SUSE and Linux: 9-Year-Old Linux Kernel Vulnerability “Copy Fail” Enables Full Root Access

Linux Kernel Flaw "Copy Fail" Grants Root Access via Memory Manipulation

Security researchers at Theori uncovered a critical vulnerability in the Linux kernel, present since 2017, that allows unprivileged users to gain full system control. Tracked as CVE-2026-31431 (dubbed Copy Fail), the flaw was discovered using Theori’s AI-powered code auditing tool, following an initial lead by researcher Taeyang Lee.

The bug resides in the algif_aead module, part of Linux’s cryptographic subsystem, which handles AEAD (Authenticated Encryption with Associated Data) operations. A miscalculation in the authencesn tool causes it to incorrectly write four bytes of data into the page cache, the memory region that holds frequently accessed file fragments. Because of a 2017 performance optimization, those bytes can overwrite critical system files in memory, such as /usr/bin/su, without altering the on-disk version.

Attackers can exploit this with a 732-byte Python script, modifying memory-resident files to escalate privileges to root. The flaw is highly reliable, working consistently across multiple Linux distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux 10.1, and SUSE 16. Because the modification exists only in memory, it leaves minimal forensic traces and evades traditional file integrity checks, which compare the on-disk file against a known-good hash.

Linux has released a patch (commit a664bf3d603d) that prevents the issue by forcing safe data copying, replacing the vulnerable in-place method. For systems unable to update immediately, disabling the algif_aead module mitigates the risk without disrupting common applications like web browsers or SSH.
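As an added example, not part of the article and not code from Theori or the kernel project, the POSIX shell helpers below show how an administrator can check whether algif_aead is loaded or compiled into the running kernel and apply the interim mitigation the article describes (refusing to load the module) until the patch is installed. The module name and the CVE come from the article; the config file name disable-algif-aead.conf is an arbitrary choice for this example, and the modprobe "install" and "blacklist" directives and the kernel option CONFIG_CRYPTO_USER_API_AEAD (which builds algif_aead) are standard Linux facilities.

```shell
#!/bin/sh
# Added example (not from the article): detect and block the algif_aead module
# as an interim mitigation for CVE-2026-31431 ("Copy Fail") until the kernel
# patch is applied.  File name disable-algif-aead.conf is an assumption.

# Return 0 if algif_aead appears as a loaded module in /proc/modules-style
# text passed as $1 (first field of each line is the module name).
algif_aead_loaded() {
    printf '%s\n' "$1" | awk '$1 == "algif_aead" { found = 1 } END { exit found ? 0 : 1 }'
}

# Return 0 if algif_aead is compiled into the kernel, in which case it can be
# neither unloaded nor blocked by modprobe and only the patch helps.
# $1 is the path to modules.builtin (normally /lib/modules/$(uname -r)/modules.builtin).
algif_aead_builtin() {
    grep -q 'algif_aead\.ko' "$1" 2>/dev/null
}

# Write a modprobe rule into directory $1 (default /etc/modprobe.d) so that any
# load attempt, including the kernel's own request_module() autoloading, fails.
# "install ... /bin/false" blocks the module by name; "blacklist" additionally
# stops alias-based autoload.  Prints the path of the file written.
write_algif_aead_block() {
    dir=${1:-/etc/modprobe.d}
    conf="$dir/disable-algif-aead.conf"
    {
        echo '# Interim mitigation for CVE-2026-31431 (Copy Fail): refuse to load algif_aead'
        echo 'install algif_aead /bin/false'
        echo 'blacklist algif_aead'
    } > "$conf"
    printf '%s\n' "$conf"
}

# Apply the mitigation on the live host (requires root).  Unloading fails
# harmlessly if a process still holds the module; the rule still prevents
# future loads after the module is released.
apply_algif_aead_block() {
    conf=$(write_algif_aead_block /etc/modprobe.d)
    modprobe -r algif_aead 2>/dev/null || true
    echo "wrote $conf"
}

# Read-only status report when the script is run directly; nothing is changed.
if [ -r /proc/modules ]; then
    if algif_aead_loaded "$(cat /proc/modules)"; then
        echo "algif_aead: currently loaded"
    else
        echo "algif_aead: not loaded"
    fi
fi
builtin_list="/lib/modules/$(uname -r 2>/dev/null)/modules.builtin"
if [ -r "$builtin_list" ] && algif_aead_builtin "$builtin_list"; then
    echo "algif_aead: built into this kernel (CONFIG_CRYPTO_USER_API_AEAD=y); modprobe rules cannot block it, apply the kernel patch"
fi
```

Running the script reports status only; call apply_algif_aead_block as root to write the rule and unload the module. Before doing so, confirm that nothing on the host uses the AF_ALG AEAD interface (the article notes that common applications such as web browsers and SSH do not), and remember that the rule is a stopgap: a kernel with the module built in, or a host where the module is already held open, still needs the patched kernel.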

Security experts, including David Brumley of Bugcrowd, emphasize the flaw’s severity, noting its broker-market value and cross-distribution reliability. Brumley warned that the shared page cache in containerized environments could allow a single compromised tenant to affect the entire host, underscoring the need for urgent patching. The discovery also signals a shift in exploit discovery, as AI-driven tools lower the cost of uncovering deep logic flaws in critical systems.

Source: https://hackread.com/linux-kernel-vulnerability-copy-fail-full-root-access/

The Linux Foundation cybersecurity rating report: https://www.rankiteo.com/company/the-linux-foundation

SUSE cybersecurity rating report: https://www.rankiteo.com/company/suse

{
  "id": "THESUS1777537860",
  "linkid": "the-linux-foundation, suse",
  "type": "Vulnerability",
  "date": "1/2017",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "customers_affected": "Users of Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux 10.1, SUSE 16, and other Linux distributions",
      "industry": "Technology/Software",
      "location": "Global",
      "name": "Linux Kernel",
      "type": "Operating System"
    }
  ],
  "attack_vector": "Local",
  "description": "Security researchers at Theori uncovered a critical vulnerability in the Linux kernel, present since 2017, that allows unprivileged users to gain full system control. The flaw, tracked as CVE-2026-31431 (dubbed 'Copy Fail'), resides in the algif_aead module and enables attackers to overwrite critical system files in memory, escalating privileges to root access with a 732-byte Python script. The vulnerability is highly reliable across multiple Linux distributions and leaves minimal forensic traces.",
  "impact": {
    "operational_impact": "Full system control (root access) by unprivileged users",
    "systems_affected": "Linux systems (Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux 10.1, SUSE 16)"
  },
  "lessons_learned": "AI-driven tools can lower the cost of uncovering deep logic flaws in critical systems. The shared page cache in containerized environments can allow a single compromised tenant to affect the entire host.",
  "post_incident_analysis": {
    "corrective_actions": "Patch to force safe data copying and disable vulnerable module if patching is not immediately possible.",
    "root_causes": "Miscalculation in the authencesn tool causing incorrect memory writes due to a 2017 performance optimization in the algif_aead module."
  },
  "recommendations": "Urgent patching of the Linux kernel (commit a664bf3d603d) or disabling the algif_aead module for systems unable to update immediately.",
  "references": [
    {"source": "Theori"},
    {"source": "David Brumley (Bugcrowd)"}
  ],
  "response": {
    "containment_measures": "Disabling the algif_aead module",
    "remediation_measures": "Linux kernel patch (commit a664bf3d603d) to force safe data copying"
  },
  "title": "Linux Kernel Flaw 'Copy Fail' Grants Root Access via Memory Manipulation",
  "type": "Privilege Escalation",
  "vulnerability_exploited": "CVE-2026-31431 (Copy Fail)"
}