
‘Copy Fail’ Logic Flaw in Linux Kernel Allows System Takeover

A high-severity logic bug in the Linux kernel allows unprivileged attackers to write code to other files’ memory and gain a root shell, cybersecurity firm Theori reports.

Tracked as CVE-2026-31431 (CVSS score of 7.8) and dubbed Copy Fail, the issue is believed to affect all Linux distributions since 2017.

The security defect impacts the kernel’s authencesn Authenticated Encryption with Associated Data (AEAD) template, which IPsec uses for Extended Sequence Number (ESN) support.

According to Theori, the issue is that Linux places page cache pages in a writable scatterlist, that authencesn uses the caller’s destination scatterlist as scratch space, and that a 2017 optimization put page cache pages in the writable scatterlist.

When performing byte rearrangement in the scratch space, authencesn makes a call that writes four bytes of code past the AEAD tag, into the cached copy of another file.

Copy Fail allows an attacker with local code execution privileges to modify the in-memory copy of any setuid-root binary readable by the user, thus achieving root shell access, Theori explains.


According to the company, successful exploitation can be achieved with a simple 732-byte Python script, on essentially any Linux distribution shipped since 2017.

The vulnerability poses a high risk for multi-tenant Linux environments, as well as for shared-kernel containers and CI runners executing untrusted code. The main threat, Theori says, is that all changes are made directly in memory, and the file on disk remains unmodified.
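Because the tampering lives only in the page cache, one way to look for it is to compare the cached view of a file with its on-disk bytes. The following is an added example, not code from Theori or from the original article: it hashes each setuid-root binary once through ordinary reads (served from the page cache) and once with `O_DIRECT` (which bypasses the cache) and reports any difference. The function names and the default directories are assumptions; filesystems that do not support direct I/O are reported as `unsupported`.

```python
import hashlib, mmap, os, stat, sys

CHUNK = 1 << 20  # read size; a multiple of the block size, as O_DIRECT requires

def digest_buffered(path):
    """SHA-256 of the file as ordinary reads see it (served from the page cache)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def digest_direct(path):
    """SHA-256 of the on-disk bytes read with O_DIRECT; None if direct I/O fails."""
    h = hashlib.sha256()
    try:
        opener = lambda p, flags: os.open(p, flags | os.O_DIRECT)
        # An anonymous mmap gives the page-aligned buffer that O_DIRECT needs.
        with mmap.mmap(-1, CHUNK) as buf, open(path, "rb", buffering=0, opener=opener) as f:
            while True:
                n = f.readinto(buf)  # full reads keep the file offset CHUNK-aligned
                h.update(buf[:n])
                if n < CHUNK:        # a short read is treated as end of file
                    return h.hexdigest()
    except (OSError, AttributeError):  # e.g. tmpfs, or a platform without O_DIRECT
        return None

def check(path):
    """Return 'match', 'diverged' or 'unsupported' for one file."""
    direct = digest_direct(path)
    if direct is None:
        return "unsupported"
    return "match" if direct == digest_buffered(path) else "diverged"

def setuid_root_files(roots):
    """Yield root-owned regular files with the setuid bit under the given directories."""
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for path in (os.path.join(dirpath, n) for n in names):
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_uid == 0 and st.st_mode & stat.S_ISUID:
                    yield path

if __name__ == "__main__":
    # Default directories are an assumption; pass others as arguments.
    for path in setuid_root_files(sys.argv[1:] or ["/usr/bin", "/usr/sbin", "/bin"]):
        print(f"{check(path):<12}{path}")
```

A `diverged` result can also appear when a package update replaces a file during the check, so re-run the comparison before treating it as evidence of tampering.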

Copy Fail differs from both Dirty Pipe, a page cache corruption flaw that abuses pipe buffer flags, and Dirty Cow, which exploits a race condition in the COW path, the company says.

Organizations are advised to update their Linux distributions to a fixed version as soon as possible, especially in environments running untrusted workloads. According to Theori, page cache is shared across containers, and the bug leads to node and cross-tenant compromise.

The patches rolled out for Copy Fail remove the optimization introduced in 2017, reverting to out-of-place operation and removing the mechanism that “linked page cache tag pages into the writable destination scatterlist,” Theori notes.
