Copy Fail (CVE-2026-31431): A Linux Kernel Vulnerability Enabling Container Escape to Host Root on Kubernetes
By tptacek
Summary
Two weeks ago, Copy Fail (CVE-2026-31431) was disclosed: a dangerous Linux local privilege escalation vulnerability that exploits a kernel memory corruption flaw without injecting code into a running kernel. It gives attackers a repeatable, controlled 4-byte write into the Linux page cache backing any readable file, allowing them to rewrite cached file contents. The article walks through using Copy Fail as a container escape primitive, showing how to go from a 4-byte page cache write to host root access on Kubernetes.
Key quotes
Copy Fail exploits a kernel memory corruption flaw without injecting code into a running kernel, which makes it small and unusually portable.
Copy Fail gives attackers a repeatable, controlled 4-byte write into the Linux page cache backing any readable file; in other words, it allows attackers to rewrite the cached contents of files on a Linux filesystem.
To help operators determine their susceptibility to Copy Fail, we published a proof-of-concept exploit and a model attack
