New kernel exploit bypasses file integrity monitoring while writing to owned files across major distributions.
Summary
- Copy.fail vulnerability allows local attackers to escalate privileges by writing to files they don’t own
- Exploit works across Ubuntu, RHEL, Debian, SUSE, Amazon Linux and Fedora without modification
- File integrity tools like AIDE and Tripwire cannot detect the attack as disk files remain unchanged
A critical Linux kernel vulnerability dubbed “copy.fail” enables local privilege escalation across major distributions through a novel attack that bypasses traditional file integrity monitoring systems.
The vulnerability was disclosed by security research firm Theori on 29 April 2026 along with a working proof-of-concept exploit. The attack combines the kernel crypto API (AF_ALG sockets) with the splice() system call to write data directly into the page cache of files the attacker does not own.
Technical Details
The exploit allows attackers to write four bytes at a time straight into a file’s page cache without modifying the actual file on disk. This means traditional file integrity monitoring tools including AIDE, Tripwire and checksum-based systems will not detect the compromise.
According to security researcher Bruce Schneier, the vulnerability represents “the worst Linux vulnerability in years.” The attack works without race conditions or distribution-specific memory offsets, making it highly reliable across platforms.
Affected Systems
The exploit works unmodified across multiple major Linux distributions including Ubuntu, Red Hat Enterprise Linux (RHEL), Debian, SUSE, Amazon Linux and Fedora. This broad compatibility makes the vulnerability particularly dangerous for enterprise environments running mixed Linux infrastructures.
The vulnerability affects the Linux kernel’s crypto API implementation, specifically the AF_ALG socket interface that allows userspace programs to access kernel cryptographic functions.
Why It Matters
This vulnerability poses significant risk to enterprise Linux environments because it enables reliable privilege escalation without triggering file integrity monitoring systems that many organisations rely on for breach detection. The attack’s compatibility across major distributions means a single exploit can compromise diverse Linux infrastructures.
The inability of AIDE, Tripwire and similar tools to detect these attacks undermines a key security control layer, potentially allowing persistent compromise to go undetected during routine security audits.
What To Do Now
- Monitor security advisories from your Linux distribution vendors for patches addressing the copy.fail vulnerability
- Review logs for unusual AF_ALG socket or splice() system call activity if your monitoring capabilities support this
- Consider implementing additional runtime security controls beyond file integrity monitoring
