Nearly every Linux distribution released since 2017 is currently vulnerable to a security bug called “Copy Fail,” which allows any user to gain administrator privileges. The exploit, publicly disclosed as CVE-2026-31431 on Wednesday, uses a Python script that works across all of the vulnerable distributions without requiring per-distro offsets or recompilation.
Some distributions, such as Arch Linux and Red Hat Fedora, have already released patches or mitigations, but many others are still unpatched.
The vulnerability is particularly insidious because it can go unnoticed by monitoring tools: the page-cache corruption never marks the modified pages as dirty, so the kernel’s writeback machinery does not flush the changes back to disk. As a result, common checksum-based monitoring tools like AIDE, Tripwire and OSSEC will see nothing amiss.
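One defensive check for the condition described above is to hash a file as read normally (through the page cache) and again with `O_DIRECT`, and flag files where the two views disagree. This is an added example, not code from the researchers or from any of the tools named; it assumes that an `O_DIRECT` read returns the on-disk contents, and the names `hash_fd` and `cache_matches_disk` are hypothetical.

```python
import hashlib
import mmap
import os
import sys

BLOCK = 1 << 20  # 1 MiB read size; assumed to be a multiple of the device block size


def hash_fd(fd, buf):
    """SHA-256 of everything readable from fd, read in len(buf)-sized chunks."""
    h = hashlib.sha256()
    while True:
        n = os.readv(fd, [buf])
        h.update(buf[:n])
        if n < len(buf):  # short read on a regular file means end of file
            return h.hexdigest()


def cache_matches_disk(path):
    """True if the cached and on-disk views agree, False if they differ,
    None if O_DIRECT is not usable here (e.g. tmpfs, non-Linux)."""
    o_direct = getattr(os, "O_DIRECT", None)
    if o_direct is None:
        return None
    buf = mmap.mmap(-1, BLOCK)  # anonymous mapping: page-aligned, as O_DIRECT needs
    try:
        fd = os.open(path, os.O_RDONLY)  # normal read, served from the page cache
        try:
            cached = hash_fd(fd, buf)
        finally:
            os.close(fd)
        try:
            fd = os.open(path, os.O_RDONLY | o_direct)  # assumed to bypass the cache
        except OSError:
            return None
        try:
            direct = hash_fd(fd, buf)
        except OSError:
            return None
        finally:
            os.close(fd)
        return cached == direct
    finally:
        buf.close()


if __name__ == "__main__":
    for p in sys.argv[1:]:
        state = {True: "ok", False: "MISMATCH", None: "unchecked"}[cache_matches_disk(p)]
        print(f"{state}\t{p}")
```

A file that is being written while it is checked can also report a mismatch, so a hit on a read-only system binary is a lead for investigation rather than proof of tampering.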
The discovery was made with assistance from Theori’s Xint Code AI tool. Developer Jorijn Schrijvershof identified several vulnerabilities in the Linux crypto subsystem using an automated scan. According to a blog post by Lee, this was achieved by looking into the crypto subsystem and identifying that splice() can deliver page-cache references of read-only files (including setuid binaries) to crypto TX scatterlists.
A patch for Copy Fail was added to the mainline Linux kernel on April 1st. However, as Ars Technica notes, the researchers who identified the flaw published the details before all distributions could release patches, leaving many unpatched and potentially vulnerable.







