Linux Vulnerability CVE-2026-31431 Exploited

May 5, 2026 04:01 · 12 min read
Linux Vulnerability 'Copy Fail' Exploited in the Wild

Attackers are actively exploiting a Linux vulnerability, dubbed 'Copy Fail', which gives an attacker with authenticated local access total control of the system. The vulnerability, identified as CVE-2026-31431, affects mainstream Linux kernels built since 2017. Theori, the company that discovered the bug, used AI to find and initially disclose it, but the disclosure has been criticized for lacking technical details and for containing AI-generated language that was long on bluster.

Discovery and Disclosure

Theori's AI-powered penetration testing platform, Xint, discovered the local privilege-escalation flaw in a Linux kernel module and reported it to the Linux kernel security team on March 23. Major Linux distributions affected by the vulnerability had issued patches prior to Theori's disclosure, which it published alongside a proof-of-concept exploit.

The Cybersecurity and Infrastructure Security Agency added CVE-2026-31431 to its known exploited vulnerabilities catalog on Friday. Researchers have yet to determine how many organizations have been affected by the flaw, but they noted that a critical requirement for exploitation, namely local access obtained through a separate exploit or some other path to unauthorized access, should limit potential exposure.

Limiting Factors and Potential Impact

According to Spencer McIntyre, a security researcher at Rapid7, the attacker would need to have already established a foothold on the target system, either through some means of legitimate access or through another exploit. "That's a large limiting factor since this vulnerability would therefore need to be paired with another," he said.

Caitlin Condon, vice president of security research at VulnCheck, noted that the exploit is real, but teams now have to do additional validation to know how to parse the extreme AI FUD from Theori's blog post. "It's not helpful that the blog is AI slop, because it detracts from technical reality," she added.

Theori's Response and Withholding of Details

Theori acknowledges that it used AI to discover and describe the vulnerability, explaining that it is focusing on finding and fixing a large number of defects. Tim Becker, senior security researcher at Theori, said the company used AI to help craft the disclosure site and the blog post in order to speed things up, but that all material was thoroughly reviewed by internal teams for accuracy.

Theori is intentionally withholding additional details until the patch is broadly applied, Becker added. "We stand by our technical description of the vulnerability. Helping downstream users to understand the impact of a security bug has always been a challenge for security researchers," he said.

Implications and Automated Exploitation

'Copy Fail' allows trivial privilege escalation on most desktop and server Linux distributions, and has implications for containerized environments, including Kubernetes. Other researchers have drawn similar conclusions, noting that exploitation can be automated and does not require specialized skills.

Since the vulnerability was disclosed five days ago, hundreds of additional proof-of-concept exploits have surfaced. Condon noted that the majority of these appear to be copycat AI-generated PoCs that do nothing but add banners or different colors to the command-line interface. Many of the new PoCs are simply ports of the original AI-generated PoC to a different programming language.

Source: CyberScoop
