Dangerous New Linux Exploit Gives Attackers Root Access to Countless Computers

Publicly Released Exploits
An unpatched vulnerability that gives root access to nearly every Linux release is setting off alarms as defenders try to prevent serious compromises inside data centers and on personal devices.
The vulnerability and the exploit code that targets it were released Wednesday evening by researchers from security firm Theori, five weeks after they privately disclosed it to the Linux kernel security team. The kernel team released fixes in versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254, but few Linux distributions had the fix installed at the time of release.
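A quick defender-side check, added here and not part of Theori's release or this article: it compares the running kernel's version string with the upstream releases listed above as fixed. Distribution kernels routinely backport fixes without changing the version number, so a "not fixed" result means "consult the vendor advisory", not "confirmed vulnerable"; the series table and the 7.0 cut-off are taken from the article, nothing else is assumed.

```python
import platform
import re
from typing import Optional, Tuple

# Upstream kernel releases that carry the CopyFail (CVE-2026-31431) fix,
# as listed in the article: one per maintained stable series, plus 7.0.
FIXED_RELEASES = {
    (6, 19): 12,
    (6, 18): 12,
    (6, 12): 85,
    (6, 6): 137,
    (6, 1): 170,
    (5, 15): 204,
    (5, 10): 254,
}
MAINLINE_FIX = (7, 0)  # 7.0 and every later mainline release include the fix


def parse_kernel_version(release: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a `uname -r` string such as
    '6.12.84-1-amd64'; a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def upstream_fix_status(release: str) -> Optional[bool]:
    """True if the version string is at or past the upstream fix for its
    series, False if it predates that fix, None if the series is not one the
    article lists (typically a distribution kernel built from an upstream
    branch that is no longer maintained), in which case only the vendor
    advisory can say whether the fix was backported."""
    major, minor, patch = parse_kernel_version(release)
    if (major, minor) >= MAINLINE_FIX:
        return True
    fixed_patch = FIXED_RELEASES.get((major, minor))
    if fixed_patch is None:
        return None
    return patch >= fixed_patch


if __name__ == "__main__":
    running = platform.release()
    verdict = {True: "fixed upstream", False: "predates upstream fix",
               None: "series not listed; check vendor advisory"}
    print(f"{running}: {verdict[upstream_fix_status(running)]}")
```

Run it on each host (or feed it `uname -r` output collected from a fleet) and treat anything other than "fixed upstream" as a prompt to check the distribution's own advisory for a backport.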
One Hack Script for All
The critical flaw, tracked as CVE-2026-31431 and named CopyFail, is an elevation-of-privilege vulnerability, a class of bug that lets unprivileged users elevate themselves to administrators. CopyFail is particularly dangerous because it can be exploited with a single piece of exploit code, released in Wednesday’s disclosure, that works across all vulnerable distributions without modification. With it, an attacker can, among other things, take over multi-tenant systems, break out of Kubernetes-based containers or other sandboxing frameworks, and create malicious pull requests that inject exploit code into CI/CD workflows.
“‘Increasing property rights’ sounds dry, so let me cut you loose,” wrote researcher Jorijn Schrijvershof on Thursday. “It means: An attacker who already has some way of running code on a machine, even as the most boring unprivileged user, can develop it. From there they can read all the files, install backdoors, watch the whole process, and rotate to other systems.”
Schrijvershof added that the same Python script Theori released works reliably on Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6, and Debian 12. The researcher continued:
Why is that important for shared infrastructure? Because “local” covers many areas in 2026: every container in a shared Kubernetes environment, every tenant in a shared hosting box, every CI/CD job with untrusted pull request code, every WSL2 instance on a Windows laptop, every AI agent whose container is granted shell access. They all share the same Linux kernel with their neighbors. The kernel LPE wraps that border.
The actual threat chain looks like this. An attacker takes advantage of a WordPress plugin vulnerability and gains shell access as www-data. They use copy.fail PoC. They are now root on the host. All other tenants are suddenly accessible, the way I can get through this corpse hack. Being vulnerable does not make the attacker into a box; it changes what happens in the next ten seconds after they get there.
The vulnerability stems from the “straight line” mindset in the kernel crypto API. Many exploits that rely on race conditions or memory corruption do not work consistently across kernel versions or distributions, and sometimes not even on the same machine. Because the code released for CopyFail exploits a logic error, “reliability is not possible, and the same script runs on all distributions,” researchers from Bugcrowd wrote. “No race window, no kernel offset.”
CopyFail gets its name because the authencesn AEAD template (used for IPsec extended sequence numbers) does not actually copy data when it should. Instead, it “uses the caller’s buffer as a scratch pad, writes 4 bytes through the formal output, and never returns them,” Theori said. “A ‘copy’ of AAD ESN bytes ‘fails’ to reside within the destination.”
The Worst Linux Vulnerability in Years
Some security experts have expressed the opinion that CopyFail poses a significant risk, with one saying it is “the worst root-me-in kernel vulnerability in recent times.”
The most recent Linux vulnerabilities of comparable severity were Dirty Pipe in 2022 and Dirty Cow in 2016. Both were widely exploited in the wild.