
Publicly released exploit code for an effectively unpatched vulnerability that gives root access to nearly all releases of Linux is setting off alarm bells as defenders scramble to ward off severe compromises inside data centers and on personal devices.
The vulnerability and the code that exploits it were released Wednesday night by researchers from security firm Theori, 5 weeks after they privately disclosed it to the Linux kernel security team. The team patched the vulnerability in versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254, but few Linux distributions had incorporated those fixes at the time the exploit was released.
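For defenders triaging a fleet against the fixed releases listed above, the following is an added example (not code from the article, Theori, or the kernel project) that classifies `uname -r` strings by upstream base version. The hostnames and release strings are constructed, the status names are hypothetical, and vendor kernels are flagged for review rather than judged, because distributions can backport fixes without changing the base version.

```python
import re

# Fixed upstream releases exactly as listed in the article, keyed by series.
FIXED = {(7, 0): 0, (6, 19): 12, (6, 18): 12, (6, 12): 85,
         (6, 6): 137, (6, 1): 170, (5, 15): 204, (5, 10): 254}

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def classify(release):
    """Classify one `uname -r` string against the article's fixed releases."""
    m = _RELEASE.match(release.strip())
    if not m:
        return "unparseable"
    series = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    suffix = m.group(4)
    if "-rc" in suffix:
        return "needs-review"        # pre-release build: base version says nothing
    if series > max(FIXED):
        return "at-or-above-fix"     # assumption: series after 7.0 inherit the fix
    if series not in FIXED:
        return "series-not-listed"   # the article names no fixed release here
    if patch >= FIXED[series]:
        return "at-or-above-fix"
    # Below the listed release. Vendor kernels carry a build suffix and may
    # backport fixes without bumping the base version, so do not call them
    # unpatched from the string alone; check the vendor advisory instead.
    return "needs-review" if suffix else "below-fix"


def triage(inventory):
    """Map {hostname: uname -r output} to {status: sorted hostnames}."""
    report = {}
    for host, release in inventory.items():
        report.setdefault(classify(release), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hostnames and release strings are made up).
SAMPLE = {"build-01": "6.6.137", "build-02": "6.6.120",
          "web-01": "5.15.0-91-generic", "db-01": "6.1.170-1.example",
          "edge-01": "6.8.0-45-generic", "lab-01": "7.0.0-rc5"}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:18} {', '.join(hosts)}")
```

Hosts reported as `needs-review` or `series-not-listed` have to be resolved against the distribution's own advisory for CVE-2026-31431, since the version string alone cannot show a backport.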
A single script hacks all distros
The critical flaw, tracked as CVE-2026-31431 and named CopyFail, is a local privilege escalation, a vulnerability class that allows unprivileged users to elevate themselves to administrators. CopyFail is especially severe because it can be exploited with a single piece of exploit code (released in Wednesday’s disclosure) that works across all vulnerable distributions with no modification. With that, an attacker can, among other things, hack multi-tenant systems, break out of containers based on Kubernetes or other frameworks, and create malicious pull requests that pipe the exploit code through CI/CD workflows.
“‘Native privilege escalation’ sounds dry, so let me unpack it,” researcher Jorijn Schrijvershof wrote Thursday. “It means: an attacker who already has some technique to run code on the machine, at the same time as probably the most boring unprivileged person, can promote themselves to root. From there they’ll learn each file, set up backdoors, watch each course of, and pivot to different programs.”
Schrijvershof added that the same Python script Theori released works reliably on Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6, and Debian 12. The researcher continued:









