Copy Fail: 732 Bytes to Root on Every Linux Distribution Since 2017
CVE-2026-31431 is a local privilege escalation in the Linux kernel cryptographic subsystem. A 732-byte Python script can edit a setuid binary in memory and obtain root. CISA added it to the KEV catalog on May 7.
The Vulnerability
CVE-2026-31431, nicknamed "Copy Fail," is a local privilege escalation (LPE) vulnerability in the Linux kernel cryptographic subsystem. The flaw allows a local user to modify the kernel's cached copy of a file in memory without changing the file on disk. By targeting a setuid binary, an attacker can gain root access on essentially any Linux distribution shipped since 2017.
The vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on May 7, 2026. Microsoft's security team published a detailed analysis confirming that the flaw enables root privilege escalation across cloud environments and Kubernetes workloads.
A public exploit (a single 732-byte Python script) works reliably across all major distributions.
Why This Is Critical for Cloud and Container Environments
The threat model here extends well beyond traditional servers. In Kubernetes environments, a compromised container with this exploit can escalate to node-level root, potentially breaking out of the container sandbox entirely. Cloud providers running shared-tenancy infrastructure are exposed to cross-tenant escalation.
The vulnerability carries a CVSS score of 7.8 (High). While it requires local access, the bar for "local access" in modern infrastructure is low: any code execution vulnerability in a web application, CI runner, or container workload now becomes the first link in a root escalation chain.
The Technical Mechanism
The flaw is in the kernel's copy-on-write (CoW) mechanism as it interacts with the cryptographic subsystem's file integrity verification. Normally, when a process modifies a memory-mapped file, the kernel creates a private copy (CoW). The bug allows an attacker to race the CoW operation against the crypto subsystem's cache invalidation, so that the modification is applied to the kernel's cached version of the original file instead.
For setuid binaries like /usr/bin/sudo, this means an attacker can patch the binary in the kernel page cache to skip authentication checks and execute it to obtain root, while the on-disk binary remains untouched, which makes forensic detection harder.
The CWE Mapping
CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization): The race condition between CoW and cache invalidation is the root cause.
CWE-269 (Improper Privilege Management): The escalation from unprivileged user to root via setuid binary manipulation.
CWE-667 (Improper Locking): The cryptographic subsystem cache lock does not cover the CoW window, allowing the race.
Patch Status
All major distributions have released kernel patches:
- Ubuntu: Fixes available for 22.04 LTS, 24.04 LTS, 24.10, 26.04
- RHEL/CentOS: RHSB-2026-002 advisory with updated kernels
- Debian: Fixed in stable and testing branches
- Alpine: Fixed in 3.19+
How Deva Addresses This
Deva's container scanning pipeline checks base image kernel versions against the KEV catalog. Dockerfiles specifying unpatched base images are flagged with CWE-362 and CWE-269 findings. The NIST 800-53 and FedRAMP presets include kernel-level vulnerability checks as part of the infrastructure-as-code scanning surface.
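The check described above, and the per-distribution fix list under Patch Status, can be reduced to a small inventory scan. The script below is an added example written for this article; it is not Deva's pipeline code and not the code of any distribution. It parses a KEV-shaped record for the CVE, compares each node's `uname -r` string with the fixed release recorded for that node's own distribution, and emits a finding tagged CWE-362 and CWE-269 when a node is behind. Because containers share the host kernel, the example checks node kernels rather than anything inside an image. The KEV record, the node inventory and every fixed kernel string are constructed placeholders: the page names the advisories but not the fixed build numbers, so those must be taken from the advisories themselves.

```python
"""Check node kernel releases against a KEV-listed CVE's fixed versions.

Added example (not Deva's pipeline code). The KEV record and the fixed
kernel strings below are constructed placeholders: the page names the
distribution advisories but not the fixed build numbers.
"""
import json
import re

# Constructed KEV-style feed. Field names follow the public CISA KEV JSON
# feed; the record values are placeholders built from this page.
KEV_FEED = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2026-31431", "dateAdded": "2026-05-07",
         "vulnerabilityName": "Linux kernel cryptographic subsystem LPE (Copy Fail)"},
    ]
})

# PLACEHOLDER minimum fixed kernel release per distribution family.
# Replace with the values from each advisory listed under Patch Status.
FIXED_KERNELS = {
    "CVE-2026-31431": {
        "ubuntu": "6.8.0-999-generic",
        "rhel": "5.14.0-999.el9",
        "debian": "6.1.0-99-amd64",
        "alpine": "6.6.99-0-lts",
    },
}

# CWE ids the finding is flagged with, as stated on the page.
FINDING_CWES = ("CWE-362", "CWE-269")

# Leading numeric components of a `uname -r` string: upstream
# major.minor.patch plus the distribution's build/ABI number.
_RELEASE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-](\d+))?")


def parse_kernel(release: str) -> tuple:
    """Turn a `uname -r` string into a comparable (major, minor, patch, build) tuple."""
    m = _RELEASE.match(release)
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def in_kev(feed_json: str, cve_id: str) -> bool:
    """True if the CVE appears in the (KEV-shaped) feed."""
    feed = json.loads(feed_json)
    return any(v.get("cveID") == cve_id for v in feed.get("vulnerabilities", []))


def is_patched(cve_id: str, distro: str, release: str) -> bool:
    """Compare a node's kernel with the fixed release for its own distro.

    Distributions backport fixes, so the upstream version alone says nothing;
    the comparison is only meaningful within one distribution's release stream.
    """
    fixed = FIXED_KERNELS.get(cve_id, {}).get(distro)
    if fixed is None:
        raise KeyError(f"no fixed release recorded for {cve_id} on {distro}")
    return parse_kernel(release) >= parse_kernel(fixed)


def scan_nodes(nodes: list, cve_id: str, feed_json: str = KEV_FEED) -> list:
    """Return one finding per node still running an unpatched kernel.

    Containers share the host kernel, so the node's `uname -r` (not anything
    inside the image) decides exposure to a kernel LPE.
    """
    if not in_kev(feed_json, cve_id):
        return []
    findings = []
    for node in nodes:
        if not is_patched(cve_id, node["distro"], node["kernel"]):
            findings.append({
                "node": node["name"],
                "distro": node["distro"],
                "kernel": node["kernel"],
                "cve": cve_id,
                "cwes": list(FINDING_CWES),
            })
    return findings


# Constructed inventory of what `uname -r` returned on each node.
NODES = [
    {"name": "worker-1", "distro": "ubuntu", "kernel": "6.8.0-60-generic"},
    {"name": "worker-2", "distro": "ubuntu", "kernel": "6.8.0-999-generic"},
    {"name": "worker-3", "distro": "alpine", "kernel": "6.6.40-0-lts"},
]

if __name__ == "__main__":
    for f in scan_nodes(NODES, "CVE-2026-31431"):
        print(f"{f['node']}: {f['kernel']} unpatched for {f['cve']} ({', '.join(f['cwes'])})")
```

The comparison is deliberately keyed by distribution: a RHEL 5.14 kernel with the backported fix is patched while an upstream 6.x build without it is not, so comparing raw upstream versions across families would produce both false positives and false negatives.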
Deva Security Team
Threat research, application security analysis, and defensive engineering insights from the DevSecCode team.