Copy Fail (CVE-2026-31431): four out-of-bounds bytes to root

CVE-2026-31431 'Copy Fail': nine years of Linux kernels (2017–2026) carry a 4-byte out-of-bounds write at the intersection of AF_ALG, splice() and the authencesn algorithm. A 732-byte Python proof of concept is enough to tamper with the cached contents of /usr/bin/su and obtain root. The upstream patch has already shipped.

Tags: Open Source, Cybersecurity, Linux, Kernel, Security, CVE, AF_ALG, Privilege Escalation

A vulnerability that survived nine years

The Xint Code Research Team, building on an initial contribution by Taeyang Lee, has published the details of CVE-2026-31431, nicknamed “Copy Fail”: a 4-byte out-of-bounds write in the Linux kernel present in releases from 2017 to 2026, nine years of stable and LTS kernels, that lets an unprivileged local user escalate to root with a 732-byte exploit. Declared severity: critical.

The vector: AF_ALG, splice() and authencesn

The flaw lives at the intersection of three kernel mechanisms: AF_ALG, the socket-based user-space interface to the kernel's crypto primitives; the splice() system call, which moves data between file descriptors without copying it through user space; and the authencesn algorithm template (authenticated encryption with associated data, in the variant used for IPsec extended sequence numbers). During decryption, authencesn reuses the destination buffer as scratch space and writes four bytes past its end. Because splice() hands the socket references to the file's own pages rather than a private copy, those four bytes do not land in some anonymous kernel buffer: they land in the page cache, the pages in which the kernel keeps the contents of open files.
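The first operational question on an unpatched fleet is whether the entry point is even reachable: can an unprivileged process on this host instantiate an authencesn AEAD through AF_ALG? The probe below is an added example written for this article; it is not code from the Xint write-up or from the theori-io proof of concept. It only binds an AF_ALG socket to the algorithm name and closes it again: no key, no data, no splice(), no out-of-bounds write. The inner algorithms in the name, hmac(sha256) and cbc(aes), are an assumption chosen because they are present in every mainstream kernel; the page does not say which instantiation the PoC uses. A successful bind means the vulnerable code path exists and is reachable from an unprivileged login, not that the kernel is unpatched; only the kernel package version, checked against your distribution's advisory, settles that.

```c
// Added AF_ALG exposure probe (example code, not from the original article).
// It binds to the authencesn AEAD template the way any AF_ALG client does,
// then closes the socket. Nothing is encrypted, spliced or overwritten.
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef AF_ALG
#define AF_ALG 38   /* Linux value; missing from <sys/socket.h> on other OSes */
#endif

/* Local copy of the kernel's struct sockaddr_alg (linux/if_alg.h) so the
 * example builds without kernel headers. Layout: u16 family, u8 type[14],
 * u32 feat, u32 mask, u8 name[64]. */
struct alg_addr {
    uint16_t family;
    uint8_t  type[14];
    uint32_t feat;
    uint32_t mask;
    uint8_t  name[64];
};

enum probe_result {
    PROBE_REACHABLE,        /* bind() succeeded: the template was instantiated for us */
    PROBE_ALG_UNAVAILABLE,  /* ENOENT: AEAD socket type or this algorithm not available */
    PROBE_AF_ALG_DISABLED,  /* socket() refused the family: no AF_ALG on this kernel */
    PROBE_ERROR             /* anything else (sandbox, seccomp, unexpected errno) */
};

/* Pure classification of the two errno values, testable without a kernel. */
enum probe_result classify_probe(int socket_err, int bind_err)
{
    if (socket_err == EAFNOSUPPORT || socket_err == EPFNOSUPPORT)
        return PROBE_AF_ALG_DISABLED;
    if (socket_err != 0)
        return PROBE_ERROR;
    if (bind_err == 0)
        return PROBE_REACHABLE;
    if (bind_err == ENOENT)
        return PROBE_ALG_UNAVAILABLE;
    return PROBE_ERROR;
}

const char *probe_result_str(enum probe_result r)
{
    switch (r) {
    case PROBE_REACHABLE:       return "reachable from an unprivileged process";
    case PROBE_ALG_UNAVAILABLE: return "not available (ENOENT on bind)";
    case PROBE_AF_ALG_DISABLED: return "AF_ALG not supported by this kernel";
    default:                    return "probe failed (see errno)";
    }
}

/* Bind an AF_ALG socket of type "aead" to alg_name and report the outcome.
 * *err_out receives the errno that decided the verdict (0 on success). */
enum probe_result probe_aead(const char *alg_name, int *err_out)
{
    struct alg_addr sa;
    int fd, socket_err = 0, bind_err = 0;

    fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (fd < 0) {
        socket_err = errno;
    } else {
        memset(&sa, 0, sizeof sa);
        sa.family = AF_ALG;
        strncpy((char *)sa.type, "aead", sizeof sa.type - 1);
        strncpy((char *)sa.name, alg_name, sizeof sa.name - 1);
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
            bind_err = errno;
        close(fd);
    }
    if (err_out)
        *err_out = socket_err ? socket_err : bind_err;
    return classify_probe(socket_err, bind_err);
}

int main(void)
{
    /* The vulnerable template, plus its non-ESN sibling for comparison.
     * Inner algorithms are an assumption; any HMAC/cipher pair would do. */
    const char *names[] = {
        "authencesn(hmac(sha256),cbc(aes))",
        "authenc(hmac(sha256),cbc(aes))",
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int err = 0;
        enum probe_result r = probe_aead(names[i], &err);
        printf("%-36s : %s", names[i], probe_result_str(r));
        if (err)
            printf(" [%s]", strerror(err));
        printf("\n");
    }
    return 0;
}
```

Build with `cc -o afalg-probe afalg-probe.c` and run it as an ordinary user, since running it as root tells you nothing about the unprivileged attack surface. ENOENT is reported as "not available" rather than "safe" on purpose: it can mean either that the AEAD socket type could not be loaded or that this particular algorithm could not be instantiated, and in both cases the path is closed for that name on that host.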

From four bytes to /usr/bin/su

The practical effect is that an unprivileged local user can make a controlled modification to the cached contents of a file they are only allowed to read. The proof of concept in the theori-io/copy-fail-CVE-2026-31431 repository, a 732-byte Python script, picks the setuid-root /usr/bin/su as its target: once the cached pages have been tampered with, the next invocation of su drops into a root shell. No race condition, no brute force, no special hardware requirements.

Distributions and patch

The original Xint write-up lists Ubuntu, Amazon Linux, RHEL and SUSE as exploitable by the unmodified proof of concept (“without adaptations”). The upstream patch removes the 2017 optimisation and separates the input and output structures, restoring the invariant that authencesn had been violating. Distributions began publishing updated kernel packages within hours of disclosure.

What this means in practice

Copy Fail is a textbook case: a well-meant micro-optimisation in a specialist subsystem that circulated for nearly a decade before meeting a team that looked at it with the right eyes. For teams running Linux fleets the operational answer is routine: apply the updated packages, schedule reboots (a running kernel is only fixed once it has been replaced), and audit local accounts and privileges, since the bug needs nothing more than an unprivileged local login. The lesson is that the quieter corners of in-kernel cryptography deserve the same scrutiny as the louder attack surfaces (network, filesystem, popular syscalls).

Links: copy.fail · PoC exploit on GitHub · Xint Code blog
