Linux Kernel Exploit: 'Worst Make-Me-Root' Found
1 May
Summary
- New CopyFail exploit grants root access to most Linux versions.
- Exploit code works across all vulnerable distributions without modification.
- Considered the worst Linux vulnerability in recent times.

A severe vulnerability, dubbed CopyFail (CVE-2026-31431), has emerged, allowing attackers to gain root access on most Linux systems. Exploit code was publicly released by Theori researchers five weeks after its private disclosure to the Linux kernel security team. While patches were developed for various kernel versions, few distributions had incorporated these fixes by the time the exploit code became available.
The CopyFail flaw is a local privilege escalation vulnerability, meaning an attacker with minimal access can become a system administrator. Its severity is amplified by a single exploit script released by Theori that works unmodified across all affected Linux distributions. This allows for potential compromise of multi-tenant environments, container breakouts from frameworks like Kubernetes, and malicious code injection via CI/CD pipelines.
Researchers noted that the exploit's reliability stems from a logic flaw in the kernel's crypto API, avoiding common issues like race conditions or kernel offset dependencies. The vulnerability's name originates from a flaw in the authentication AEAD template process where data is not properly copied, leading to a buffer overflow.
Security experts have counted CopyFail among the "worst make-me-root vulnerabilities in the kernel in recent times," comparable to Dirty Pipe and Dirty COW. The public release of the exploit before widespread patches creates a "zero-day patch gap." Some distributions like Arch Linux and Red Hat Fedora have patched the vulnerability, while others such as SUSE, Red Hat, and Ubuntu have provided mitigation guidance.