Researchers release exploit for Linux kernel flaw CVE-2026-31431

Theori researchers publicly released exploit code on May 5 for a critical Linux kernel flaw tracked as CVE-2026-31431, or CopyFail, that lets an unprivileged user escalate to root. ^[1]

The company said it disclosed the issue privately to the Linux kernel security team on April 22, 5 weeks before the public release. ^[1]

The vulnerability affects virtually all Linux kernel versions before patched releases 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204 and 5.10.254, although most distributions had not yet folded in the fixes when the exploit was released. ^[1]

The exploit comes as a single Python script and works without modification on Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6 and Debian 12, according to the researchers. ^[1]

Jorijn Schrijvershof said local privilege escalation lets an attacker who can already run code on a machine, even as a low-privilege user, become root and then read files, install backdoors, watch processes and pivot to other systems. ^[1]

The issue poses broad risk for shared Linux environments, including Kubernetes nodes, containers, CI/CD pipelines and WSL2 instances, because they often share the same kernel and can lose isolation if one host is compromised. ^[1]

Linux users and administrators now face a race to deploy the patched kernel versions before exposed systems are hit, after the public release of the exploit code. ^[1]