Security researchers have disclosed Copy Fail, a critical Linux kernel vulnerability that enables a local user to obtain root access on affected systems. More specifically, an unprivileged local user can write 4 controlled bytes into the page cache of any readable file on a Linux system and use that to gain root.
The flaw, tracked as CVE-2026-31431, is rated high severity. While it does not permit remote compromise on its own, it becomes critical if an attacker can execute code locally, allowing escalation from limited access to full administrative control.
The vulnerability is particularly concerning for shared Linux servers, hosting platforms, development environments, CI runners, container hosts, and cloud systems that run untrusted or semi-trusted workloads. While the risk is lower for typical desktop users, the vulnerability remains relevant if malware or a compromised process is present locally.
The disclosure includes public proof-of-concept exploit code, increasing urgency for distribution vendors and system administrators. Researchers report that the vulnerability affects many Linux systems and has been confirmed on major distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux 10.1, and SUSE Linux Enterprise Server 16.
Copy Fail was publicly disclosed on April 29, 2026. Researchers state that the underlying issue originated from a Linux kernel change in 2017, meaning the vulnerable code path existed for years before discovery and remediation.
The good news is that a fix for the Linux kernel is already available. Users and administrators should apply the latest kernel security updates from their distribution as soon as possible.
Until updates are applied, researchers recommend disabling the affected kernel module as a temporary measure. However, for most users, the best approach is to install vendor kernel updates and reboot into the patched kernel.
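The two remediation steps above can each fail quietly: a kernel update that was installed but never booted, and a module that is still loaded or still loadable. The following shell functions are an added example, not code from the researchers or any vendor. The module name is not stated in this article, so it is taken as an argument, and the default paths `/lib/modules`, `/proc/modules` and `/etc/modprobe.d` are assumptions about a typical distribution layout.

```shell
#!/bin/sh
# Added example, not from the article or any vendor advisory.
# The module name is not given on the page: pass the one your vendor names.

# Print the highest version-sorted kernel release installed under DIR.
newest_kernel() {
    ls -1 "${1:-/lib/modules}" 2>/dev/null | sort -V | tail -n 1
}

# Succeed when a kernel newer than RUNNING is installed, i.e. the update
# was applied but the host has not rebooted into it yet.
reboot_pending() {
    rp_newest=$(newest_kernel "${2:-/lib/modules}")
    [ -n "$rp_newest" ] || return 1
    [ "$rp_newest" != "$1" ] || return 1
    [ "$(printf '%s\n%s\n' "$1" "$rp_newest" | sort -V | tail -n 1)" = "$rp_newest" ]
}

# Succeed when module NAME is listed in a /proc/modules-format FILE.
# /proc/modules always uses underscores, so normalise hyphens first.
module_loaded() {
    ml_name=$(printf '%s' "$1" | tr '-' '_')
    awk -v m="$ml_name" '$1 == m { found = 1 } END { exit !found }' "${2:-/proc/modules}"
}

# Succeed when modprobe configuration under DIR maps loading of NAME to
# /bin/false or /bin/true. A bare "blacklist" line is not accepted here
# because it only stops alias-based autoloading, not an explicit request.
module_blocked() {
    mb_pat=$(printf '%s' "$1" | sed 's/[-_]/[-_]/g')
    cat "${2:-/etc/modprobe.d}"/*.conf 2>/dev/null |
        grep -Eq "^[[:space:]]*install[[:space:]]+${mb_pat}[[:space:]]+/(usr/)?bin/(false|true)([[:space:]]|\$)"
}

# Report when run as: sh kernel_fix_check.sh --check MODULE_NAME
if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
    reboot_pending "$(uname -r)" && echo "newer kernel installed: reboot required"
    module_loaded "$2" && echo "$2 is currently loaded"
    module_blocked "$2" || echo "$2 has no install override in /etc/modprobe.d"
fi
```

A newer installed kernel is not necessarily a patched one; compare the running release against the fixed version listed in your distribution's advisory.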

Why was this moved off of the front page? Surely it’s more important than KDE telemetry/feedback which has been there forever.
@ yawn,
“just update and the problem will go away.”
Is that a yes or a no? Couldn’t this include JavaScript?
The Copy Fail vulnerability in the Linux kernel allows local users to gain root access on major distributions, but it does not specifically target Java. The flaw exploits a logic bug in the Linux kernel’s cryptographic subsystem, which is unrelated to Java.
With millions of lines of code we will always find stuff like this.
“While it does not permit remote compromise on its own, it becomes critical if an attacker can execute code locally, allowing escalation from limited access to full administrative control.”
Couldn’t this include JavaScript?
Just update and the problem will go away.