Brian Pak’s Post

732 bytes of Python. Root on every major Linux distribution shipped since 2017.

Today we disclose CVE-2026-31431 — "Copy Fail" — a logic flaw in the Linux kernel's authencesn cryptographic template. An unprivileged local user can trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system.

The same script gets root on:
• Ubuntu 24.04 LTS
• Amazon Linux 2023
• RHEL 10.1
• SUSE 16

No race conditions. No per-distro offsets. No version checks. 100% success rate.

A few things make this one interesting:
→ It doesn't touch disk. The page cache is corrupted in memory, so on-disk checksums and file integrity tools miss it entirely. A disk image won't show that root was taken.
→ The page cache is shared across the host, including across container boundaries. One pod can compromise the entire Kubernetes node. (Part 2 of the writeup covers the container escape.)
→ It's been silently exploitable for ~9 years. The bug sits at the intersection of three changes between 2011 and 2017, each reasonable on its own. Nobody connected the dots.

How we found it: Taeyang Lee, a Theori researcher who had previously mapped the AF_ALG attack surface in kernelCTF, suspected that scatterlist page provenance was an underexplored source of bugs. He pointed Xint Code — our autonomous vulnerability analysis platform — at the Linux crypto subsystem with a one-line operator prompt. About an hour later, Copy Fail came back as the highest-severity finding. The same scan surfaced additional high-severity bugs, still in coordinated disclosure.

This is the workflow we keep proving out: a researcher (optionally) sets the direction, Xint Code covers the depth and breadth no human team has bandwidth for.

Coordinated disclosure with the Linux kernel security team wrapped cleanly — the fix landed in mainline on April 1. If you run Linux infrastructure, please patch.

Full root-cause analysis, demo, and exploit:
📄 https://copy.fail
🔗 https://code.xint.io
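The post's key forensic point is that the corruption lives in the page cache, not on disk, so hashing the block device or a disk image shows nothing. The check below is an added example, not code from the post or from Theori: it reads a file once through the page cache and once around it, and reports the first byte where the two views disagree. It assumes the filesystem honours O_DIRECT (with a posix_fadvise eviction fallback for filesystems that do not, such as some tmpfs mounts), 4096-byte alignment for direct reads, and that the tampered pages are clean rather than dirty, which is consistent with "doesn't touch disk" and with a later comment that drop_caches restores the file. The sample line in the self-test is constructed.

```c
/* Added example (not from the post or Theori): does a file's page cache still
 * match what is on storage?  Copy Fail corrupts only the in-memory copy. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define ALIGN 4096  /* assumed buffer/length alignment required by O_DIRECT */

/* Read up to len bytes, retrying on EINTR; returns bytes read or -1. */
static ssize_t read_all(int fd, unsigned char *buf, size_t len)
{
    size_t off = 0;
    while (off < len) {
        ssize_t n = read(fd, buf + off, len - off);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) break;  /* EOF */
        off += (size_t)n;
    }
    return (ssize_t)off;
}

/* 0: cache and storage agree; 1: they differ (*first_diff = first differing
 * offset); -1: could not check (not a regular file, read error, ...). */
int page_cache_divergence(const char *path, off_t *first_diff)
{
    int result = -1, fd, dfd;
    unsigned char *cached = NULL, *disk = NULL;
    struct stat st;
    size_t len, alen, i;
    ssize_t d = -1;

    if ((fd = open(path, O_RDONLY)) < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) goto out;
    len = (size_t)st.st_size;
    alen = (len + ALIGN - 1) & ~((size_t)ALIGN - 1);
    if (alen == 0) alen = ALIGN;
    if (posix_memalign((void **)&cached, ALIGN, alen) != 0 ||
        posix_memalign((void **)&disk, ALIGN, alen) != 0) goto out;

    /* 1. The page cache's view: an ordinary buffered read. */
    if (read_all(fd, cached, len) != (ssize_t)len) goto out;

    /* 2. Storage's view.  Preferred: O_DIRECT bypasses the page cache. */
    if ((dfd = open(path, O_RDONLY | O_DIRECT)) >= 0) {
        d = read_all(dfd, disk, alen);  /* short read at EOF is expected */
        close(dfd);
    } else {
        /* Fallback where O_DIRECT is unsupported: evict the file's clean cached
         * pages and re-read.  Assumes the corrupted pages are clean; pages
         * mapped by a running process are not evicted, so a live binary may
         * be missed on this path. */
        if (posix_fadvise(fd, 0, 0, POSIX_FADV_DONTNEED) == 0 &&
            lseek(fd, 0, SEEK_SET) == 0)
            d = read_all(fd, disk, len);
    }
    if (d != (ssize_t)len) goto out;

    result = 0;
    for (i = 0; i < len; i++)
        if (cached[i] != disk[i]) {
            if (first_diff) *first_diff = (off_t)i;
            result = 1;
            break;
        }
out:
    free(cached);
    free(disk);
    close(fd);
    return result;
}

/* Self-test on a constructed temp file: expected 0 (cache matches storage). */
int self_check(void)
{
    static const char sample[] = "root:x:0:0:root:/root:/bin/bash\n";  /* constructed */
    char tmpl[] = "/tmp/pagecache-check-XXXXXX";
    int rc = -1, fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (write(fd, sample, sizeof sample - 1) == (ssize_t)(sizeof sample - 1) && fsync(fd) == 0) {
        off_t where = -1;
        rc = page_cache_divergence(tmpl, &where);
    }
    close(fd);
    unlink(tmpl);
    return rc;
}

int main(int argc, char **argv)
{
    int bad = 0, i;
    if (argc < 2) return self_check() == 0 ? 0 : 1;
    for (i = 1; i < argc; i++) {
        off_t at = -1;
        int r = page_cache_divergence(argv[i], &at);
        if (r == 1) { printf("%s: page cache differs from storage at offset %lld\n", argv[i], (long long)at); bad = 1; }
        else printf("%s: %s\n", argv[i], r == 0 ? "consistent" : "could not check");
    }
    return bad;
}
```

Run it against the files an attacker would most want to alter in memory (setuid binaries, /etc/passwd, shared libraries). A result of 1 is a strong signal, since a healthy page cache never diverges from storage for a clean file; a 0 via the fadvise fallback on a file that is currently mapped is not conclusive, because its pages cannot be evicted and are simply re-read from the cache.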


Besides the impressive bug, there is no such thing as RHEL 14.3.

Hmm, I ran the exploit on some of my machines that run Debian Stable, and it gave me a root shell. Doing an apt-get update didn't show any updates for a new kernel. It appears that Debian Stable is missing the fix! (Or maybe I'm missing something?)

AI security is about to mess with how we think about “shift left.” It’s not just about finding bugs faster. Autonomous analysis makes it cheap to go deep. Most teams are still optimizing for speed, but barely investing in making sure what they ship actually holds up.

Also, you don't need to reboot to get things back to normal. A simple echo 1 > /proc/sys/vm/drop_caches will also do.

You could have been more responsible in your disclosure. You did a bad thing.


First off, excellent research, work, and analysis. Bravo. Second, a one-month timeline is aggressive for coordinated vulnerability disclosure, particularly if you are sharing an exploit PoC. Could you share your thoughts about Theori's approach for publication timelines (30 vs 90 days)?

If this holds up, it's one of those "quietly catastrophic" classes of bugs — small primitive (4-byte write) → massive impact because of where it lands (page cache + shared kernel state).

The scary parts aren't just the exploit, but the properties:
No race conditions → reliable exploitation
Cross-distro → systemic, not implementation-specific
Page cache → invisible to most traditional forensics
Container boundary bypass → breaks a core cloud isolation assumption

The bigger takeaway isn't even the vuln — it's the discovery model. AI-assisted vuln research shifting from "helper" to "coverage engine" is a real inflection point.

Curious - do you think this kind of bug would have realistically been found without AI-driven exploration, or was it just a matter of time?

At least you didn't post this Friday afternoon, thanks.

Tried to port it to NixOS, but couldn't get the exploit to work.
