CopyFail Linux Privilege Escalation Exploit Released, Works Across Major Distros Despite Patches

TL;DR: A publicly released Python script exploits CVE-2026-31431 to gain root on Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6 and Debian 12. The flaw was patched in recent kernel versions but most distributions had not applied the fixes when the code appeared.

The vulnerability, dubbed CopyFail, is a local privilege escalation in the Linux kernel that lets any user who can execute code jump to root privileges. Researchers at security firm Theori disclosed the flaw privately to the kernel team five weeks before publishing the exploit on Wednesday evening.

Although the kernel team issued fixes for versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204 and 5.10.254, the majority of Linux distributions had not integrated those patches at the time of release. This left systems running Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6 and Debian 12 exposed.

The exploit consists of a single Python script that works unmodified across the four distributions, granting attackers full file access, the ability to install backdoors, monitor processes and pivot to other systems.

Because the vulnerability requires only local code execution, it can be chained after initial compromises such as phishing, malicious containers or compromised CI/CD pipelines.

For defenders, the issue means that any existing foothold on a Linux host can be escalated to root without needing distribution‑specific tweaks, increasing the risk of lateral movement in data centers and cloud environments.

The ease of a one‑script exploit lowers the barrier for attackers, making rapid detection and containment essential.

Apply the latest kernel updates that include the CVE-2026-31431 fix; distributions have begun backporting patches to their supported releases.

Restrict untrusted code execution with SELinux/AppArmor profiles and limit user privileges to the minimum required.

Deploy detection rules for the exploit behavior, such as monitoring for unusual ptrace or process injection attempts, and use MITRE ATT&CK technique T1068 as a reference for hunting.

Watch for distribution‑specific security advisories confirming patch availability and for any observed exploitation attempts in the wild over the coming weeks.