Critical 'Copy Fail' Bug Lets Unprivileged Users Gain Root on Nearly All Modern Linux Systems

Last updated: 2026-05-02 03:28:15 · Cybersecurity

A severe privilege escalation vulnerability, dubbed 'Copy Fail,' exposes nearly every Linux distribution released since 2017 to complete system takeover. The flaw, tracked as CVE-2026-31431, allows any unprivileged user to instantly gain administrator (root) access using a single Python script.

The exploit works across all vulnerable distributions without requiring per-distribution offsets, version checks, or recompilation. Theori, the security firm that uncovered the bug, demonstrated the attack in a proof-of-concept released alongside Wednesday's public disclosure.

'This is a universal Linux stack escape — it bypasses all common security boundaries regardless of the distro or kernel version,' said a senior researcher at Theori. 'The script is portable and stealthy, making it a potent tool for attackers already inside a system.'

DevOps engineer Jorijn Schrijvershof described the bug as 'unusually nasty' due to its ability to evade monitoring systems. 'Because the exploit operates within normal file copy operations, standard audit logs may not flag it as malicious,' he explained in a blog post.

Background

The vulnerability resides in the way Linux handles file copy operations with specific mount flags. By triggering a race condition during the copy process, an attacker can overwrite sensitive system files, effectively granting themselves root privileges.

Source: www.theverge.com

Theori discovered the flaw using AI-assisted scanning tools that analyze kernel code paths for subtle timing bugs. Traditional static analysis failed to catch the issue because the bug depends on race conditions that only manifest under a precise execution order.

All mainstream distributions — including Ubuntu, Debian, Fedora, CentOS, and Arch Linux — are affected if they use kernel versions from late 2016 onward. Containerized environments and cloud instances are equally at risk because the bug operates at the filesystem level.

What This Means

For system administrators, this vulnerability represents a critical threat that can be exploited by any user who already has local access — including through compromised web applications or SSH sessions. Once exploited, the attacker gains full control over the machine, allowing data exfiltration, malware installation, and lateral movement within a network.

Theori recommends immediate patching as distributions release updates. Users can mitigate risk by restricting access to local accounts and monitoring for unusual file-copy timeouts, but a full fix requires kernel updates.

Organizations should prioritize this vulnerability due to its 'no-touch' exploitability: no external tools, no compilation, and no per-system tweaks. The Python script works out of the box on any vulnerable system.

Security teams are urged to apply updates as soon as they become available. In the interim, administrators can reduce exposure by implementing strict access controls and enabling additional logging for file copy operations.