Copy.Fail: Linux Kernel Flaw Enables Undetectable Local Privilege Escalation Across Major Distributions
Security researchers have disclosed a critical Linux kernel vulnerability, designated copy.fail, that allows local attackers to escalate privileges to root-level access by exploiting a flaw in the kernel crypto API. The flaw, disclosed by Theori on April 29, 2026, takes advantage of AF_ALG sockets combined with the splice() system call to write four bytes at a time directly into the page cache of files the attacker does not own—without ever modifying the actual file on disk.
The exploit's most alarming characteristic is its universal portability. Unlike typical kernel exploits that require distribution-specific adjustments, copy.fail runs unmodified across Ubuntu, Red Hat Enterprise Linux, Debian, SUSE, Amazon Linux, and Fedora. Researchers note the absence of race conditions or per-distribution memory offsets, suggesting the vulnerability stems from a fundamental design flaw in how the kernel handles cryptographic operations and cache manipulation rather than from any distribution's configuration. This breadth of applicability dramatically expands the attack surface for any multi-user Linux system.
Compounding the risk, traditional integrity-monitoring tools fail to detect the attack. Because the malicious modifications occur only in memory—never touching the filesystem—security solutions such as AIDE, Tripwire, and checksum-based monitoring remain blind to the exploit. Furthermore, Kubernetes Pod Security Standards at the Restricted level and the default RuntimeDefault seccomp profile do not block the vulnerable syscall, meaning containerized workloads remain exposed without custom seccomp rules. The upstream fix reached the mainline kernel on April 1, and distributions are currently rolling out patched kernels. Systems administrators are urged to apply updates immediately, particularly on servers hosting untrusted code or multi-tenant workloads.