With a hunch, and an hour of AI-assisted scanning, cybersecurity researchers identified and then figured out how to exploit a nine-year-old root escalation vulnerability affecting every Linux build since 2017.
The vulnerability, which researchers at Xint are calling “Copy Fail,” has officially been given the designation CVE-2026-31431. It allows any local user to escalate root by leveraging a logic flaw in the Linux kernel’s cryptography system. The flaw allows any unprivileged attacker to write four specific bytes of data to the in-memory copy of a readable file, to essentially piggyback on the program’s default root powers.
Copy Fail works thanks to a long history of otherwise sensible updates to the Linux kernel over the years — particularly one update from 2017, which was meant to speed up data encryption. Ironically, then, old, unpatched devices are actually in the clear here.
Considering the severity of the issue, one might imagine that exploiting it would be complex. Not so — Xint’s public proof-of-concept (PoC) exploit code on GitHub runs only 10 lines long. Luckily, a patch is just as freely downloadable.
The Risks in Copy Fail
CVE-2026-31431 works equally across all Linux distributions. It requires no funky race conditions. Where most local privilege escalation (LPE) bugs in Linux are probabilistic, Xint noted in its blog post, CVE-2026-31431 works 100% of the time. Because exploitation occurs in temporary memory, it leaves no trace of a crime on the disk, and evidence of the crime will clear as soon as the system is rebooted.
With the root-level powers it affords, there are any number of creative and destructive things a bad actor can do. “You can edit important system configuration files or important programs on the system,” explains Xint senior security researcher Tim Becker. “Through various mechanisms like that, you can achieve local privilege escalation, manipulating sensitive configurations of applications running on the system.”
Most worrying of all, he adds, “It’s very common for people to use Kubernetes clusters to deploy their applications. And this sort of vulnerability allows container escape from any pod in a Kubernetes cluster to impact the others, or to impact the host that the cluster is running on.”
The possible attack scenarios only go on from there. “Another really scary application is continuous integration (CI) runners” — agents or machines that programmatically perform tasks in a software development pipeline. “Most software engineering has some sort of continuous integration or continuous testing. Whenever someone opens a pull request containing a code change, some checks and tests will run automatically. And if it’s possible for an attacker to inject this exploit into those tests that run automatically, they can escape the container that the CI job is running in. And they can potentially access sensitive secrets that are in the environment, or even sometimes deployment keys that are in CI because your deployment happens from there.”
AI-Driven Vulnerability Research, in Practice
While world leaders, business executives, and Internet conspirators decry the Claude Mythos-induced end of the world, researchers like Becker are quietly already doing the AI-driven vulnerability research everyone’s worried about, demonstrating how that work might actually look for the foreseeable future.
“We’ve had a ton of success using our [internal AI] tool on various databases like Postgres, Redis, MariaDB, where we literally just drop the code in, don’t provide any human insight, and we get out an exploitable bug that has been there in some cases for over 20 years. So it is totally possible for AI to find deep, exploitable bugs that have been there for a long time,” he explains.
From his perspective, though, an issue so subtle and so dangerous as Copy File wouldn’t likely have been unearthed by AI alone. Instead, a Xint researcher had the insight to look for exactly such a vulnerability as Copy File, and then the AI did the grunt work of actually identifying the specifics.
“AI is changing the vulnerability research landscape significantly. Essentially everyone I know in the space is using AI to some extent now, to significantly increase their output. And this bug was no different,” Becker acknowledges. Still, for issues as intricate as Copy File, “This feels to me like something that human insight is still useful for. But just barely.”
