Linux underpins most Internet server infrastructure, including web servers, cloud platforms, hosting environments, CI systems, and container clusters.<\/p>\n\n\n\n
Theori said the vulnerability was found after researcher Taeyang Lee (pictured, far right) had the key insight that there was an underexplored bug class in a specific area of Linux’s crypto subsystem.<\/p>\n\n\n\n
\u201cFrom there, Xint Code scaled the audit across the entire crypto subsystem in roughly an hour. Copy Fail was the highest-severity finding in the run,\u201d Theori stated.<\/p>\n\n\n\n
Theori said the same scan also identified other high-severity bugs, including another privilege escalation vulnerability, which remain under coordinated disclosure.<\/p>\n\n\n\n
Copy Fail is a local privilege escalation (LPE) vulnerability, meaning it does not directly let someone attack a server over the Internet.<\/p>\n\n\n\n
However, it becomes serious when an attacker already has limited code execution, a stolen low-privilege account, or access to a shared compute environment.<\/p>\n\n\n\n
In that scenario, the bug could allow ordinary users to gain root access, giving the attacker administrator-level control over the affected Linux system.<\/p>\n\n\n\n
Xint\u2019s proof-of-concept targeted the \u2018 Setuid-root programs run with elevated privileges by design, which makes them valuable targets when an attacker can influence what the kernel executes.<\/p>\n\n\n\n The researchers said their 732-byte Python proof-of-concept obtained root shells on Ubuntu, Amazon Linux, Red Hat Enterprise Linux, and SUSE test systems.<\/p>\n\n\n\n They also said that, under the right conditions, because the page cache is shared across the host, an attack could escape container boundaries.<\/p>\n\n\n\n That makes Copy Fail relevant to services like Kubernetes clusters. Theori said that the second part of its technical write-up detailing Kubernetes container escape was forthcoming.<\/p>\n\n\n\n Although Linux has had major privilege escalation vulnerabilities before, many required precise timing, repeated attempts, or version-specific exploit adjustments.<\/p>\n\n\n\n Copy Fail is different because it is a deterministic logic flaw rather than a race condition or a memory corruption bug needing custom offsets.<\/p>\n\n\n\n Theori described it as a \u201cstraight-line logic flaw\u201d, meaning the exploit follows a predictable execution path without needing to win a timing window.<\/p>\n\n\n\n The practical result is portability: Theori said the same short Python script worked across all the distributions they tested without per-kernel tuning.<\/p>\n\n\n\n \u201cThe same 732-byte Python script roots every Linux distribution shipped since 2017,\u201d Theori stated.<\/p>\n\n\n\n Theori explained that a 2017 optimisation created the vulnerability, which has gone undetected ever since.<\/p>\n\n\n\n The bug is also notable because the vulnerable feature is enabled by default in mainstream Linux distributions, and the exploit does not require kernel debugging to be turned on.<\/p>\n\n\n\n According to Theori\u2019s disclosure timeline, it reported the vulnerability to the Linux kernel security team on 23 March 2026 and received acknowledgement the following day.<\/p>\n\n\n\n By 25 March, patches were proposed and reviewed, and by 1 April, a patch was committed to the mainline Linux kernel. The patch has already rolled out to major Linux distributions.<\/p>\n\n\n\n \u201cIf you run multi-tenant Linux, shared-kernel containers, CI runners that execute untrusted code, or anything where someone you don\u2019t fully trust can \u2018 \u201cSingle-user laptop with full-disk encryption and a locked screen \u2014 far less urgent. Patch anyway.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":" An “AI hacker” called Xint Code helped a security researcher find multiple Linux kernel vulnerabilities in an hour.<\/p>\n","protected":false},"author":15,"featured_media":644809,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[92837,27],"tags":[104957,104958,104959,104956],"class_list":["post-644807","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ai","category-security","tag-copy-fail","tag-taeyang-lee","tag-theori","tag-xint-code"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/644807"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=644807"}],"version-history":[{"count":3,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/644807\/revisions"}],"predecessor-version":[{"id":644812,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/644807\/revisions\/644812"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/644809"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=644807"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=644807"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=644807"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}su<\/code><\/strong>\u2019 program, a common setuid-root utility used to switch users, including to the root user, on Linux systems.<\/p>\n\n\n\nOne attack for multiple Linux versions<\/h2>\n\n\n\n
![\"\"](\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/05\/Theori-at-RSA-Conference-2025-1200x675.jpg\")
<\/figure>\n\n\n\nexecve<\/code><\/strong>\u2019 as a regular user \u2014 patch,\u201d Theori said.<\/p>\n\n\n\n