Publicly released exploit code for an effectively unpatched vulnerability that gives root access to virtually all releases of Linux is setting off alarm bells as defenders scramble to ward off severe compromises inside data centers and on personal devices.
The vulnerability and exploit code that exploits it were released Wednesday evening by researchers from security firm Theori, five weeks after privately disclosing it to the Linux kernel security team. The team patched the vulnerability in versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254, but few of the Linux distributions had incorporated those fixes at the time the exploit was released.
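As an added example (not from the article, Theori, or the kernel team), the following check compares a `uname -r` string against the fixed upstream releases listed above. It assumes that series newer than 7.0 carry the fix; the verdict names are hypothetical, and a distribution kernel can carry a backported fix without its upstream number changing, so a vendor build is flagged for checking against the distribution's own advisory.

```python
import re

# Upstream releases the article lists as carrying the CVE-2026-31431 fix,
# keyed by stable series (major, minor) -> first fixed patch level.
FIXED = {
    (7, 0): 0, (6, 19): 12, (6, 18): 12, (6, 12): 85,
    (6, 6): 137, (6, 1): 170, (5, 15): 204, (5, 10): 254,
}
NEWEST_FIXED_SERIES = max(FIXED)  # (7, 0)


def parse_release(release):
    """Split a `uname -r` string into ((major, minor, patch), suffix)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)$", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def classify(release):
    """Return (verdict, vendor_build) for one kernel release string."""
    (major, minor, patch), suffix = parse_release(release)
    series = (major, minor)
    prerelease = suffix.startswith("-rc")  # an -rc build precedes its release
    if series > NEWEST_FIXED_SERIES:
        verdict = "fixed-upstream"   # assumption: later series include the fix
    elif series not in FIXED:
        verdict = "no-fix-listed"    # the article names no fixed release here
    elif patch > FIXED[series] or (patch == FIXED[series] and not prerelease):
        verdict = "fixed-upstream"
    else:
        verdict = "older-than-fix"
    # A build suffix such as "-105-generic" marks a distribution kernel, which
    # may have the fix backported: the upstream number alone is not proof.
    vendor_build = bool(suffix) and not prerelease and verdict != "fixed-upstream"
    return verdict, vendor_build


if __name__ == "__main__":
    import platform
    running = platform.release()
    verdict, vendor_build = classify(running)
    note = " (vendor build: confirm against the distribution's advisory)"
    print(running, verdict + (note if vendor_build else ""))
```

Run directly, it classifies the kernel of the machine it runs on; `classify()` can also be fed release strings collected from a fleet inventory.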
A Single Script to Hack Them All
The critical flaw, tracked as CVE-2026-31431 and named CopyFail, is a local privilege escalation, a vulnerability class that allows unprivileged users to elevate themselves to administrators. CopyFail is particularly severe because it can be exploited with a single piece of exploit code, released in Wednesday’s disclosure, that works across all vulnerable distributions with no modification. With that, an attacker can, among other things, hack multi-tenant systems, break out of containers based on Kubernetes or other frameworks, and create malicious pull requests that pipe the exploit code through CI/CD work flows.
“‘Local privilege escalation’ sounds dry, so let me unpack it,” researcher Jorijn Schrijvershof wrote Thursday. “It means: An attacker who already has some way to run code on the machine, even as the most boring unprivileged user, can promote themselves to root. From there they can read every file, install backdoors, watch every process, and pivot to other systems.”
Schrijvershof added that the same Python script Theori released works reliably for Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6, and Debian 12. The researcher continued:
Why does that matter on shared infrastructure? Because “local” covers a lot of ground in 2026: every container on a shared Kubernetes node, every tenant on a shared hosting box, every CI/CD job that runs untrusted pull-request code, every WSL2 instance on a Windows laptop, every containerised AI agent given shell access. They all share one Linux kernel with their neighbors. A kernel LPE collapses that boundary.
The realistic threat chain looks like this. An attacker exploits a known WordPress plugin vulnerability and gets shell access as www-data. They run the copy.fail PoC. They are now root on the host. Every other tenant is suddenly reachable, in the way I walked through in this hack post-mortem. The vulnerability does not get the attacker onto the box; it changes what happens in the next 10 seconds after they land there.
The vulnerability stems from a “straight-line” logic flaw in the kernel’s crypto API. Many exploits exploiting race conditions and memory corruption flaws don’t consistently succeed across kernel versions or distributions, and sometimes even on the same machine. Because the code released for CopyFail exploits a logic flaw, “reliability isn’t probabilistic, and the same script works across distributions,” researchers from Bugcrowd wrote. “No race window, no kernel offset.”
CopyFail gets its name because the authencesn AEAD template process (used for IPsec extended sequence numbers) doesn’t actually copy data when it should. Instead, it “uses the caller’s destination buffer as a scratch pad, scribbles 4 bytes past the legitimate output region, and never restores them,” Theori said. “The ‘copy’ of the AAD ESN bytes ‘fails’ to stay inside the destination buffer.”
The Worst Linux Vulnerability in Years
Other security experts echoed the view that CopyFail poses a serious threat, with one saying it’s the “worst make-me-root vulnerabilities in the kernel in recent times.”
The most recent such Linux vulnerabilities were Dirty Pipe from 2022 and Dirty Cow in 2016. Both of those vulnerabilities were actively exploited in the wild.
