According to Xint’s disclosure, the bug affects the Linux kernel’s authencesn cryptographic template when used through AF_ALG and splice(). The result is a controlled 4-byte write into the page cache of any file the local user can read, without modifying the file on disk. Xint says a 732-byte Python proof of concept was enough to gain root on tested Ubuntu, Amazon Linux, RHEL, and SUSE systems.
The dangerous part is that the corruption happens in memory, not on disk. A normal integrity check comparing file checksums may still show the file as clean because the underlying file contents have not changed. But when Linux reads or executes that file, it may use the corrupted page cache version. In Xint’s example, the exploit targets a setuid-root binary such as /usr/bin/su; once the cached version is altered, executing it can run attacker-controlled code as root.
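Because the corruption lives only in the page cache, one check a defender can run is to read a file twice, once through the cache (the view exec() gets) and once with O_DIRECT, which bypasses the cache and returns the bytes on disk, and report any runs of bytes that differ. This is an added example, not code from Xint's disclosure; it assumes Linux, a filesystem that honours O_DIRECT (tmpfs does not), and 4096-byte alignment, and /usr/bin/su is the default target only because the text names it.

```python
import mmap
import os
import sys

BLOCK = 4096  # alignment assumed for O_DIRECT (the page size on x86-64 Linux)

def read_buffered(path: str) -> bytes:
    """Read through the page cache, which is the view exec() gets of the file."""
    with open(path, "rb") as f:
        return f.read()

def read_direct(path: str) -> bytes:
    """Read with O_DIRECT, which bypasses the page cache and returns the on-disk
    bytes; it needs a page-aligned buffer (anonymous mmap) and a BLOCK-multiple length."""
    size = os.stat(path).st_size
    fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    try:
        with mmap.mmap(-1, max(BLOCK, -(-size // BLOCK) * BLOCK)) as buf:
            view, got = memoryview(buf), 0
            try:
                # Offsets stay BLOCK-aligned until the short read at EOF ends the loop.
                while got < size and (n := os.readv(fd, [view[got:]])):
                    got += n
            finally:
                view.release()  # a live view would stop the mmap from closing
            return buf[:size]
    finally:
        os.close(fd)

def diff_spans(cached: bytes, ondisk: bytes):
    """(offset, cached_bytes, disk_bytes) for each run of differing bytes; a
    length difference appears as a trailing run. An empty list means they agree."""
    n = max(len(cached), len(ondisk))
    same = lambda i: i < len(cached) and i < len(ondisk) and cached[i] == ondisk[i]
    spans, i = [], 0
    while i < n:
        if same(i):
            i += 1
            continue
        start = i
        while i < n and not same(i):
            i += 1
        spans.append((start, cached[start:i], ondisk[start:i]))
    return spans

if __name__ == "__main__":
    for path in sys.argv[1:] or ["/usr/bin/su"]:  # the setuid target named above
        for off, c, d in diff_spans(read_buffered(path), read_direct(path)):
            print(f"{path}: MISMATCH at {off:#x}: cached={c.hex()} disk={d.hex()}")
```

A run of exactly four differing bytes matches the write the disclosure describes; a clean result only says the cached and on-disk views agree at the moment of the check, since evicting the page would also discard the corrupted copy.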
Technically, the issue comes from an interaction between splice(), AF_ALG, and the kernel crypto subsystem. splice() can pass page-cache-backed file data into a pipe without copying it, and AF_ALG exposes crypto operations to unprivileged userspace. In the vulnerable path, page cache pages become part of a writable scatterlist during an in-place AEAD decrypt operation. The authencesn implementation then performs a scratch write past the intended output boundary, causing attacker-controlled bytes to land in the cached file page.
What makes Copy Fail especially serious is its reliability and scope. Xint describes it as a straight-line logic flaw rather than a race condition, meaning it does not depend on fragile timing the way some older kernel privilege-escalation bugs do. The disclosure also notes that the impact crosses container boundaries because the page cache is shared at the host level, making it relevant not only to single Linux servers but also to containerized and Kubernetes environments. The fix separates the source and destination scatterlists by reverting the vulnerable in-place AEAD behavior.