Mark0

Copy.Fail Linux Vulnerability

The Copy.Fail vulnerability (CVE-2026-31431) represents a critical local privilege escalation (LPE) in the Linux kernel. Disclosed by Theori, the exploit abuses the kernel crypto API (AF_ALG) and the splice() system call to write data directly into the page cache of sensitive files. Because the exploit targets memory rather than the physical disk, it bypasses traditional integrity monitoring tools like AIDE and Tripwire, allowing unprivileged users to gain root access without leaving a permanent disk footprint.

This flaw is particularly dangerous for multi-tenant environments, including Kubernetes clusters and shared CI/CD runners, as it effectively collapses container boundaries. It impacts nearly all major distributions, including Ubuntu, RHEL, and Amazon Linux, without requiring complex race conditions or per-distribution offsets. To defend against Copy.Fail, administrators must apply the latest kernel patches or implement custom seccomp profiles, as default container security standards do not currently block the specific syscalls used.
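A check that can be run inside a container or CI runner to confirm whether a seccomp profile or kernel configuration actually stops unprivileged code from opening an AF_ALG socket. This is an added example, not code from the original article or from Theori; it assumes the mitigation in place denies `socket()` for the AF_ALG family, and it reports only whether the interface is reachable, not whether the kernel is patched.

```python
import errno
import signal
import subprocess
import sys

# Child process: try to open an AF_ALG socket and print the resulting errno (0 = success).
# AF_ALG is address family 38 on Linux; the fallback covers Python builds without the constant.
CHILD = """
import socket
try:
    socket.socket(getattr(socket, "AF_ALG", 38), socket.SOCK_SEQPACKET, 0).close()
    print(0)
except OSError as e:
    print(e.errno)
"""

def classify(returncode, stdout):
    """Turn the child's exit status and printed errno into a verdict string."""
    if returncode == -signal.SIGSYS:
        return "blocked"      # a kill-on-violation seccomp filter terminated the probe
    if returncode != 0 or not stdout.strip().isdigit():
        return "unknown"
    err = int(stdout.strip())
    if err == 0:
        return "exposed"      # unprivileged code can reach the kernel crypto API
    if err in (errno.EPERM, errno.EACCES):
        return "blocked"      # typical of a seccomp errno rule or an LSM denial
    if err in (errno.EAFNOSUPPORT, errno.EPROTONOSUPPORT):
        return "unavailable"  # AF_ALG not built into, or not loadable by, this kernel
    return "unknown"

def probe_af_alg():
    """Run the probe in a child so a kill-on-violation filter cannot take down the caller."""
    proc = subprocess.run([sys.executable, "-c", CHILD],
                          capture_output=True, text=True, timeout=30)
    return classify(proc.returncode, proc.stdout)

if __name__ == "__main__":
    verdict = probe_af_alg()
    print(f"AF_ALG socket creation: {verdict}")
    # Non-zero exit lets a CI job or admission check fail when the interface is reachable.
    sys.exit(1 if verdict == "exposed" else 0)
```

Run it as the same unprivileged user and under the same seccomp profile as the workload, since the verdict reflects the calling process's sandbox rather than the host.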

