732 bytes of Python just borked every Linux machine on earth…

By Fireship

Key Concepts

  • Copy-Fail (CVE-2026-31431): A critical Linux kernel vulnerability allowing local privilege escalation.
  • AF_ALG: A Linux kernel interface that exposes cryptographic algorithms to user space.
  • ONC ESN (Authentication Encryption Extended Sequence Numbers): A specific kernel component involved in the vulnerability.
  • Page Cache: A memory area in the kernel that stores file data to speed up access.
  • Privilege Escalation: An exploit that allows a user to gain higher-level permissions (e.g., root access).
  • AI-Driven Vulnerability Research: The use of AI agents to scan codebases and automatically generate functional exploits.

1. Overview of the Vulnerability

The "Copy-Fail" vulnerability (CVE-2026-31431) is a high-severity logic flaw residing in the Linux kernel. It has been present in the kernel code since 2017. The vulnerability affects virtually all Linux distributions, including Ubuntu, SUSE, Amazon Linux, Red Hat, Debian, and Arch. It has been officially confirmed by the Linux kernel team and added to CISA’s "Known Exploited Vulnerabilities" (KEV) list.

2. Technical Mechanism: How the Exploit Works

The exploit is triggered via a small Python script that leverages the AF_ALG interface.

  • The Flaw: The vulnerability exists within the AF_ALG splice function. The ONC ESN component incorrectly writes four bytes of "scratch data" into what it assumes is a crypto output buffer.
  • The Impact: Due to the bug, this output buffer can be redirected to the page cache of a read-only file (such as the su binary).
  • The Result: By overwriting four bytes of a read-only system file, an unprivileged local user can manipulate system binaries to execute commands with root privileges.

3. Discovery and AI Involvement

The discovery of this flaw marks a significant shift in cybersecurity:

  • AI-Powered Discovery: The vulnerability was not found by human researchers but by an AI agent. The agent was given a specific prompt: "Splice can deliver page cache references of read-only files to crypto TX scatter lists, could you look?"
  • Efficiency: The AI agent identified the flaw and generated a functional exploit in approximately one hour of scan time.
  • Market Value: While gray-market bounties for such exploits range from $10,000 to $7 million (per Crowdfense pricing), this exploit was released publicly for free by the company behind the AI agent (Theori).

4. Risk Assessment and Mitigation

  • Exploitability: The vulnerability is not remotely exploitable. An attacker must already have a foothold on the system (e.g., via SSH or a compromised application) or be a local user to execute the script.
  • Urgency: Despite the requirement for local access, the ease of use (via tools like Metasploit) makes it a high-priority threat.
  • Recommendation: All Linux users and administrators are urged to update their kernels immediately to patch the vulnerability.
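Alongside the kernel update, a practitioner will want a way to check whether a privileged binary such as su has already been altered. The following is an added example, not code from the video or from this summary: it parses `dpkg --verify` / `rpm -Va` output and reports installed files whose content digest no longer matches the package database. The reasoning, from the mechanism described in section 2, is that the overwrite lands in the page cache of a read-only file, and a checksum read goes through that same cache, so a digest mismatch on a setuid binary is a meaningful signal; the sample output and the watched-path list are constructed assumptions.

```python
import shutil
import subprocess

# Constructed sample output (not captured from a real host): dpkg style first,
# then rpm style, a conffile line, and two lines with no digest flag set.
SAMPLE_VERIFY_OUTPUT = """\
??5??????   /usr/bin/su
S.5....T.    /usr/bin/passwd
??5?????? c /etc/sudoers
missing     /usr/share/doc/foo/README
.M.......    /usr/bin/mount
"""

# Setuid binaries to report first (assumed list; extend for your hosts).
WATCHED = {"/bin/su", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/passwd"}


def digest_mismatches(verify_output: str) -> list[str]:
    """Paths whose digest flag is set: both dpkg and rpm use '5' in column 3."""
    hits = []
    for line in verify_output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        flags, path = fields[0], fields[-1]
        if len(flags) >= 3 and flags[2] == "5":
            hits.append(path)
    return hits


def watched_mismatches(verify_output: str, watched=WATCHED) -> list[str]:
    """Subset of digest mismatches that are privileged (setuid) binaries."""
    return [p for p in digest_mismatches(verify_output) if p in watched]


def run_package_verify() -> str:
    """Run whichever package verifier exists; empty string if neither does."""
    if shutil.which("dpkg"):
        cmd = ["dpkg", "--verify"]
    elif shutil.which("rpm"):
        cmd = ["rpm", "-Va"]
    else:
        return ""
    # Both tools exit non-zero when anything differs, so no check=True here.
    return subprocess.run(cmd, capture_output=True, text=True).stdout


if __name__ == "__main__":
    out = run_package_verify() or SAMPLE_VERIFY_OUTPUT
    for path in watched_mismatches(out):
        print(f"digest mismatch on privileged binary: {path}")
```

A mismatch is only a signal, not proof: a rebuilt or locally patched binary also trips it, and a modified page evicted from the cache before the check would not.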

5. Synthesis and Takeaways

The Copy-Fail vulnerability serves as a stark warning regarding the evolution of cyber threats. The fact that an AI agent could identify a deep-seated kernel bug in an hour highlights that:

  1. Legacy Code Risks: Vulnerabilities can remain dormant in critical infrastructure for years (in this case, since 2017).
  2. AI as a Double-Edged Sword: AI is becoming a powerful tool for both offensive hacking and defensive code quality management.
  3. Proactive Security: As AI-driven exploits become more common, the speed of patching and the use of AI-assisted development tools (such as CodeRabbit for workflow management and automated PR fixes) are becoming essential for maintaining system integrity.
