[RSCH] OraCore Editors, 5 min read

AI Finds Nine-Year Linux Kernel Zero-Day

A researcher used AI tooling to find Copy Fail, a Linux kernel zero-day present since 2017 and rated CVSS 7.8.


AI tooling helped uncover Copy Fail, a Linux kernel zero-day that has existed since 2017.

A vulnerability researcher at Theori found the bug in the Linux kernel, now tracked as CVE-2026-31431. The details matter because this is a local flaw with root impact. The issue dates back to a 2017 optimization in authenticated-encryption code, and the public write-up says the bug can be triggered on systems shipped since then.

Fact               Value
Bug nickname       Copy Fail
CVE                CVE-2026-31431
Reported           March 23, 2026
CVE assigned       April 22, 2026
Public disclosure  April 29, 2026
Severity           CVSS 7.8

What Copy Fail actually does


Copy Fail is a logic bug in the Linux kernel’s authencesn cryptographic template. In plain English, it lets a local user with no special privileges trigger a controlled four-byte write into the page cache of a readable file.


That sounds small, but kernel bugs rarely stay small once an attacker can shape memory writes. The report says exploitation can lead to root access on affected Linux systems, and that the issue affects distributions shipped since 2017.

  • No network access is required
  • No kernel debugging features are required
  • No pre-installed exploit primitives are required
  • Physical access and an unprivileged local account are still needed

That last detail matters. This is not a remote worm-style flaw that spreads across the internet on its own. It is a local privilege escalation path, which makes it especially relevant for shared machines, lab systems, developer workstations, and container hosts where one user account may be enough to start trouble.

How AI helped find a bug from 2017

Taeyang Lee, a vulnerability researcher at Theori, said he used Xint.io and its source analysis tool Xint Code to find the flaw. That detail matters because it shows where AI is already useful in security work: not writing exploits from scratch, but scanning large codebases for odd logic paths and missed assumptions.

“We found a vulnerability in the Linux kernel that can lead to root privileges,” said Taeyang Lee in Theori’s disclosure.

The timeline is tight. Lee reported the issue to the Linux kernel security team on March 23, the team started patching within days, and the CVE landed on April 22. Theori then published its disclosure seven days later, along with a proof-of-concept so defenders could test their own systems.

That kind of response is what you want from a kernel security incident: fast triage, public tracking, and a patch that lands before the story drifts into rumor. It also shows why AI-assisted review is getting attention inside offensive security shops. If a tool can surface an old bug buried in a code path that has been live for years, it can save a lot of manual reading time.

Why this matters for Linux admins

The practical risk is highest in places where multiple users share a machine or where local access is easier to obtain than it should be. Think workstations with weak account separation, build servers, container clusters, and research environments.


Theori says the patch is already available, and most major distributions have moved to fix it, including Debian, Ubuntu, SUSE, and Red Hat. The researchers specifically told users to update to a kernel version that includes commit a664bf3d603d from mainline.

  • Attack type: local privilege escalation
  • Impact: possible root access
  • Risk rating: CVSS 7.8
  • Affected systems: Linux distributions shipped since 2017
  • Fix: update to a kernel containing commit a664bf3d603d

If you run shared Linux infrastructure, the immediate task is simple: check vendor advisories, patch the kernel, and verify the fix on every host that allows local users. If you manage container platforms, treat this like a host-level issue, because containers do not help if the kernel underneath is vulnerable.
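One way to do that per-host verification, as an added example that is not Theori's code or anything from the article: a POSIX shell check that compares a host's `uname -r` against the minimum fixed kernel release copied from your vendor's advisory for CVE-2026-31431 (the build containing mainline commit a664bf3d603d). The names `MIN_FIXED`, `kver_ge` and `check_host` are assumed here; the minimum release value is a placeholder you fill in from the advisory, in the same form the distribution prints from `uname -r` (for Debian and Ubuntu that is the ABI release such as `6.8.0-60`, not the upstream version).

```shell
#!/bin/sh
# Added example: fleet check for a patched kernel. MIN_FIXED is a placeholder;
# set it from your vendor's advisory for CVE-2026-31431 in uname -r form,
# e.g. MIN_FIXED=6.8.0-60 (Ubuntu ABI) or 5.14.0-570.12.1.el9_6 (RHEL).
MIN_FIXED="${MIN_FIXED:-0.0.0}"

# kver_ge A B: exit 0 when release A is at least release B.
# Every run of non-digits (".", "-", "el", "generic", "x86_64") becomes a
# field separator, so numeric fields are compared left to right and a
# missing field counts as 0. This avoids the string-compare trap where
# "6.12.4" would sort above "6.12.30".
kver_ge() {
    a=$(printf '%s ' "$1" | tr -c '0-9' ' ' | tr -s ' ')
    b=$(printf '%s ' "$2" | tr -c '0-9' ' ' | tr -s ' ')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}; a=${a#* }          # pop first field of A
        y=${b%% *}; b=${b#* }          # pop first field of B
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0                            # all fields equal
}

# check_host RELEASE: print a verdict for this host, exit 0 when patched.
check_host() {
    host=$(uname -n)
    if kver_ge "$1" "$MIN_FIXED"; then
        echo "$host: kernel $1 >= $MIN_FIXED, fix present"
        return 0
    fi
    echo "$host: kernel $1 < $MIN_FIXED, PATCH NEEDED"
    return 1
}

# Usage: MIN_FIXED=<release from advisory> sh copyfail-check.sh check
if [ "${1:-}" = "check" ]; then
    check_host "$(uname -r)"
fi
```

Run it on every host that allows local logins; a non-zero exit marks a host that still needs the kernel update.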

What this says about AI in vulnerability research

This story is a good reminder that AI is becoming useful in the parts of security work that involve reading huge amounts of code and spotting strange edge cases. Theori did not claim the tool magically invented a bug; it used AI-assisted analysis to surface something a human researcher could then validate.

That distinction matters. Security teams should expect more findings like this, especially in mature codebases where old optimizations and compatibility fixes can hide for years. The real question is not whether AI will replace kernel researchers. It is whether teams will patch faster than the next local flaw gets found.

For now, the actionable takeaway is straightforward: if your Linux fleet has not been updated recently, treat this as a priority patch and confirm the kernel build includes the upstream fix. The next interesting question is whether AI-guided review starts finding similar bugs in other long-lived subsystems before attackers do.