Theori

732 bytes of Python. Root on every major Linux distribution shipped since 2017. Today we disclose CVE-2026-31431 — "Copy Fail" — a logic flaw in the Linux kernel's authencesn cryptographic template. An unprivileged local user can trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system. The same script gets root on: • Ubuntu 24.04 LTS • Amazon Linux 2023 • RHEL 10.1 • SUSE 16 No race conditions. No per-distro offsets. No version checks. 100% success rate. A few things make this one interesting: → It doesn't touch disk. The page cache is corrupted in memory, so on-disk checksums and file integrity tools miss it entirely. A disk image won't show that root was taken. → The page cache is shared across the host, including across container boundaries. One pod can compromise the entire Kubernetes node. (Part 2 of the writeup covers the container escape.) → It's been silently exploitable for ~9 years. The bug sits at the intersection of three changes between 2011 and 2017, each reasonable on its own. Nobody connected the dots. How we found it: Taeyang Lee, a Theori researcher who had previously mapped the AF_ALG attack surface in kernelCTF, suspected that scatterlist page provenance was an underexplored source of bugs. He pointed Xint Code — our autonomous vulnerability analysis platform — at the Linux crypto subsystem with a one-line operator prompt. About an hour later, Copy Fail came back as the highest-severity finding. The same scan surfaced additional high-severity bugs, still in coordinated disclosure. This is the workflow we keep proving out: a researcher (optionally) sets the direction, Xint Code covers the depth and breadth no human team has bandwidth for. Coordinated disclosure with the Linux kernel security team wrapped cleanly — the fix landed in mainline on April 1. If you run Linux infrastructure, please patch. Full root-cause analysis, demo, and exploit: 📄 https://copy.fail 🔗 https://code.xint.io

'Before [Xint security researcher Tim Becker] started working on automatic bug finding with AI, he worked on vulnerability research, finding zero days and reporting them to maintainers. He said it used to take him weeks or months to find a high-impact vulnerability in a brand-new codebase, and now it only takes hours. “I just drop the code into our AI bug-finding tool [Xint] and in a couple hours I get a report with a bunch of candidate vulnerabilities, and most of them end up checking out and being real issues,” he said. “The bar to diving into a new million-line codebase and finding a bug is so much lower than it used to be.”' Great report from The Verge quoting Xint security researcher Tim Becker looking into the new era of cybersecurity, where even non-technical attackers can use AI to find the weaknesses in the apps and networks of organizations faster and at a scale never thought possible before. https://lnkd.in/enwBztJw

Join award-winning security researcher Tyler Nighswander on Techstrong TV for this hands-on workshop for product security practitioners. In this workshop he will: 1) go deep into how AI-native AppSec differs from traditional tools and methods 2) share the pitfalls of poorly harnessed AI bug finding 3) and provide a demonstration of how the scaffolding (and not the model) is what will provide superior results for what product security looks like in the real world https://lnkd.in/dTjnT2ba

Anthropic is (rightfully) generating a lot of attention for Mythos’s ability to find 0days, BUT the hard problem is not whether an LLM can recognize a bug when pointed at it; it is whether a system can find the right code to examine across a 9-million-line codebase, distinguish the one real vulnerability from the hundreds of theoretical weaknesses the model will flag along the way, and deliver output a developer can act on without wasting a week on false positives. This is something Xint has been doing since our wins at AIxCC and #ZeroDayCloud last year. We wanted to see if using publicly available models with the right scaffolding would reach the same performance as the latest limited-release frontier model under **real world conditions** In this research paper not only did we find all the same bugs highlighted in Anthropic’s report, but found an additional 12 mid- to high-severity vulnerabilities not included in their public disclosures. Check out the full report here: https://lnkd.in/gSwsNuJe

What if you could have the expertise of human pentesters at machine speed and scale? Check out the future of AppSec at the Xint booth this week at RSA booth S-2436 https://lnkd.in/gVX63VRT