LmCast :: Stay tuned in

Another AI-Assisted Software Scan Yields 9-Year-Old Linux Bug

Recorded: May 11, 2026, 1:16 p.m.

Original Summarized

The proof-of-concept exploit code runs only 10 lines long, but luckily, a patch is already available.

Nate Nelson, Contributing Writer
April 30, 2026

With a hunch, and an hour of AI-assisted scanning, cybersecurity researchers identified and then figured out how to exploit a nine-year-old root escalation vulnerability affecting every Linux build since 2017.

The vulnerability, which researchers at Xint are calling "Copy Fail," has officially been given the designation CVE-2026-31431. It allows any local user to escalate to root by leveraging a logic flaw in the Linux kernel's cryptography system. The flaw allows any unprivileged attacker to write four specific bytes of data to the in-memory copy of a readable file, to essentially piggyback on the program's default root powers.

Copy Fail works thanks to a long history of otherwise sensible updates to the Linux kernel over the years — particularly one update from 2017, which was meant to speed up data encryption. Ironically, then, old, unpatched devices are actually in the clear here.

Considering the severity of the issue, one might imagine that exploiting it would be complex. Not so — Xint's public proof-of-concept (PoC) exploit code on GitHub runs only 10 lines long. Luckily, a patch is just as freely downloadable.

The Risks in Copy Fail

CVE-2026-31431 works equally across all Linux distributions. It requires no funky race conditions. Where most local privilege escalation (LPE) bugs in Linux are probabilistic, Xint noted in its blog post, CVE-2026-31431 works 100% of the time. Because exploitation occurs in temporary memory, it leaves no trace of a crime on the disk, and evidence of the crime will clear as soon as the system is rebooted.

With the root-level powers it affords, there are any number of creative and destructive things a bad actor can do. "You can edit important system configuration files or important programs on the system," explains Xint senior security researcher Tim Becker. "Through various mechanisms like that, you can achieve local privilege escalation, manipulating sensitive configurations of applications running on the system."

Most worrying of all, he adds, "It's very common for people to use Kubernetes clusters to deploy their applications. And this sort of vulnerability allows container escape from any pod in a Kubernetes cluster to impact the others, or to impact the host that the cluster is running on."

The possible attack scenarios only go on from there. "Another really scary application is continuous integration (CI) runners" — agents or machines that programmatically perform tasks in a software development pipeline. "Most software engineering has some sort of continuous integration or continuous testing. Whenever someone opens a pull request containing a code change, some checks and tests will run automatically. And if it's possible for an attacker to inject this exploit into those tests that run automatically, they can escape the container that the CI job is running in. And they can potentially access sensitive secrets that are in the environment, or even sometimes deployment keys that are in CI because your deployment happens from there."

AI-Driven Vulnerability Research, in Practice

While world leaders, business executives, and Internet conspirators decry the Claude Mythos-induced end of the world, researchers like Becker are quietly already doing the AI-driven vulnerability research everyone's worried about, demonstrating how that work might actually look for the foreseeable future.

"We've had a ton of success using our [internal AI] tool on various databases like Postgres, Redis, MariaDB, where we literally just drop the code in, don't provide any human insight, and we get out an exploitable bug that has been there in some cases for over 20 years. So it is totally possible for AI to find deep, exploitable bugs that have been there for a long time," he explains.

From his perspective, though, an issue so subtle and so dangerous as Copy Fail wouldn't likely have been unearthed by AI alone. Instead, a Xint researcher had the insight to look for exactly such a vulnerability as Copy Fail, and then the AI did the grunt work of actually identifying the specifics.

"AI is changing the vulnerability research landscape significantly. Essentially everyone I know in the space is using AI to some extent now, to significantly increase their output. And this bug was no different," Becker acknowledges. Still, for issues as intricate as Copy Fail, "This feels to me like something that human insight is still useful for. But just barely."

About the Author

Nate Nelson, Contributing Writer. Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.

Copyright © 2026 TechTarget, Inc. d/b/a Informa TechTarget.

This Digital Business article, published by TechTarget and Informa TechTarget, details the discovery of a nine-year-old Linux vulnerability, designated CVE-2026-31431, dubbed “Copy Fail” by researchers at Xint. The vulnerability stems from a logic flaw within the Linux kernel’s cryptography system, specifically related to a 2017 update intended to accelerate data encryption. Essentially, an unprivileged attacker can manipulate memory to gain root-level access. The exploit, which requires only 10 lines of code, highlights the potential for significant security risks even within seemingly stable, long-standing software systems.

The vulnerability’s impact is broad, affecting all Linux distributions and presenting a 100% success rate of exploitation. Xint senior security researcher Tim Becker emphasized that the exploit operates in temporary memory, leaving no trace on the disk and automatically clearing after a system reboot. The potential consequences are considerable: attackers could modify system configurations, manipulate applications, or, most alarmingly, exploit Kubernetes clusters for container escape and access sensitive data or deployment keys. The article further points out a particularly concerning scenario involving continuous integration (CI) runners, allowing for the injection of exploits during automated testing and subsequent access to secrets.

Researchers at Xint are employing AI-driven vulnerability research, demonstrating a method of rapidly identifying exploitable bugs within databases like Postgres, Redis, and MariaDB, utilizing AI to substantially increase their output. Becker notes that while AI doesn't entirely replace human insight – particularly in complex cases like "Copy Fail" – it dramatically speeds up the identification process. The article discusses how the AI tool, without human guidance, can uncover deeply buried vulnerabilities that have persisted for over two decades, emphasizing the evolving role of AI in cybersecurity research and threat detection. The discovery illustrates a critical area for proactive vulnerability management, particularly in systems with long operational histories.