Security researchers have disclosed Copy Fail, a critical Linux kernel vulnerability that enables a local user to obtain root access on affected systems. And more specifically, an unprivileged local user can write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root.
The flaw, tracked as CVE-2026-31431, is rated high severity. While it does not permit remote compromise on its own, it becomes critical if an attacker can execute code locally, allowing escalation from limited access to full administrative control.
The vulnerability is particularly concerning for shared Linux servers, hosting platforms, development environments, CI runners, container hosts, and cloud systems that run untrusted or semi-trusted workloads. While the risk is lower for typical desktop users, the vulnerability remains relevant if malware or a compromised process is present locally.
The disclosure includes public proof-of-concept exploit code, increasing urgency for distribution vendors and system administrators. Researchers report that the vulnerability affects many Linux systems and has been confirmed on major distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux 10.1, and SUSE Linux Enterprise Server 16.
Copy Fail was publicly disclosed on April 29, 2026. Researchers state that the underlying issue originated from a Linux kernel change in 2017, meaning the vulnerable code path existed for years before discovery and remediation.
The good news is that a fix for the Linux kernel is already available. Users and administrators should apply the latest kernel security updates from their distribution as soon as possible.
Until updates are applied, researchers recommend disabling the affected kernel module as a temporary measure. However, for most users, the best approach is to install vendor kernel updates and reboot into the patched kernel.
