Theori · 2026-04-29 · major
Copy Fail (CVE-2026-31431) — AI-Assisted Scan Finds 9-Year-Old Linux Root Exploit in About an Hour
Theori's AI-driven security scanner Xint Code surfaced CVE-2026-31431, a logic flaw in the Linux kernel's authencesn AEAD path. A 4-byte page-cache write through AF_ALG and splice grants unprivileged users root on every major distro shipped since 2017.

Theori's AI-driven scanner Xint Code surfaced a 9-year-old Linux kernel logic bug in roughly an hour, with a 732-byte Python proof-of-concept.
Key specs
| Spec | Value |
|---|---|
| GitHub stars | 412 |
| CVE | CVE-2026-31431 |
| Scan time | ~1 hour |
| PoC size | 732 bytes |
| Affected since | 2017 |
| HN points | 615 |
What is it?
CVE-2026-31431, nicknamed Copy Fail, is an unprivileged-to-root Linux kernel vulnerability in the authencesn AEAD path. Theori found it using Xint Code, a security research tool that runs guided scans across kernel subsystems based on an attack-surface description from a human researcher.
How does it work?
splice() places page-cache references for readable files (including setuid binaries) into AF_ALG crypto scatterlists. A 2017 in-place optimization in authencesn writes a 4-byte authentication tag back into that page-cache, corrupting the cached file content for every reader. Chaining this against /etc/sudoers or a setuid binary yields root.
Why does it matter?
Every mainstream distro shipped since 2017 — Ubuntu, RHEL, Amazon Linux, SUSE, Debian, Arch — is exposed to a local-root escalation. The proof-of-concept fits in 732 bytes of pure Python with no third-party dependencies, so disclosure-day mitigation is now urgent for any multi-tenant Linux box.
Who is it for?
Linux infrastructure teams, kernel maintainers, security engineers
Try it
echo 'install algif_aead /bin/false' | sudo tee /etc/modprobe.d/disable-algif.conf && sudo rmmod algif_aead
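
To confirm that the mitigation command above took effect, the following added example (not part of the original page or of Theori's material) reports the state of algif_aead on a host. The function names and status strings are this example's own, and by default it inspects only /etc/modprobe.d, /proc/modules and the running kernel's modules.builtin.

```shell
#!/bin/sh
# Added example: report whether the algif_aead mitigation is in effect.
# File locations are arguments so the checks can run against fixtures.

# True if the module is compiled into the kernel, in which case rmmod and
# modprobe.d do not apply. modules.builtin lists paths like kernel/crypto/algif_aead.ko.
is_builtin() {
    [ -r "$1" ] && grep -q '/algif_aead\.ko' "$1"
}

# True if a /proc/modules-style file lists algif_aead as currently loaded.
is_module_loaded() {
    [ -r "$1" ] && awk '$1 == "algif_aead" { hit = 1 } END { exit !hit }' "$1"
}

# True if a *.conf file in the directory overrides loading with false/true,
# e.g. "install algif_aead /bin/false". Commented-out lines do not match.
has_install_override() {
    [ -d "$1" ] || return 1
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if awk '$1 == "install" && $2 == "algif_aead" && $3 ~ /(^|\/)(false|true)$/ { hit = 1 }
                END { exit !hit }' "$f"; then
            return 0
        fi
    done
    return 1
}

# Prints one of: builtin | loaded | blocked | loadable
mitigation_status() {
    conf_dir=${1:-/etc/modprobe.d}
    loaded_file=${2:-/proc/modules}
    builtin_file=${3:-/lib/modules/$(uname -r)/modules.builtin}
    if is_builtin "$builtin_file"; then
        echo builtin      # rmmod and modprobe.d do not apply to built-in code
    elif is_module_loaded "$loaded_file"; then
        echo loaded       # module is still present until rmmod succeeds
    elif has_install_override "$conf_dir"; then
        echo blocked      # not loaded, and modprobe runs false/true instead
    else
        echo loadable     # not loaded, but nothing prevents loading it
    fi
}

if [ "${1:-}" = "--check" ]; then mitigation_status; fi
```

Run it as `sh check-algif.sh --check` (the file name is arbitrary); only `blocked` means the command above is fully in effect.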