explaingit

theori-io/copy-fail-cve-2026-31431

3,767 · Python · Audience · researcher · Complexity · 3/5 · Setup · moderate

TLDR

A proof-of-concept exploit for CVE-2026-31431, a Linux kernel bug discovered with AI-assisted analysis that lets a local user with limited access gain full root control. The exploit is confirmed working on Ubuntu 24.04, RHEL 10.1, Amazon Linux 2023, and SUSE 16.

Mindmap

mindmap
  root((Copy Fail CVE))
    What it does
      Local priv escalation
      Root access bypass
      9 year old bug
    Affected systems
      Ubuntu 24.04
      RHEL 10.1
      Amazon Linux 2023
      SUSE 16
    Discovery
      AI-assisted analysis
      Theori Xint Code
    Use cases
      Vuln testing
      Security research
      Patch validation


Things people build with this

USE CASE 1

Test whether your Linux systems running Ubuntu 24.04, RHEL 10.1, Amazon Linux 2023, or SUSE 16 are vulnerable before applying kernel patches

USE CASE 2

Study the mechanics of a real kernel privilege escalation bug for security research or CTF preparation

USE CASE 3

Use as a reference case when auditing or hardening Linux environments against local privilege escalation

Tech stack

Python · Linux kernel

Getting it running

Difficulty · moderate Time to first run · 30min

Run it only in an isolated VM with a vulnerable kernel version; do not run it on production systems.

In plain English

Copy Fail is the name given to a local privilege escalation vulnerability in the Linux kernel, tracked as CVE-2026-31431. A local privilege escalation vulnerability is a security flaw that allows someone who already has limited (unprivileged) access to a computer running Linux to gain full administrative (root) control, bypassing the restrictions the system is supposed to enforce.

The vulnerability was discovered by Theori, a security research firm, using a tool they call Xint Code, which the project description identifies as an AI-assisted security analysis tool. The description notes that the bug had existed in the Linux kernel for approximately nine years before being identified. CVE numbers are assigned to publicly disclosed security vulnerabilities so that vendors and administrators can track and apply fixes.

The README for this repository is very brief. It links to a technical writeup on Theori's Xint Code blog for anyone who wants to understand the mechanics of the bug, and provides a table showing the Linux distributions and kernel versions on which the exploit was confirmed to work. These include Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16. No setup instructions, build steps, or usage details are given in the README.

The repository is written in Python and appears to be a proof-of-concept exploit released as part of responsible disclosure practices common in security research. Anyone wanting full technical detail should read the linked writeup.

Copy-paste prompts

Prompt 1
Explain how CVE-2026-31431 allows a local unprivileged user to escalate to root on Ubuntu 24.04, and which kernel code path is exploited.
Prompt 2
What kernel patches or version updates should I apply to protect Ubuntu 24.04 and RHEL 10.1 systems against CVE-2026-31431?
Prompt 3
Set up a safe isolated VM environment to test this Linux kernel privilege escalation proof-of-concept without risking a production system.
Prompt 4
Summarize the Copy Fail vulnerability in terms a developer without deep kernel experience can understand, focusing on what went wrong and why it existed for nine years.
Prompt 5
Walk me through running this exploit in a test VM and interpreting the output to confirm whether the system is vulnerable.

Verify against the repo before relying on details.