Linux 'Copy Fail' LPE CVE-2026-31431 Lets Local Users Gain Root

Executive Summary

Researchers at Xint.io and Theori have disclosed a high-severity local privilege escalation (LPE) vulnerability in the Linux kernel, tracked as CVE-2026-31431 (CVSS 7.8) and codenamed Copy Fail. The flaw allows an unprivileged local user to write four controlled bytes into the page cache of any readable file on the system, potentially leading to full root access on all major Linux distributions. No public exploit code has been released as of this writing, but the technical details are sufficient for motivated attackers to develop one.

Technical Analysis

The vulnerability resides in the Linux kernel's page cache subsystem, which handles caching of file contents in memory. According to Xint.io and Theori, the flaw enables an unprivileged attacker to corrupt the page cache of any file they have read access to by writing four controlled bytes. This corruption can be leveraged to escalate privileges to root, though the exact exploitation path depends on the target file and kernel configuration.

The researchers did not disclose the specific kernel function or subsystem responsible for the bug, but the ability to write arbitrary bytes into the page cache of readable files suggests a race condition or improper permission check in the page cache writeback or invalidation path. The CVSS 7.8 score reflects the high impact (complete compromise of confidentiality, integrity, and availability) tempered by the requirement for local access and low attack complexity.

All major Linux distributions — including Red Hat Enterprise Linux, Ubuntu, Debian, SUSE, and Arch Linux — are believed to be affected, as the vulnerability exists in the common kernel codebase. The researchers have coordinated disclosure with the Linux kernel security team, and patches are expected to be rolled out in upcoming kernel updates.

Mitigations & Recommendations

Defenders should prioritize applying kernel updates from their respective Linux distribution vendors as soon as they become available. Until patches are installed, system administrators can reduce exposure by restricting local user access to sensitive files and monitoring for anomalous page cache behavior. Given the requirement for local access, hardening systems against initial compromise — such as enforcing least privilege, disabling unnecessary user accounts, and using mandatory access controls like SELinux or AppArmor — can mitigate the risk. No workaround short of a kernel patch is known at this time.