
Linux kernel contains high-risk 'Copy Fail' vulnerability; local users can use it to seize root privileges, and multiple mainstream Linux distributions are broadly affected

iThome News

Security firm Theori has disclosed a high-severity Linux kernel vulnerability dubbed 'Copy Fail' (CVE-2026-31431), rated CVSS 7.8. The flaw has been present in the kernel for about 9 years and lets an unprivileged local user gain root by performing a single controlled 4-byte write. It affects every kernel released since 2017; fixes ship in kernel releases 7.0, 6.19.12 and 6.18.22.

Summary

Security firm Theori has publicly disclosed a high-severity Linux kernel vulnerability named 'Copy Fail' (CVE-2026-31431), which has existed in the kernel for approximately 9 years and carries a CVSS score of 7.8. The vulnerability resides in the kernel's 'authencesn' cryptographic template and enables Local Privilege Escalation (LPE): an unprivileged local user can gain root without relying on a race condition, kernel-specific offsets, network access, kernel debugging features, or any pre-installed commands.

The attack triggers a controlled 4-byte write into the page cache (the kernel's in-memory copy of file contents) of any file the attacker can read; setuid binaries are normally world-readable, which is what makes the next step possible. A 732-byte Python script then uses this write to patch a setuid binary such as /usr/bin/passwd or /usr/bin/su and so obtains root. According to Sysdig's analysis, the affected kernel versions span 4.14 through 7.0-rc, including 6.18.x before 6.18.22 and 6.19.x before 6.19.12; the fixed releases are 7.0, 6.19.12 and 6.18.22.
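As an added triage aid (not part of the iThome article, and not Theori's or Sysdig's material), the following POSIX shell function classifies an upstream kernel version string against the version ranges quoted in the paragraph above. The function names and output tokens are this example's own. It reports 'fixed' only for 7.0 or later, for 6.19.12 or later within the 6.19 branch, and for 6.18.22 or later within the 6.18 branch; every other version inside 4.14 to 7.0-rc is reported as affected, with a separate token for stable branches for which this summary lists no fixed release. Distribution kernels backport fixes without changing the upstream version string, so treat the result as a first-pass hint and rely on the distribution's advisory for the final word.

```sh
#!/bin/sh
# Added triage helper, not code from the article, Theori or Sysdig. It maps an
# upstream kernel version string onto the version ranges quoted above:
#   affected: 4.14 .. 7.0-rc      fixed: 6.18.22+, 6.19.12+, 7.0+
# Function names and output tokens are this example's own choices.

# Print "major minor patch" for a version string such as "6.18.22",
# "5.15.0-134-generic" or "7.0-rc3"; a missing component is reported as 0.
# Everything from the first '-' onwards (rc tag, distro suffix) is dropped here.
ver_fields() {
    v=${1%%-*}
    maj=${v%%.*}
    rest=${v#"$maj"}; rest=${rest#.}
    min=${rest%%.*}
    rest=${rest#"$min"}; rest=${rest#.}
    pat=${rest%%.*}
    echo "${maj:-0} ${min:-0} ${pat:-0}"
}

# Classify one version string. Output is exactly one token:
#   fixed                  - 7.0 or later, 6.19.12+ within 6.19, 6.18.22+ within 6.18
#   affected               - 7.0-rcN, 6.19.x before 6.19.12, 6.18.x before 6.18.22
#   affected-no-fix-listed - any other 4.14 .. 6.x kernel; the summary above names
#                            no fixed release for these branches, so check the
#                            distribution advisory
#   not-affected           - older than 4.14, outside the range Sysdig quotes
#   unknown                - string does not start with a number
copyfail_status() {
    case "$1" in *-rc*) rc=1 ;; *) rc=0 ;; esac
    set -- $(ver_fields "$1")
    maj=$1; min=$2; pat=$3
    case "$maj" in ''|*[!0-9]*) echo unknown; return ;; esac
    if [ "$maj" -gt 7 ] || { [ "$maj" -eq 7 ] && [ "$rc" -eq 0 ]; }; then
        echo fixed
    elif [ "$maj" -eq 7 ]; then
        echo affected                     # a 7.0 release candidate
    elif [ "$maj" -eq 6 ] && [ "$min" -eq 19 ]; then
        [ "$pat" -ge 12 ] && echo fixed || echo affected
    elif [ "$maj" -eq 6 ] && [ "$min" -eq 18 ]; then
        [ "$pat" -ge 22 ] && echo fixed || echo affected
    elif [ "$maj" -gt 4 ] || { [ "$maj" -eq 4 ] && [ "$min" -ge 14 ]; }; then
        echo affected-no-fix-listed
    else
        echo not-affected
    fi
}

# Classify the running kernel. Distribution kernels backport fixes without
# changing this string, so a non-"fixed" answer means "consult the advisory",
# not "confirmed exploitable".
running=$(uname -r 2>/dev/null || echo unknown)
echo "running kernel $running: $(copyfail_status "$running")"
```

Run it as-is to classify the current host, or call copyfail_status with a version string pulled from an inventory system to sweep a fleet. The rc handling matters: 7.0-rc builds sit inside the affected range even though they share the "7.0" prefix with the fixed release.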

The discovery was significantly aided by AI tooling. Theori researcher Taeyang Lee first observed that splice() can hand page-cache pages to the crypto/ subsystem, and that the provenance of the pages in a scatterlist was an underinvestigated bug class. Theori then used its AI security tool 'Xint Code' to audit the entire crypto/ subsystem in approximately one hour; Copy Fail was the most severe vulnerability found in that pass.

The vulnerability broadly affects all Linux distributions released since 2017 because the Kernel Crypto API, with AF_ALG as its user-space interface, is enabled by default. Theori demonstrated exploitation on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1 and SUSE 16. Security advisories have been issued by Amazon Linux, Arch Linux, CloudLinux, Debian, Gentoo, Red Hat Enterprise Linux, SUSE and Ubuntu. Theori has also published a dedicated website explaining the vulnerability, together with a proof of concept, to urge rapid remediation.

Key Insights

  • Theori argues that Copy Fail is a logic bug rather than a race condition, which makes it notably reliable and straightforward to trigger compared with many kernel-level vulnerabilities.
  • The research team states that a 732-byte Python script is enough to exploit the vulnerability and gain root by modifying setuid binaries, highlighting the low barrier to exploitation.
  • Theori states that its AI tool Xint Code enabled a full audit of the entire crypto/ kernel subsystem in approximately one hour, suggesting AI significantly widens the scope of security research.
  • The vulnerability persisted undetected in the Linux kernel for approximately 9 years, which Theori attributes to the provenance of scatterlist pages handed to crypto/ having been an underinvestigated bug class.
  • Sysdig's analysis indicates the flaw affects all Linux kernels since 2017 because the Kernel Crypto API with AF_ALG is enabled by default everywhere, so the attack surface spans virtually the entire modern Linux ecosystem.

Topics

  • CVE-2026-31431 'Copy Fail' Linux kernel vulnerability
  • Local Privilege Escalation (LPE) via page cache write
  • AI-assisted vulnerability discovery using Xint Code
