Dan Goodin, Ars Technica Security
May 1, 2026 4:30 PM

Dangerous New Linux Exploit Gives Attackers Root Access to Countless Computers

The exploit, dubbed CopyFail and tracked as CVE-2026-31431, allows hackers to take over PCs and data center servers. The Linux vulnerabilities have been patched—but many machines remain at risk.

Publicly released exploit code for an effectively unpatched vulnerability that gives root access to virtually all releases of Linux is setting off alarm bells as defenders scramble to ward off severe compromises inside data centers and on personal devices.

The vulnerability and the exploit code that targets it were released Wednesday evening by researchers from security firm Theori, five weeks after they privately disclosed it to the Linux kernel security team. The team patched the vulnerability in versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254, but few Linux distributions had incorporated those fixes at the time the exploit was released.

A Single Script to Hack Them All

The critical flaw, tracked as CVE-2026-31431 and named CopyFail, is a local privilege escalation, a vulnerability class that allows unprivileged users to elevate themselves to administrators. CopyFail is particularly severe because it can be exploited with a single piece of exploit code—released in Wednesday’s disclosure—that works across all vulnerable distributions with no modification. With that, an attacker can, among other things, hack multi-tenant systems, break out of containers based on Kubernetes or other frameworks, and create malicious pull requests that pipe the exploit code through CI/CD workflows.

“‘Local privilege escalation’ sounds dry, so let me unpack it,” researcher Jorijn Schrijvershof wrote Thursday.
“It means: An attacker who already has some way to run code on the machine, even as the most boring unprivileged user, can promote themselves to root. From there they can read every file, install backdoors, watch every process, and pivot to other systems.”

Schrijvershof added that the same Python script Theori released works reliably on Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6, and Debian 12. The researcher continued:

Why does that matter on shared infrastructure? Because “local” covers a lot of ground in 2026: every container on a shared Kubernetes node, every tenant on a shared hosting box, every CI/CD job that runs untrusted pull-request code, every WSL2 instance on a Windows laptop, every containerised AI agent given shell access. They all share one Linux kernel with their neighbors. A kernel LPE collapses that boundary.

The realistic threat chain looks like this. An attacker exploits a known WordPress plugin vulnerability and gets shell access as www-data. They run the copy.fail PoC. They are now root on the host. Every other tenant is suddenly reachable, in the way I walked through in this hack post-mortem. The vulnerability does not get the attacker onto the box; it changes what happens in the next ten seconds after they land there.

The vulnerability stems from a “straight-line” logic flaw in the kernel’s crypto API. Many exploits that target race conditions and memory corruption flaws don’t succeed consistently across kernel versions or distributions, and sometimes not even on the same machine. Because the code released for CopyFail exploits a logic flaw, “reliability isn’t probabilistic, and the same script works across distributions,” researchers from Bugcrowd wrote. “No race window, no kernel offset.”

CopyFail gets its name because the authencesn AEAD template (used for IPsec extended sequence numbers) doesn’t actually copy data when it should.
Instead, it “uses the caller’s destination buffer as a scratch pad, scribbles 4 bytes past the legitimate output region, and never restores them,” Theori said. “The ‘copy’ of the AAD ESN bytes ‘fails’ to stay inside the destination buffer.”

The Worst Linux Vulnerability in Years

Other security experts echoed the view that CopyFail poses a serious threat, with one calling it among the “worst make-me-root vulnerabilities in the kernel in recent times.” The most recent comparable Linux vulnerabilities were Dirty Pipe in 2022 and Dirty Cow in 2016. Both were actively exploited in the wild.

Linux distributors frequently stick with older kernel versions and backport fixes into them. There’s no indication in the disclosure timeline that Theori ever contacted the distributors. With the exploit available before fixed distributions were, the disclosure amounts to something very similar to a zero-day vulnerability being dropped, although the more precise term is probably “zero-day patch gap.”

“The org doing the disclosure … did an absolutely terrible job of vulnerability coordination,” Will Dormann, a senior principal vulnerability analyst at Tharros Labs, said in an interview. “What is mind boggling to me is that in their writeup they both (A) list 4 affected vendors and (B) tell readers to apply vendor patches. But before firing away with the publication, they didn’t bother to see if ANY of the vendors that they list ACTUALLY HAVE PATCHES. (None do).”

Attempts to contact Theori representatives weren’t successful.

Distributions known to have patched the vulnerability included Arch Linux and Red Hat’s Fedora. Those known to have released mitigation guidance at the time this post went live include SUSE, Red Hat, and Ubuntu. People seeking the status of other distributions should check with the respective vendors.
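As an added example, not code from the article, from Theori, or from any distribution, the following Python helper compares a kernel release string (the form `uname -r` prints) against the upstream fix versions listed earlier in the article. The function names `parse_kernel_release`, `assess_kernel` and `assess_running_kernel` are this example’s own. It assumes a kernel is fixed upstream when its version is at or above the fix release for its stable series, and it deliberately reports older builds as “unverified” rather than “vulnerable”: as the article notes, distributors backport fixes into older kernel versions, so a version number alone cannot prove a distribution kernel is exposed, and only the vendor advisory settles that.

```python
import platform
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Upstream kernel releases the article reports as carrying the CopyFail fix.
UPSTREAM_FIX_VERSIONS = [
    "7.0", "6.19.12", "6.18.12", "6.12.85",
    "6.6.137", "6.1.170", "5.15.204", "5.10.254",
]


def parse_kernel_release(release: str) -> Version:
    """Extract (major, minor, patch) from a 'uname -r' style string.

    Distribution suffixes such as '-118-generic' or '-arch1-1' are ignored,
    and a missing patch level (as in '7.0') is treated as 0.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


# Map each stable series (major, minor) to the first fixed version in it.
FIX_BY_SERIES: Dict[Tuple[int, int], Version] = {
    parse_kernel_release(v)[:2]: parse_kernel_release(v)
    for v in UPSTREAM_FIX_VERSIONS
}


def assess_kernel(release: str) -> Tuple[str, str]:
    """Classify a kernel release as 'fixed', 'unverified' or 'unknown'.

    'fixed'      - at or above the upstream fix for its stable series.
    'unverified' - older than the upstream fix; the distributor may still
                   have backported the patch, so the vendor advisory decides.
    'unknown'    - the series is not among the article's fixed releases.
    """
    version = parse_kernel_release(release)
    series = version[:2]
    fix = FIX_BY_SERIES.get(series)
    if fix is None:
        return "unknown", (
            f"no upstream fix version listed for the {series[0]}.{series[1]} "
            "series; consult the distribution advisory"
        )
    fix_str = ".".join(map(str, fix))
    if version >= fix:
        return "fixed", f"{release} is at or above upstream fix {fix_str}"
    return "unverified", (
        f"{release} predates upstream fix {fix_str}; a distribution kernel may "
        "carry a backported fix, so check the vendor advisory for this build"
    )


def assess_running_kernel() -> Tuple[str, str]:
    """Assess the kernel this script is running on (meaningful on Linux only)."""
    return assess_kernel(platform.release())


if __name__ == "__main__":
    # Constructed sample release strings, including distribution-style suffixes.
    samples = ["6.12.85", "6.12.84", "5.15.0-118-generic", "7.0.0-arch1-1", "6.17.3"]
    for sample in samples:
        status, reason = assess_kernel(sample)
        print(f"{sample:22s} {status:11s} {reason}")
```

Run it on a host to get a first triage signal, then confirm against the distribution’s own advisory; an Ubuntu-style `5.15.0-118-generic` string, for instance, parses as 5.15.0 and so can only ever come back “unverified” from a pure upstream comparison, which is exactly the backport caveat the article raises.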
Theori said it discovered the vulnerability after its researcher, Taeyang Lee, found that surface area in the crypto subsystem (specifically, the page-cache pages that splice() hands to it and scatterlist page provenance) had been underexplored. Using its AI-powered Xint code security tool, the researchers then found the bug after about an hour of scan time. The company said it has also developed an exploit that uses CopyFail to break out of Kubernetes containers.

The severity of the threat posed by CopyFail and the likelihood of active exploitation are high enough to warrant all Linux users investigating their systems immediately. Individual distributors provide useful mitigation guidance, as does the post by Schrijvershof linked above.

This story originally appeared on Ars Technica.

Dan Goodin is IT Security Editor at Ars Technica.