A new high-security zero-day vulnerability that has lurked in the Linux kernel since 2017 has just been found with the help of AI.
This nine-year-old flaw, dubbed ‘Copy Fail’, was discovered by Taeyang Lee, a vulnerability researcher at offensive security firm Theori
Lee openly disclosed he used Xint Code, a source code analyzing tool part of Theori’s AI-driven penetration testing platform, Xint.io, to discover the vulnerability.
He reported the vulnerability to the Linux kernel security team on March 23, who started working on a patch over the next few days.
The Linux kernel security team assigned Copy Fail a unique CVE identifier, CVE-2026-31431, on April 22 and Xint.io publicly disclosed it seven days later.
Copy Fail: An Old Linux Kernel Vulnerability
Copy Fail is a logic bug in the Linux kernel’s authencesn cryptographic template. It lets an unprivileged local user trigger a deterministic, controlled four-byte write into the page cache of any readable file on the system.
Exploiting this vulnerability can allow an attacker to gain root access to the Linux kernel of a machine for all Linux distributions shipped since 2017.
While it requires no network access, no kernel debugging features and no pre-installed primitives to successfully exploit the vulnerability, the attacker must have physical access to the target machine, with an unprivileged local user account.
The vulnerability poses a risk to multi-user shared systems, container clusters (Kubernetes, Docker, etc.), and similar environments. A regular user could potentially access other users’ data as a result.
The vulnerability has been attributed a high-severity rating (CVSS) of 7.8.
Theori has published a proof-of-concept (PoC) exploit so defenders can verify their own systems and validate vendor patches.
The patch is now available. It reverts the optimization for Authenticated Encryption with Associated Data (AEAD) operations that was added in 2017.
“Update your distribution’s kernel package to a version that includes commit a664bf3d603d from the main branch,” the researchers said.
Most major Linux distributions, such as Debian, Ubuntu, SUSE and Red Hat now provide this fix.
