Nine-Year-Old Zero-Day Flaw in Linux Kernel Discovered by AI-Equipped Security Researcher


A high-severity zero-day vulnerability that has lurked in the Linux kernel since 2017 has just been found with the help of AI.

The nine-year-old flaw, dubbed ‘Copy Fail’, was discovered by Taeyang Lee, a vulnerability researcher at the offensive security firm Theori.

Lee openly disclosed that he used Xint Code, a source-code analysis tool that is part of Theori’s AI-driven penetration testing platform, Xint.io, to find the vulnerability.

He reported the vulnerability to the Linux kernel security team on March 23, and the team began work on a patch within days.

The Linux kernel security team assigned Copy Fail the identifier CVE-2026-31431 on April 22, and Xint.io publicly disclosed it seven days later.

Copy Fail: An Old Linux Kernel Vulnerability

Copy Fail is a logic bug in the Linux kernel's authencesn cryptographic template (the "authenc with extended sequence number" AEAD construction). It lets an unprivileged local user perform a deterministic, attacker-controlled four-byte write into the page cache of any file they can read, including files they have no permission to write.

A successful exploit gives the attacker root on the machine, and because the flawed code has been in the kernel since 2017, every Linux distribution shipped since then is affected.

Exploitation needs no network access, no kernel debugging features and no pre-installed primitives. What it does need is code execution as an unprivileged local user on the target, for example a shell account or a process running inside a container; physical access to the machine is not required.

The vulnerability poses a risk to multi-user shared systems, container clusters (Kubernetes, Docker and the like) and similar environments, where a regular user could gain access to other users' data as a result.

The vulnerability carries a CVSS score of 7.8 (high severity).

Theori has published a proof-of-concept (PoC) exploit so that defenders can verify whether their own systems are affected and validate vendor patches.

The patch is now available. It reverts the optimization for Authenticated Encryption with Associated Data (AEAD) operations that was added in 2017.

"Update your distribution’s kernel package to a version that includes commit a664bf3d603d from the main branch," the researchers said.

Most major Linux distributions, such as Debian, Ubuntu, SUSE and Red Hat, now provide this fix.
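The following script is an added example written for this article; it is not Theori's PoC and not code from the kernel project. It gives an administrator two ways to answer "is this host patched?": whether the running kernel's distribution package changelog mentions CVE-2026-31431, and, for kernels built from source, whether the fix commit a664bf3d603d named by the researchers is an ancestor of HEAD in a local git checkout. The CVE and commit IDs come from the article; the package names (linux-image-*, kernel-core-*, kernel-*, kernel-default), the assumption that distributions record CVE IDs in their changelogs, and the optional source-tree path are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not Theori's PoC, not from the article or the kernel tree):
# check whether this host carries the Copy Fail fix using two signals.
#   1. The distro changelog of the running kernel package mentions the CVE ID
#      (assumes the distro records CVE IDs in changelogs, as Debian, Ubuntu,
#      SUSE and Red Hat generally do).
#   2. A local kernel git checkout has the fix commit in the history of HEAD.
# Only CVE_ID and FIX_COMMIT come from the advisory; everything else here
# (package-name patterns, the optional source-tree path) is assumed.

CVE_ID="CVE-2026-31431"
FIX_COMMIT="a664bf3d603d"   # mainline commit named by the researchers

# changelog_mentions_cve TEXT CVE: exit 0 if TEXT contains the literal CVE ID.
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -q -F -- "$2"
}

# running_kernel_changelog: print the distro changelog of the running kernel
# package; prints nothing when no supported package manager is present.
running_kernel_changelog() {
    krel=$(uname -r)
    if command -v apt >/dev/null 2>&1; then
        apt changelog "linux-image-$krel" 2>/dev/null          # Debian/Ubuntu
    elif command -v rpm >/dev/null 2>&1; then
        # RHEL-style kernel-core, older "kernel" naming, then SUSE kernel-default
        rpm -q --changelog "kernel-core-$krel" 2>/dev/null \
            || rpm -q --changelog "kernel-$krel" 2>/dev/null \
            || rpm -q --changelog kernel-default 2>/dev/null
    fi
}

# kernel_tree_has_fix DIR: exit 0 if the checkout in DIR has FIX_COMMIT in
# the history of HEAD. Definitive for kernels built from a mainline/stable tree.
kernel_tree_has_fix() {
    git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null
}

# check_running_kernel [SRC_DIR]: return 0 if the fix is proven present, 1 otherwise.
# A return of 1 is "not proven", not proof of exposure: changelog formats differ
# between distributions, so compare a negative result against the vendor advisory.
check_running_kernel() {
    if [ -n "${1:-}" ] && kernel_tree_has_fix "$1"; then
        echo "patched: $FIX_COMMIT is in the history of HEAD in $1"
        return 0
    fi
    if changelog_mentions_cve "$(running_kernel_changelog)" "$CVE_ID"; then
        echo "patched: package changelog for $(uname -r) mentions $CVE_ID"
        return 0
    fi
    echo "not proven patched: kernel $(uname -r); check your vendor advisory"
    return 1
}

# Run the check only when executed directly as copyfail-check.sh,
# so the functions can also be sourced from other scripts.
if [ "${0##*/}" = "copyfail-check.sh" ]; then
    check_running_kernel "$@"
fi
```

Save it as copyfail-check.sh and run `sh copyfail-check.sh`, or `sh copyfail-check.sh /path/to/linux` to also test a source checkout. The changelog test is a heuristic, since distributions do not all format security entries the same way; the git ancestry test is exact but only applies to kernels you built yourself.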
