HeadlinesBriefing.com

732-Byte Linux Exploit Roots Every Distro Since 2017

Hacker News

A security researcher has published a 732-byte Python script that achieves root access on virtually every Linux distribution released since 2017. The exploit, dubbed "Copy Fail" (CVE-2026-31431), targets a logic flaw in the Linux kernel's authencesn module, chaining it through AF_ALG and splice() to write directly to the page cache. Unlike most Linux privilege escalations, this requires no race window or kernel-specific offsets — just an unprivileged local user account.

The vulnerability affects all major distributions including Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 14, and SUSE 16, along with Debian, Arch, Fedora, and others running affected kernels. The kernel crypto API (AF_ALG) ships enabled by default in almost every mainstream distro, meaning the attack surface is enormous. Organizations running multi-tenant Linux hosts, Kubernetes clusters, CI runners, or any shared kernel environment face the highest risk — any untrusted user can become root.

Xint Code discovered the bug using automated scanning of the Linux crypto subsystem, spending roughly one hour on the search. The proof-of-concept is available at copy.fail for defenders to verify their systems. Patching involves updating to a kernel with mainline commit a664bf3d603d, or temporarily disabling the algif_aead module as a mitigation.
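To check whether the temporary mitigation mentioned above is actually in effect on a host, the following added example (not from the original article or the researchers) reports the state of the algif_aead module. The function names are hypothetical, and it assumes the standard `/proc/modules`, `modules.builtin` and `/etc/modprobe.d` locations and the usual modprobe `install` override convention.

```shell
#!/bin/sh
# Added example: report whether algif_aead can still be reached on this host.
# Function names are hypothetical; default paths are the usual Linux locations.

# is_loaded MODULE [PROC_MODULES] -> 0 if the module is loaded right now.
is_loaded() {
    grep -q "^$1 " "${2:-/proc/modules}" 2>/dev/null
}

# is_builtin MODULE [MODULES_BUILTIN] -> 0 if compiled into the kernel image,
# in which case modprobe configuration cannot disable it.
is_builtin() {
    grep -q "/$1\.ko" "${2:-/lib/modules/$(uname -r)/modules.builtin}" 2>/dev/null
}

# is_blocked MODULE [MODPROBE_DIR] -> 0 if an "install MODULE /bin/false" (or
# /bin/true) override exists. A bare "blacklist" line is not counted: it only
# suppresses alias matching and does not stop a load by module name.
is_blocked() {
    cat "${2:-/etc/modprobe.d}"/*.conf 2>/dev/null |
        grep -Eq "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/(usr/)?bin/(false|true)"
}

# mitigation_status [PROC_MODULES] [MODULES_BUILTIN] [MODPROBE_DIR]
# Prints one of: builtin, loaded, blocked, loadable.
mitigation_status() {
    mod="algif_aead"
    if is_builtin "$mod" "$2"; then
        echo "builtin"     # only a patched kernel helps
    elif is_loaded "$mod" "$1"; then
        echo "loaded"      # must be unloaded as well as blocked
    elif is_blocked "$mod" "$3"; then
        echo "blocked"     # mitigation in place
    else
        echo "loadable"    # module can still be loaded
    fi
}

echo "algif_aead: $(mitigation_status)"
```

Only the `blocked` result indicates the mitigation is in place; the other three mean the module is either active or still reachable.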