The world is caught off guard by the most serious Linux threat to surface in years



The publicly released exploit code for an effectively unpatched vulnerability that gives root access to virtually all releases of Linux is raising alarm bells as defenders scramble to prevent serious compromises in data centers and personal devices.

The vulnerability and the exploit code for it were released on Tuesday, five weeks after researchers at security firm Theori privately disclosed the flaw to the Linux kernel security team. The team fixed the vulnerability in versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204 and 5.10.254.
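A defender can compare a host's kernel release string against the fixed releases listed above. The following is an added example, not code from Theori or from the article; it assumes the run-together entry in the list reads as 6.18.12 and 6.12.85, and the function name and result labels are illustrative. Distribution kernels often backport fixes without changing the upstream number, so a "predates-fix" result means the vendor advisory still has to be checked.

```python
import platform
import re

# Fixed release per stable series, taken from the article's list.
# Assumption: "6.18.126.12.85" in the source is 6.18.12 and 6.12.85.
FIXED = {
    (6, 19): 12, (6, 18): 12, (6, 12): 85, (6, 6): 137,
    (6, 1): 170, (5, 15): 204, (5, 10): 254,
}
FIRST_FIXED_MAINLINE = (7, 0)


def classify(release: str) -> str:
    """Classify a `uname -r` style string by upstream version number only."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        return "unparsed"
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)  # "7.0" has no patch component
    # Release candidates can predate the fix even if the number looks new.
    if re.search(r"-rc\d+", release):
        return "prerelease"
    if (major, minor) >= FIRST_FIXED_MAINLINE:
        return "fixed-upstream"
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # Series not in the article's list: nothing to compare against.
        return "no-fix-listed"
    return "fixed-upstream" if patch >= fixed_patch else "predates-fix"


if __name__ == "__main__":
    # Constructed sample strings, followed by the local kernel.
    samples = ["6.6.136-generic", "6.12.85", "5.15.0-105-generic",
               "6.17.3", "7.0.0-rc3", platform.release()]
    for rel in samples:
        print(f"{rel:28} {classify(rel)}")
```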

A single script breaks all distros

The critical flaw, tracked as CVE-2026-31431 and named CopyFail, is a local privilege escalation, a class of vulnerability that allows unprivileged users to elevate themselves to administrators. CopyFail is particularly severe because it can be exploited with a single piece of exploit code that works on all vulnerable distributions without modification, according to Wednesday’s disclosure. With this, an attacker can, among other things, compromise multi-tenant systems, break out of containers based on Kubernetes or other frameworks, and create malicious pull requests that deliver exploit code through CI/CD workflows.

“‘Raising local privilege’ sounds dry, so let me unpack it,” researcher Jorijn Schrijvershof wrote Thursday. “This means that an attacker who already has a way to run code on a machine, even the most boring unprivileged user, can turn themselves into root. From there, they can read every file, install backdoors, monitor every process, and invade other systems.”

Schrijvershof added that the same Python script from Theori's release works reliably on Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6 and Debian 12. The researcher continued:


