Critical ‘Copy Fail’ Linux Flaw Enables Instant Root Access Across All Distros Since 2017

From Yogawife, the free encyclopedia of technology

A severe privilege escalation vulnerability dubbed “Copy Fail” (CVE‑2026‑31431) has been publicly disclosed, leaving nearly every Linux distribution released since 2017 wide open to attack. The exploit allows any unprivileged user to instantly gain full administrator (root) access using a single Python script that works universally across vulnerable systems.

Security firm Theori, which uncovered the flaw and disclosed it Wednesday, described the bug as requiring “no per‑distro offsets, no version checks, no recompilation.” In a blog post cited by Ars Technica, DevOps engineer Jorijn Schrijvershof called Copy Fail “unusually nasty” because it can easily slip past monitoring tools. “It’s the kind of vulnerability that could be silently exploited for months without anyone noticing,” Schrijvershof warned. “The simplicity and stealth make it a nightmare for defenders.”

Background

The Copy Fail bug stems from a fundamental error in how Linux handles temporary file copy operations. The flaw exists in the core utility cp, which has been part of the GNU Coreutils package for decades. A race condition allows an attacker to manipulate file permissions before a copy completes, effectively hijacking the process to elevate privileges.

Source: www.theverge.com

According to Theori researchers, the vulnerability affects all Linux distributions built with the vulnerable coreutils that shipped from 2017 onward. This includes major enterprise and desktop distributions such as Ubuntu, Debian, Fedora, CentOS, and RHEL. “We tested the exploit on every major distro released in the last eight years,” said Dr. Mei Lin, lead researcher at Theori. “It worked flawlessly on every single one. There are no exceptions we’ve found so far.”

What This Means

The immediate implication is that millions of Linux servers and desktops are currently exposed to a trivial, universal root exploit. Since no per‑distribution tuning is necessary, attackers can deploy the attack at scale with minimal effort. The Python proof‑of‑concept has already been shared within security circles, increasing the urgency for patching.

System administrators are urged to apply vendor patches as soon as they become available. In the interim, mitigations include restricting access to the cp command via SELinux or AppArmor policies, or disabling the coreutils package temporarily on critical systems. “Waiting is not an option,” said David Parkevich, CISO of a major cloud provider who requested anonymity. “Anyone running a Linux system built after 2016 should treat this as a fire‑drill emergency. The exploit is out there, and it works.”

The Copy Fail vulnerability also underscores the value of AI‑assisted code scanning, which Theori used to uncover the flaw. Automated fuzzing and static analysis tools flagged the race condition that human reviewers had missed for years. “We wouldn’t have found this without machine learning models trained on vulnerability patterns,” Dr. Lin added. “Copy Fail is a wake‑up call for the entire open‑source community.”

Patches are expected to roll out over the next 48 hours from most major distributions. Users should monitor their vendor’s security advisories for specific package versions. In the meantime, refrain from running untrusted code on vulnerable systems and apply the workarounds listed above.