A dangerous new Linux exploit gives attackers access to countless computers

Source: WIRED (Security / Cyberattacks and Hacks / Security News / CopyFail)

Exploit released publicly

Code for a security vulnerability that grants root access on nearly all versions of Linux, fixed upstream but not yet in most distributions, is setting off alarm bells as defenders scramble to stave off severe compromises inside data centers and on personal devices.

The vulnerability and the code that exploits it were released Wednesday evening by researchers from security firm Theori, five weeks after they were privately reported to the Linux kernel security team. The team patched the vulnerability in versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254, but few Linux distributions had integrated these fixes at the time the exploit was released.
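A quick way to triage a fleet against the fix list above is to compare each host's running kernel version with the first patched release on its stable branch. The script below is an added example written for this article, not code from Theori or from the article itself; the branch-to-patch table is taken from the version list quoted above. The important caveat is built into it: distribution kernels (Ubuntu's 5.15.0-NNN, RHEL's 5.14.0-NNN, and similar) carry backported fixes without tracking upstream patch levels, so a "vulnerable" result means "confirm against your distribution's advisory", not proof of exposure, and a branch the article does not list is reported as unknown.

```sh
#!/bin/sh
# Added example (not from the article or from Theori): compare a kernel version
# string against the stable releases the article lists as carrying the CopyFail fix.
# Heuristic only: distro kernels often backport fixes without bumping the version.

# Map a stable branch (major.minor) to the first patch level the article lists as fixed.
# Prints nothing for branches the article does not mention.
copyfail_fixed_patch() {
    case "$1" in
        7.0)  echo 0 ;;     # fixed in the 7.0 release itself
        6.19) echo 12 ;;
        6.18) echo 12 ;;
        6.12) echo 85 ;;
        6.6)  echo 137 ;;
        6.1)  echo 170 ;;
        5.15) echo 204 ;;
        5.10) echo 254 ;;
        *)    echo "" ;;
    esac
}

# Classify one `uname -r` style string. Prints exactly one of: fixed, vulnerable, unknown.
copyfail_kernel_status() {
    raw="$1"
    # Release candidates predate the fix list; do not pretend to know.
    case "$raw" in
        *-rc*) echo unknown; return 0 ;;
    esac
    # Keep only the leading numeric version: "6.12.84-generic" -> "6.12.84".
    ver=$(printf '%s' "$raw" | sed 's/[^0-9.].*//')
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    if [ -z "$major" ] || [ -z "$minor" ]; then
        echo unknown; return 0
    fi
    if [ -z "$patch" ]; then
        patch=0
    fi
    fixed=$(copyfail_fixed_patch "$major.$minor")
    if [ -z "$fixed" ]; then
        # EOL branch, newer branch, or a distro-specific scheme: consult the vendor advisory.
        echo unknown; return 0
    fi
    if [ "$patch" -ge "$fixed" ]; then
        echo fixed
    else
        # Note: a distro kernel such as "5.15.0-91-generic" lands here with patch=0 even
        # when the vendor has backported the fix. Treat this as "check the advisory".
        echo vulnerable
    fi
}

# Usage: report on the kernel this script runs under.
echo "kernel $(uname -r): $(copyfail_kernel_status "$(uname -r)")"
```

Run it on each host (or feed it `uname -r` output collected by your inventory tooling) and treat anything other than `fixed` as a ticket to verify against the distribution's security advisory for CVE-2026-31431 rather than as a verdict.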

One script to hack them all

The critical flaw, tracked as CVE-2026-31431 and named CopyFail, is a local privilege escalation, a class of vulnerability that lets an unprivileged user elevate to administrator (root) level. CopyFail is particularly dangerous because it can be exploited with a single piece of exploit code, released in Wednesday's disclosure, that runs across all vulnerable distributions without modification. With it, an attacker can, among other things, take over multi-tenant systems, break out of containers running under Kubernetes or other orchestration frameworks, and submit malicious pull requests that carry the exploit into CI/CD workflows.

“The term ‘local privilege escalation’ sounds dry, so let me explain it,” researcher Joren Schrijvershof wrote on Thursday. “That means: An attacker who already has some way to run code on the device, even the most bored and disadvantaged user, can upgrade himself to root. From there he can read every file, install backdoors, watch every process, and morph into other systems.”

Schrijvershof added that the same Python script Theori released worked reliably for Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6, and Debian 12. The researcher continued:

Why does this matter on shared infrastructure? Because “on-premises” covers a lot of things in 2026: every container on a shared Kubernetes node, every tenant on a shared hosting box, every CI/CD task running untrusted pull request code, every WSL2 instance on a Windows laptop, every AI agent in a container granted access. They all share a single Linux kernel with their neighbors. The kernel LPE collapses those boundaries.

A realistic threat chain looks like this. An attacker exploits a known vulnerability in a WordPress plugin and gains access to a shell named www-data. They run the Copy.fail PoC. They are now rooted on the host. Every other tenant is suddenly accessible, the way you walked into this post-mortem hack. The vulnerability does not lead to the attacker gaining access to the box; It changes what happens in the next 10 seconds after they land there.

The vulnerability stems from a “straight line” logic flaw in the kernel’s cryptographic API. Exploits for race conditions and memory corruption flaws often do not succeed reliably across kernel versions or distributions, and sometimes not even on repeated runs against the same machine. Because the code released for CopyFail exploits a logic flaw, “reliability is not probabilistic, and the same script runs across distributions,” researchers from Bugcrowd wrote. “No race window, no kernel offset.”

CopyFail gets its name because the kernel’s AEAD authentication template for extended sequence numbers (ESN), used by IPsec, doesn’t actually copy the data when it should. Instead, it “uses the caller’s destination buffer as a scratchpad, scribbles 4 bytes past the legitimate output area, and never gets it back,” Theori said. The copy of the ESN associated-data (AAD) bytes “fails” to stay within the destination buffer.

The worst Linux vulnerability in years

Other security experts echoed the view that CopyFail poses a serious threat, with one saying it’s “the worst vulnerabilities I’ve had to root in the kernel lately.”

The most recent Linux vulnerabilities of comparable severity were Dirty Pipe in 2022 and Dirty COW in 2016. Both were actively exploited in the wild.


Posted on: 1777668359 (Unix epoch; 2026-05-01 20:45:59 UTC)
