what it is.
(Score: 0) by Anonymous Coward on Monday May 04, @09:43AM (1 child)
It used to take half an hour to compile the kernel on a top of the line machine, now it takes about a minute. It's increasingly cumbersome to start from a blank config and answer every configuration question but once you have a config you like you only have to answer a couple of questions to update to a new version. What has changed is that with a couple of exceptions like Gentoo, Slackware and Cachy, most distributions strongly discourage you from doing it, and their users are happy to go along.
(Score: 2) by suxen on Monday May 04, @06:59PM
Try even getting a usable C build environment on Debian or Ubuntu. Even basic desktop applications are inordinately difficult to compile, and every app presents new challenges to the point that you just stop trying and only use whatever slop the distros are willing to serve up. Soup is good food and all that. Same things are trivial to achieve on systems like Slackware or FreeBSD
(Score: 0) by Anonymous Coward on Monday May 04, @09:50AM
Claude Mythos was supposed to be so dangerous that it can't be released publicly because it can find security exploits in anything. This? Found by an ordinary meatbag, who used AI (and not even Claude) to help develop the exploit but not to notice that the kernel could be tricked into writing to read-only pages. That was all human brain.
I guess the Linux kernel is just a niche piece of software that nobody bothered to use Mythos on