Publicly released exploit code for an effectively unpatched vulnerability that grants root access on nearly all releases of Linux is setting off alarm bells as defenders scramble to fend off severe compromises inside data centers and on personal devices.
The vulnerability and the exploit code that targets it were released Wednesday evening by researchers from security firm Theori, five weeks after they privately disclosed it to the Linux kernel security team. The team patched the vulnerability in versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254, but few Linux distributions had incorporated those fixes at the time the exploit was released.
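An added, defender-side example, not code from Theori or from the article: a small Python check that compares a kernel version string (what `uname -r` reports) with the fixed stable releases listed above. The version list comes from the article; the handling of series that are not in that list, and the assumption that a host reports upstream version numbers, are mine. Because distributions frequently backport fixes without changing the version number, a "vulnerable" result is a prompt to read the distribution's advisory, not proof of exposure.

```python
# Added example (not Theori's or the kernel team's code): heuristic check of a
# kernel version string against the fixed stable releases named in the article.
import re
import subprocess

# Fixed releases exactly as listed in the article. 7.0 is mainline, so any
# version at or above 7.0 is treated as fixed (assumption: upstream numbering).
FIXED_VERSIONS = ["7.0", "6.19.12", "6.18.12", "6.12.85", "6.6.137",
                  "6.1.170", "5.15.204", "5.10.254"]


def parse_version(text):
    """Turn a `uname -r`-style string such as '6.6.130-generic' into (major, minor, patch).
    Distro suffixes (-generic, .el9, -amd64, ...) are ignored; a missing patch level is 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


# Map each stable series (major, minor) to the first fixed release on that series.
FIXED_BY_BRANCH = {parse_version(v)[:2]: parse_version(v) for v in FIXED_VERSIONS}
MAINLINE_FIXED = parse_version("7.0")


def assess(uname_r):
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for one version string.

    'unknown-branch' means the major.minor series is not in the article's list
    (e.g. 6.7 or 6.14); such series may be end-of-life or fixed elsewhere, so no
    verdict is given. 'vulnerable' assumes upstream numbering; distributions often
    backport fixes without bumping the version, so confirm against the distro advisory.
    """
    v = parse_version(uname_r)
    if v >= MAINLINE_FIXED:
        return "fixed"
    branch = v[:2]
    if branch not in FIXED_BY_BRANCH:
        return "unknown-branch"
    return "fixed" if v >= FIXED_BY_BRANCH[branch] else "vulnerable"


def running_kernel():
    """Version string of the current host, taken from `uname -r`."""
    return subprocess.run(["uname", "-r"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed sample strings, then the live host if `uname` is available.
    for sample in ["6.6.130-generic", "6.6.137-generic", "5.15.0-119-generic",
                   "6.14.0-27-generic", "7.1.0"]:
        print(f"{sample:24} {assess(sample)}")
    try:
        host = running_kernel()
        print(f"{host.strip():24} {assess(host)}")
    except (OSError, subprocess.CalledProcessError):
        pass
```

Run it as a script on each host in an inventory, or import `assess` into an existing fleet-audit job that already collects `uname -r` output; the only results worth acting on are "vulnerable" entries whose distribution has not published a backported fix.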
A Single Script to Hack Them All
The critical flaw, tracked as CVE-2026-31431 and named CopyFail, is a local privilege escalation, a vulnerability class that allows unprivileged users to elevate themselves to administrators. CopyFail is particularly severe because it can be exploited with a single piece of exploit code, released in Wednesday's disclosure, that works across all vulnerable distributions with no modification. With that, an attacker can, among other things, hack multi-tenant systems, escape containers based on Kubernetes or other frameworks, and create malicious pull requests that pipe the exploit code through CI/CD workflows.
"'Local privilege escalation' sounds dry, so let me unpack it," researcher Jorijn Schrijvershof wrote Thursday. "It means: An attacker who already has a way to run code on the machine, even as the most boring unprivileged user, can promote themselves to root. From there they can read every file, install backdoors, watch every process, and pivot to other systems."
Schrijvershof added that the same Python script Theori released works reliably on Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6, and Debian 12. The researcher continued:
Why does that matter on shared infrastructure? Because "local" covers a lot of ground in 2026: every container on a shared Kubernetes node, every tenant on a shared hosting box, every CI/CD job that runs untrusted pull-request code, every WSL2 instance on a Windows laptop, every containerised AI agent given shell access. All of them share one Linux kernel with their neighbors. A kernel LPE collapses that boundary.
The realistic threat chain looks like this. An attacker exploits a known WordPress plugin vulnerability and gets shell access as www-data. They run the copy.fail PoC. They are now root on the host. Every other tenant is suddenly reachable, in the way I walked through in this hack autopsy. The vulnerability doesn't get the attacker onto the box; it changes what happens in the next ten seconds after they land there.
The vulnerability stems from a "straight-line" logic flaw in the kernel's crypto API. Many exploits that target race conditions and memory corruption flaws don't succeed consistently across kernel versions or distributions, and sometimes not even on the same machine. Because the code released for CopyFail exploits a logic flaw, "reliability isn't probabilistic, and the same script works across distributions," researchers from Bugcrowd wrote. "No race window, no kernel offset."
CopyFail gets its name because the authencesn AEAD template (used for IPsec extended sequence numbers) doesn't actually copy data when it should. Instead, it "uses the caller's destination buffer as a scratch pad, scribbles 4 bytes past the legitimate output region, and never restores them," Theori said. "The 'copy' of the AAD ESN bytes 'fails' to stay within the destination buffer."
The Worst Linux Vulnerability in Years
Other security experts echoed the view that CopyFail poses a serious threat, with one calling it one of the "worst make-me-root vulnerabilities in the kernel in recent times."
The most recent such Linux vulnerabilities were Dirty Pipe in 2022 and Dirty Cow in 2016. Both of those vulnerabilities were actively exploited in the wild.
Disclaimer: This article is sourced from external platforms. OverBeta has not independently verified the information. Readers are advised to verify details before relying on them.