SC Media, Critical Vulnerabilities

‘Copy Fail’ bug can obtain root privileges in Linux distributions since 2017

The "Copy Fail" vulnerability (CVE-2026-31431, CVSS 7.8) is a local privilege escalation logic bug in the Linux kernel that allows a user with any level of local access to edit a setuid binary and obtain root privileges. It affects a wide range of Linux distributions shipped since 2017, including multi-tenant cloud and container environments. The bug was discovered using AI-assisted tooling, highlighting the accelerated pace of vulnerability discovery and the critical need for rapid patching.

April 30, 2026, by Steve Zurier

A logic bug in the Linux kernel called “Copy Fail” raised eyebrows because researchers found that a single 732-byte Python script can edit a setuid binary and obtain root privileges on essentially all Linux distributions shipped since 2017. Security researchers were also concerned about the speed at which AI found the flaw: Copy Fail surfaced after about one hour of scan time, and an exploit could be used to take over hundreds, if not thousands, of Linux systems in short order.

“In practice, it means that if an attacker gets any level of access on a typical Linux system, this bug can turn that into full system control,” said David Brumley, chief AI and science officer at Bugcrowd.

In an April 29 blog post, Theori researchers said the work began with an insight from Taeyang Lee, a Theori researcher who was looking into how the Linux cryptographic subsystem interacts with page-cache data. Lee used Theori’s AI system Xint Code in his research, and CVE-2026-31431, rated high severity with a CVSS score of 7.8, was his most important finding.

Ryan McCurdy, vice president at Liquibase, said what makes Copy Fail different is not just the bug itself but the combination of reach and discovery speed. The disclosure suggests a single short Python script can turn a normal local user into root across a wide range of Linux systems shipped since 2017, including environments such as CI runners and container hosts that many organizations rely on every day, McCurdy said.

“The other wake-up call is how it was found,” said McCurdy. “If AI-assisted tooling can surface a bug like this in about an hour, the gap between unknown vulnerability and practical exploit is shrinking fast. That means the real challenge is no longer just finding flaws. It’s whether enterprises can patch, isolate, and reduce blast radius quickly enough when vulnerability discovery starts moving at machine speed.”

Bugcrowd’s Brumley added that it’s important to understand that this is a local privilege escalation (LPE), not a remote exploit. “We’re not looking at a niche configuration issue; this bug affects a very large portion of modern Linux deployments across cloud, enterprise, and infrastructure environments,” Brumley said.

According to Brumley, multi-tenant Linux systems are at the highest risk: any environment where users get a normal Unix account is immediately affected, because those users are one click away from root. If multiple users share a machine, one compromised account becomes a full system compromise.

“It’s important now because it affects Kubernetes, Docker, and cloud-native platforms,” said Brumley. “This bug is most dangerous in infrastructure. For example, sending a malicious container through CI/CD could expose the underlying host, giving an attacker access to source code. I’m especially worried about attackers using this to leverage supply chain attacks like LiteLLM.”

Noelle Murata, chief operating officer at Xcape, Inc., advised security teams to apply the Linux kernel patch right away. Murata said that while some may take the name Copy Fail as a joke, it is a high-severity LPE that breaks fundamental memory isolation by tricking the kernel into mismanaging file-backed pages. It is a silent threat, Murata said, because it requires no complex heap grooming or return-oriented programming (ROP) chains, making it highly reliable for attackers who have already gained a foothold via web shells or compromised containers.

“Beyond the kernel patch, security leaders should treat this as a catalyst to audit terminal configurations for Bracketed Paste Mode, which serves as a secondary defense against older clipboard-injection-style Copy Fail attacks,” said Murata. “Prioritize updates for public-facing Linux servers and developer workstations, as these are the primary targets for the initial access required to trigger this exploit.”

Jason Soroko, a senior fellow at Sectigo, said the Copy Fail vulnerability compromises nearly a decade of foundational cloud and enterprise infrastructure. Ironically, Soroko said, a significant number of legacy medical and government installations running Linux kernels older than 2017 remain immune because they predate the specific memory optimization commit that introduced the flaw.

“However, security teams face a critical emergency because this exploit is perfectly reliable and remains completely invisible to traditional endpoint detection systems,” said Soroko. “An attacker achieves instant root access by maliciously modifying the shared in-memory page cache while leaving the physical disk entirely untouched. Bypassing standard checksum defenses allows this silent memory corruption to effortlessly pierce container boundaries and shatter the core isolation protocols of modern multi-tenant architectures.”
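If, as described above, the tampering changes cached pages of a setuid binary while the blocks on disk stay intact, then the page-cache view and the on-disk view of that file disagree, and comparing the two is a direct check a responder can run. The following is an added example, not code from SC Media, Theori or any of the people quoted, and not an exploit: it reads a file once through the normal path (served from the page cache) and once with O_DIRECT (which bypasses the page cache and fetches the blocks as stored on disk), and reports any difference. It assumes that 4096-byte alignment satisfies the O_DIRECT rules of the filesystem, that the filesystem supports O_DIRECT at all (tmpfs on older kernels does not, and the code reports that case separately rather than as a match), and that /tmp is writable for the constructed sample file used in the stand-alone run; the function and constant names are the example's own.

```c
#define _GNU_SOURCE            /* exposes O_DIRECT in <fcntl.h> */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_DIRECT               /* fallback if the feature macro did not take; value is per-arch */
#  if defined(__aarch64__) || defined(__arm__)
#    define O_DIRECT 0200000
#  else
#    define O_DIRECT 040000    /* assumption: x86 / generic value */
#  endif
#endif

#define DIRECT_ALIGN 4096      /* assumption: alignment O_DIRECT needs on this filesystem */

enum cache_check {
    CACHE_ERROR = -1,          /* could not read the file at all */
    CACHE_OK = 0,              /* page cache and disk agree */
    CACHE_MISMATCH = 1,        /* cached bytes differ from on-disk bytes */
    CACHE_UNSUPPORTED = 2      /* filesystem refused O_DIRECT; nothing to compare against */
};

/* Read up to cap bytes through the normal path, i.e. whatever the page cache holds. */
static ssize_t read_buffered(const char *path, unsigned char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    size_t off = 0;
    while (off < cap) {
        ssize_t n = read(fd, buf + off, cap - off);
        if (n < 0) { close(fd); return -1; }
        if (n == 0) break;
        off += (size_t)n;
    }
    close(fd);
    return (ssize_t)off;
}

/* Read up to cap bytes with O_DIRECT, bypassing the page cache. buf must be
 * DIRECT_ALIGN-aligned and cap a multiple of DIRECT_ALIGN. Returns -2 when the
 * filesystem rejects O_DIRECT (EINVAL), -1 on any other error. */
static ssize_t read_direct(const char *path, unsigned char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY | O_DIRECT);
    if (fd < 0)
        return errno == EINVAL ? -2 : -1;
    size_t off = 0;
    while (off + DIRECT_ALIGN <= cap) {
        ssize_t n = read(fd, buf + off, DIRECT_ALIGN);
        if (n < 0) { int e = errno; close(fd); return e == EINVAL ? -2 : -1; }
        if (n == 0) break;
        off += (size_t)n;
        if ((size_t)n < DIRECT_ALIGN) break;   /* short read: reached EOF */
    }
    close(fd);
    return (ssize_t)off;
}

/* Compare the first max_bytes of the cached view and the on-disk view of path. */
enum cache_check check_page_cache(const char *path, size_t max_bytes)
{
    if (max_bytes == 0) max_bytes = 1;
    size_t cap = (max_bytes + DIRECT_ALIGN - 1) / DIRECT_ALIGN * DIRECT_ALIGN;
    unsigned char *cached = malloc(cap);
    void *ondisk = NULL;
    if (cached == NULL || posix_memalign(&ondisk, DIRECT_ALIGN, cap) != 0) {
        free(cached);
        return CACHE_ERROR;
    }
    ssize_t a = read_buffered(path, cached, cap);
    ssize_t b = read_direct(path, ondisk, cap);
    enum cache_check r;
    if (a < 0 || b == -1)       r = CACHE_ERROR;
    else if (b == -2)           r = CACHE_UNSUPPORTED;
    else if (a != b || memcmp(cached, ondisk, (size_t)a) != 0) r = CACHE_MISMATCH;
    else                        r = CACHE_OK;
    free(cached);
    free(ondisk);
    return r;
}

/* Write constructed bytes to a fresh file under /tmp so the check has an input.
 * path must hold at least 32 bytes; it receives the generated name. */
int write_sample_file(char *path, const unsigned char *data, size_t len)
{
    strcpy(path, "/tmp/cachechk-XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    int ok = write(fd, data, len) == (ssize_t)len && fsync(fd) == 0;
    close(fd);
    if (!ok) unlink(path);
    return ok ? 0 : -1;
}

/* Size the check from stat() and print a one-line verdict for one file. */
enum cache_check check_path(const char *path)
{
    static const char *names[] = { "error", "ok", "MISMATCH (cache differs from disk)", "O_DIRECT unsupported" };
    struct stat st;
    size_t size = (stat(path, &st) == 0 && st.st_size > 0) ? (size_t)st.st_size : DIRECT_ALIGN;
    enum cache_check r = check_page_cache(path, size);
    printf("%s: %s\n", path, names[r + 1]);
    return r;
}

int main(int argc, char **argv)
{
    if (argc >= 2) {                       /* check every path given, e.g. the setuid list */
        int bad = 0;
        for (int i = 1; i < argc; i++)
            if (check_path(argv[i]) == CACHE_MISMATCH) bad = 1;
        return bad;
    }
    char sample[32];                       /* no args: demonstrate on a constructed file */
    const unsigned char data[] = "constructed sample, not a real setuid binary\n";
    if (write_sample_file(sample, data, sizeof data - 1) != 0) return 1;
    enum cache_check r = check_path(sample);
    unlink(sample);
    return r == CACHE_MISMATCH;
}
```

Run it as root over the setuid inventory, for example `./cachechk $(find / -xdev -perm -4000 -type f)`, since O_DIRECT needs read access to each binary. Two caveats: opening with O_DIRECT first writes back any dirty pages in the range, so the comparison only catches cached content that the kernel does not consider dirty (content it would never write out); and a modification that also reaches disk looks consistent to this check and needs a known-good hash from the package manager instead.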
