
High-severity 'Copy Fail' vulnerability in the Linux kernel lets local users seize root privileges, affecting many mainstream Linux distributions

iThome News

A high-severity Linux kernel vulnerability dubbed 'Copy Fail' (CVE-2026-31431) has been disclosed by security firm Theori, scoring 7.8 on the severity scale. The flaw, existing for 9 years, allows unprivileged local users to gain root privileges via a 4-byte controlled write exploit. It affects all Linux versions released since 2017, with patches available in versions 7.0, 6.19.12, and 6.18.22.

Summary

Security firm Theori has publicly disclosed a critical Linux kernel vulnerability named 'Copy Fail' (CVE-2026-31431), which has existed in the kernel for approximately 9 years and carries a CVSS severity score of 7.8. The vulnerability resides in the Linux kernel's cryptographic template 'authencesn' and enables Local Privilege Escalation (LPE), allowing unprivileged local users to gain root access without requiring race conditions, kernel-specific offsets, network access, kernel debugging features, or pre-installed commands.

The attack mechanism involves triggering a controlled 4-byte data write into the Page Cache of any readable file on the system. A 732-byte Python script can then be used to edit setuid binaries (such as /usr/bin/passwd or /usr/bin/su), ultimately granting root privileges. According to Sysdig's analysis, affected kernel versions span from 4.14 to 7.0-rc and include 6.18.x before 6.18.22 and 6.19.x before 6.19.12, with fixed versions being 7.0, 6.19.12, and 6.18.22.
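A triage helper, added here and not code from iThome, Theori or Sysdig: it classifies a `uname -r` string against the kernel version ranges quoted above and reports whether the AF_ALG socket family (the user-space entry point to the Kernel Crypto API named on this page) is reachable from the current process. The version boundaries are exactly those stated on this page; distributions routinely backport kernel fixes without changing these numbers, so the result is a hint for prioritising patch checks, not proof of exposure.

```python
import re
import socket

# Boundaries as reported on this page (Sysdig): affected 4.14 .. 7.0-rc, fixed in
# 7.0, 6.19.12 and 6.18.22. Other stable series have no fixed release listed here,
# and distro kernels may carry the fix under an older number (backports).
FIRST_AFFECTED = (4, 14, 0)
FIXED_MAINLINE = (7, 0, 0)
FIXED_STABLE = {(6, 18): (6, 18, 22), (6, 19): (6, 19, 12)}

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-rc\d+)?")


def parse_kernel_version(release):
    """Parse a `uname -r` string such as '6.18.21-generic' into (major, minor, patch, is_rc)."""
    m = _VER_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    return major, minor, patch, m.group(4) is not None


def copy_fail_status(release):
    """Return 'affected', 'fixed' or 'unaffected' for the ranges quoted on this page."""
    major, minor, patch, is_rc = parse_kernel_version(release)
    ver = (major, minor, patch)
    if ver < FIRST_AFFECTED:
        return "unaffected"  # predates the 4.14 series where the page says the bug begins
    if (major, minor) in FIXED_STABLE:
        return "fixed" if ver >= FIXED_STABLE[(major, minor)] else "affected"
    if ver == FIXED_MAINLINE and is_rc:
        return "affected"  # 7.0-rcN is listed as affected; 7.0 final is fixed
    if ver >= FIXED_MAINLINE:
        return "fixed"
    return "affected"  # 4.14 .. 6.17 and other pre-7.0 series: no fixed version listed here


def af_alg_reachable():
    """True if this process can open an AF_ALG socket (Linux only); False elsewhere or if blocked."""
    if not hasattr(socket, "AF_ALG"):
        return False
    try:
        with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    import platform
    rel = platform.release()
    print(rel, "->", copy_fail_status(rel), "| AF_ALG reachable:", af_alg_reachable())
```

A "fixed" verdict only means the version number is at or past a fixed release named on this page; confirm with your distribution's advisory, since backported fixes keep older version strings.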

The discovery was significantly aided by AI tooling. Theori researcher Taeyang Lee initially identified that splice() passes Page Cache to the crypto/ subsystem and that the source of scatterlist pages represented an underinvestigated bug class. Theori then used its AI security tool 'Xint Code' to audit the entire crypto/ subsystem in approximately one hour, identifying Copy Fail as the most severe vulnerability found in the process.

The vulnerability broadly impacts all Linux distributions released since 2017 due to their default inclusion of the Kernel Crypto API (with AF_ALG as the user-space access interface). Theori demonstrated exploitation on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16. Multiple Linux distributions have issued security advisories, including Amazon Linux, Arch Linux, CloudLinux, Debian, Gentoo, Red Hat Enterprise Linux, SUSE, and Ubuntu. Theori has also published a dedicated website explaining the vulnerability and provided a proof-of-concept to urge rapid remediation.

About this episode

A few days ago, a high-severity vulnerability that has existed in the Linux kernel for as long as 9 years, CVE-2026-31431, was disclosed. Security vendor Theori published this flaw, which carries a severity score of 7.8, named it Copy Fail, set up a dedicated website explaining the cause of the problem and its scope of impact, and also provided a proof-of-concept program to urge everyone to respond quickly to this pressing threat.

Key Insights

  • Theori argues that Copy Fail is a logic bug rather than a race condition exploit, making it notably reliable and straightforward to trigger compared to many kernel-level vulnerabilities.
  • The research team claims that a 732-byte Python script is sufficient to exploit the vulnerability and gain root access by modifying setuid binaries, highlighting the low barrier to exploitation.
  • Theori states that AI tool Xint Code enabled full-scale auditing of the entire crypto/ kernel subsystem in approximately one hour, suggesting AI significantly accelerates the scope of security research.
  • The vulnerability has persisted undetected in the Linux kernel for approximately 9 years, which Theori implies reflects the crypto/authencesn subsystem being an underinvestigated bug class.
  • Sysdig's analysis indicates the flaw affects all Linux versions since 2017 due to the universal default inclusion of the Kernel Crypto API with AF_ALG, meaning the attack surface spans virtually the entire modern Linux ecosystem.

Topics

  • CVE-2026-31431 'Copy Fail' Linux kernel vulnerability
  • Local Privilege Escalation (LPE) via Page Cache write
  • AI-assisted vulnerability discovery using Xint Code

Transcript

A few days ago, a high-severity vulnerability that has existed in the Linux kernel for as long as 9 years, CVE-2026-31431, was disclosed. Security vendor Theori published this flaw, which carries a severity score of 7.8, named it Copy Fail, set up a dedicated website explaining the cause of the problem and its scope of impact, and also provided a proof-of-concept program to urge everyone to respond quickly to this pressing threat. According to the compilation by security vendor Sysdig, the kernel versions affected by this vulnerability include 4.14 through 7.0-rc, 6.18.x before 6.18.22, and 6.19.x before 6.19.12; in other words, the patched versions are 7.0, 6.19.12 and 6.18.22.

Theori states that Copy Fail is a logic bug residing in the Linux kernel's cryptographic template authencesn. It needs no race window, no kernel-specific offset, no network access, no kernel debugging features and no pre-installed commands, yet achieves Local Privilege Escalation (LPE) on a Linux system: it allows an unprivileged local user to trigger a controlled write of 4 bytes of data, the target being the page cache (Page Cache) of any readable file on the system. Moreover, with a 732-byte Python script, a setuid binary (for example /usr/bin/passwd or /usr/bin/su) can be edited to obtain root privileges on the Linux system.

Notably, the discovery above was aided by AI. It originated from a study by Theori researcher Taeyang Lee, which found that splice() passes the page cache to the crypto/ subsystem, and that the source of scatterlist pages might be a bug class that had not been investigated in depth. Theori then used its own AI security tool, Xint Code, to scale the audit up to the entire crypto/ subsystem in about one hour; the results showed Copy Fail to be the most serious vulnerability found during the process.

Essentially, the scope of this problem is very broad, covering all Linux releases issued since 2017, because they all ship the Kernel Crypto API by default (with AF_ALG as the user-space access interface). Theori has so far demonstrated abuse of the Copy Fail vulnerability on four distributions: Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1 and SUSE 16.

In addition, multiple Linux distributions have published related security advisories, including: Amazon Linux, Arch Linux, CloudLinux, Debian, Gentoo, Red Hat Enterprise Linux, SUSE and Ubuntu.
