A critical kernel privilege escalation that leaves no trace on disk β and how it works It started with a blog post. On April 29, 2026, Theori's research platform Xint Code quietly dropped a URL: copy.fail . Within hours, security teams across the industry were scrambling. A 732-byte Python script β shorter than most .gitignore files β was rooting every major Linux distribution in existence. No race conditions. No kernel symbols. No ASLR bypass. Just a logic bug hiding in the Linux kernel since 2017, waiting to be found. TL;DR for the Busy Reader CVE-2026-31431, nicknamed Copy Fail , is a local privilege escalation (LPE) in the Linux kernel's AF_ALG crypto subsystem. An unprivileged user can: Open a crypto socket (zero privileges required) Splice pages from /usr/bin/su into it Trigger a 4-byte write into the in-memory page cache of that binary Run su β now running attacker shellcode β and get a root shell The file on disk is never touched . No checksums fail. No integrity monitors fire.β¦
