Critical Linux Exploit 'CopyFail' Gives Hackers Root Access
A newly discovered Linux exploit called ‘CopyFail’ allows hackers to gain root access to countless computers. The vulnerability, tracked as CVE-2026-31431, has been patched but many machines remain at risk.
The exploit, which was publicly disclosed on Wednesday, uses a Python script that works across all vulnerable Linux distributions, requiring ‘no per-distro offsets, no version checks, no recompilation.’ This makes it a particularly severe threat, as it can be used to hack multi-tenant systems, break out of containers based on Kubernetes or other frameworks, and create malicious pull requests that pipe the exploit code through CI/CD workflows.
What’s at Stake
The stakes are high: an attacker who already has some way to run code on a machine, even as an unprivileged user, can use CopyFail to escalate to root. From there they can read every file, install backdoors, watch every process, and pivot to other systems. The exploit stems from a ‘straight-line’ logic flaw in the kernel’s crypto API.
A History of Linux Exploits
This is not the first time Linux has been vulnerable to exploits. In 2021, a 12-year-old vulnerability in a system tool called Polkit was discovered, giving attackers unfettered root privileges on machines running most major distributions of the open source operating system. The vulnerability, known as PwnKit, was discovered by researchers from security firm Qualys and was patched in most Linux distributions.
Technical Mechanics
The CopyFail exploit is a Python script that abuses a logic flaw in the kernel’s crypto API. The flaw was introduced in 2017 and lets a local attacker obtain root. Because the same script works unchanged across all vulnerable Linux distributions, the flaw is a major threat to Linux users.
Industry Context
The Linux kernel is a critical component of the Linux operating system, and vulnerabilities in the kernel can have far-reaching consequences. The Linux kernel is used in a wide range of devices, from servers and data centers to personal devices and IoT devices. The widespread use of Linux means that a vulnerability in the kernel can have a significant impact on the security of many devices. For example, the Linux kernel is used in over 90% of the world’s supercomputers, and many cloud providers rely on Linux to run their infrastructure.
Downstream Implications
Linux users should check whether their distribution has shipped the fix for the CopyFail vulnerability. The Linux kernel security team patched it in versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254. Many machines nevertheless remain unpatched, and it is likely only a matter of time before the exploit is used in the wild. Users should also be cautious when running untrusted code, since an attacker who already has some way to run code on a machine can use CopyFail to gain root.
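As an added example (not code from the article), a POSIX shell check that compares a kernel release string with the upstream fixed versions listed above. It assumes a distribution may backport the fix without raising the upstream patch number, so a "below the fix" verdict only means the version string cannot confirm the patch and the vendor advisory must be consulted.

```shell
#!/bin/sh
# Added example (not from the article): classify a kernel release string
# against the upstream fixed versions the article lists for CVE-2026-31431.
# Assumption: distros often backport fixes without raising the upstream patch
# number, so "below the fix" only means the version string cannot confirm it.

# First fixed release on each stable branch, as listed in the article.
COPYFAIL_FIXED="7.0 6.19.12 6.18.12 6.12.85 6.6.137 6.1.170 5.15.204 5.10.254"

# Print "major minor patch" from a uname -r style string such as
# "6.12.85-amd64" or "6.1.0-37-amd64"; missing or unparseable parts become 0.
kver_triplet() {
    set -- $(printf '%s' "$1" | sed -n -E 's/^([0-9]+)\.([0-9]+)(\.([0-9]+))?.*/\1 \2 \4/p')
    printf '%s %s %s' "${1:-0}" "${2:-0}" "${3:-0}"
}

# Exit status: 0 = at or after the fix on its branch (or a branch newer than
# 7.0, assumed to carry the mainline fix); 1 = same branch but below the fix;
# 2 = branch not in the upstream list (vendor kernel or EOL branch).
copyfail_kernel_status() {
    set -- $(kver_triplet "$1")
    maj=$1; min=$2; pat=$3
    if [ "$maj" -gt 7 ] || { [ "$maj" -eq 7 ] && [ "$min" -gt 0 ]; }; then
        return 0
    fi
    for fixed in $COPYFAIL_FIXED; do
        set -- $(kver_triplet "$fixed")
        if [ "$maj" -eq "$1" ] && [ "$min" -eq "$2" ]; then
            [ "$pat" -ge "$3" ] && return 0
            return 1
        fi
    done
    return 2
}

# Verdict for the running kernel, or for a release string passed as $1.
copyfail_report() {
    rel=${1:-$(uname -r)}
    st=0
    copyfail_kernel_status "$rel" || st=$?
    case $st in
        0) printf '%s: at or after the upstream fix for CVE-2026-31431\n' "$rel" ;;
        1) printf '%s: below the upstream fix; check the distro advisory for a backport\n' "$rel" ;;
        *) printf '%s: branch not in the upstream fix list; check the distro advisory\n' "$rel" ;;
    esac
}
copyfail_report "$@"
```

Run it with no argument to check the running kernel, or pass a release string such as `6.12.84` to classify it.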
What to Watch
In addition to checking for patches, Linux users should also be aware of the potential for the CopyFail exploit to be used in conjunction with other vulnerabilities. The exploit can be used to gain root access to a system, and from there, an attacker can use other vulnerabilities to move laterally within a network. Users should be cautious when running untrusted code and should consider implementing additional security measures, such as intrusion detection systems and firewalls.
Conclusion
The CopyFail exploit is a severe threat to Linux users, and it is likely only a matter of time before it is used in the wild. Users should check if their distributions have incorporated the patches for the vulnerability and should be cautious when running untrusted code. The Linux kernel security team has patched the vulnerability, but many machines remain at risk.
Future Implications
The discovery of the CopyFail exploit highlights the importance of continued vigilance and investment in Linux security. As the Linux kernel continues to evolve and grow, it is essential that security researchers and developers work together to identify and patch vulnerabilities. This includes improving the security of the kernel’s crypto API, as well as enhancing the testing and validation processes for Linux distributions.
Recommendations
To mitigate the risk of the CopyFail exploit, Linux users should:
- Check if their distributions have incorporated the patches for the vulnerability
- Be cautious when running untrusted code
- Implement additional security measures, such as intrusion detection systems and firewalls
- Consider using alternative Linux distributions that have already patched the vulnerability
By taking these steps, Linux users can help protect themselves against the CopyFail exploit and other potential security threats.