{"id":463613,"date":"2026-05-01T18:01:15","date_gmt":"2026-05-01T18:01:15","guid":{"rendered":"https:\/\/www.europesays.com\/ie\/463613\/"},"modified":"2026-05-01T18:01:15","modified_gmt":"2026-05-01T18:01:15","slug":"severe-linux-copy-fail-security-flaw-uncovered-using-ai-scanning-help","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/ie\/463613\/","title":{"rendered":"Severe Linux Copy Fail security flaw uncovered using AI scanning help"},"content":{"rendered":"<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">Nearly every Linux distribution released since 2017 is currently vulnerable to a security bug called \u201cCopy Fail\u201d that allows any user to give themselves administrator privileges. The exploit, <a href=\"https:\/\/copy.fail\/\" rel=\"nofollow noopener\" target=\"_blank\">publicly disclosed<\/a> as CVE-2026-31431 on Wednesday, uses a Python script that works across all of the vulnerable Linux distributions, requiring \u201cno per-distro offsets, no version checks, no recompilation,\u201d according to Theori, the security firm that uncovered it.<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\"><a href=\"https:\/\/arstechnica.com\/security\/2026\/04\/as-the-most-severe-linux-threat-in-years-surfaces-the-world-scrambles\/\" rel=\"nofollow noopener\" target=\"_blank\">Ars Technica<\/a> points out this blog post where DevOps engineer Jorijn Schrijvershof <a href=\"https:\/\/jorijn.com\/en\/blog\/copy-fail-cve-2026-31431-linux-kernel-bug-explained\/\" rel=\"nofollow noopener\" target=\"_blank\">explains<\/a> that what makes Copy Fail \u201cunusually nasty\u201d is how likely it is to go unnoticed by monitoring tools: \u201cPage-cache corruption never marks the page dirty. 
The kernel\u2019s writeback machinery never flushes the modified bytes back to disk.\u201d As a result, \u201cAIDE, Tripwire, OSSEC and any monitoring tool that compares on-disk checksums see nothing.\u201d<\/p>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">Copy Fail was identified by Theori\u2019s researchers with assistance from their Xint Code AI tool. According <a href=\"https:\/\/xint.io\/blog\/copy-fail-linux-distributions\" rel=\"nofollow noopener\" target=\"_blank\">to a blog post<\/a>, Taeyang Lee had the idea of looking into the Linux crypto subsystem and created this prompt to run an automated scan that identified several vulnerabilities in \u201cabout an hour.\u201d<\/p>\n<blockquote class=\"duet--article--blockquote ewrhy30 _1xwtict9\">\n<p class=\"duet--article--dangerously-set-cms-markup ewrhy38 _1xwtict1\">\u201cThis is the linux crypto\/ subsystem. Please examine all codepaths reachable from userspace syscalls. Note one key observation: splice() can deliver page-cache references of read-only files (including setuid binaries) to crypto TX scatterlists.\u201d<\/p>\n<\/blockquote>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph _1ymtmqpi _17nnmdy1 _17nnmdy0 _1xwtict1\">According to the exploit\u2019s disclosure page, a patch for Copy Fail was added to the mainline Linux kernel on April 1st. However, as <a href=\"https:\/\/arstechnica.com\/security\/2026\/04\/as-the-most-severe-linux-threat-in-years-surfaces-the-world-scrambles\/\" rel=\"nofollow noopener\" target=\"_blank\">Ars Technica<\/a> notes, the researchers who identified Copy Fail published the details of the exploit publicly before all of the affected distributions could release patches for it. 
Some distros, including <a href=\"https:\/\/security.archlinux.org\/CVE-2026-31431\" rel=\"nofollow noopener\" target=\"_blank\">Arch Linux<\/a>, <a href=\"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2460538\" rel=\"nofollow noopener\" target=\"_blank\">RedHat Fedora<\/a>, and <a href=\"https:\/\/explore.alas.aws.amazon.com\/CVE-2026-31431.html\" rel=\"nofollow noopener\" target=\"_blank\">Amazon Linux<\/a>, have released patches, but many others were not immediately able to address the issue.<\/p>\n","protected":false},"excerpt":{"rendered":"Nearly every Linux distribution released since 2017 is currently vulnerable to a security bug called \u201cCopy Fail\u201d that&hellip;\n","protected":false},"author":2,"featured_media":463614,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[74],"tags":[18,19,17,25688,5,983,753,82],"class_list":{"0":"post-463613","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-eire","9":"tag-ie","10":"tag-ireland","11":"tag-linux","12":"tag-news","13":"tag-security","14":"tag-tech","15":"tag-technology"},"share_on_mastodon":{"url":"","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/posts\/463613","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/comments?post=463613"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/posts\/463613\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/media\/463614"}],"wp:attachment":[
{"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/media?parent=463613"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/categories?post=463613"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/tags?post=463613"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}