April 29, 2026
Root, but make it tiny
Copy Fail: 732 Bytes to Root on Every Major Linux Distribution
A tiny script allegedly turns ordinary users into admins, and commenters are freaking out
TLDR: Researchers say a tiny script can turn a normal Linux user into an all-powerful admin on many systems, while hiding the change from basic file checks. Commenters are split between alarm over “invisible” tampering and snarky forum policing, with the loudest take being that some trusted security tools may be useless here.
Linux security nerds got their latest jump scare, and the comments quickly turned into a mix of panic, eye-rolling, and dark comedy. The big claim in the post is wild: a 732-byte Python script can supposedly give a regular user full control on most major Linux systems from the last several years. Even worse, the trick changes what the computer reads in memory, while leaving the file on the hard drive looking normal. That detail is what really sent people into full doom-scroll mode.
The hottest reaction came from users horrified that common security checks might miss it entirely. One commenter basically summed up the mood by saying that if your defenses only compare files on disk, they’re “worth exactly nothing here.” That’s the kind of line that spreads because it sounds less like a technical note and more like a public dragging. Another commenter added fuel by pointing out that this wasn’t one reckless mistake, but something that appears to have been slowly introduced over years through sensible little code changes. Translation for normal humans: nobody tripped over one giant banana peel; they built the peel one update at a time.
There was also a tiny bit of forum drama when someone opened with a curt “Dup of” and dropped a Hacker News link, the classic internet equivalent of yelling, “Old news!” But the real meme energy came from the comparison to past Linux nightmares like Dirty Cow and Dirty Pipe. The vibe in the crowd: this one sounds smaller, cleaner, sneakier, and that makes it scarier.
Key Points
- The article reports a Linux kernel logic bug, Copy Fail (CVE-2026-31431), in the authencesn cryptographic template that enables a deterministic 4-byte write into the page cache of any readable file.
- According to the article, a 732-byte Python script can exploit the bug to corrupt a setuid binary in memory and gain root privileges on major Linux distributions shipped since 2017.
- The article says the kernel does not mark the corrupted page dirty for writeback, leaving the on-disk file unchanged while the modified in-memory page cache remains visible to the system.
- The finding is described as AI-assisted and based on initial research by Theori researcher Taeyang Lee, who used Xint Code to analyze the Linux crypto subsystem.
- The article attributes the root cause to interactions among AF_ALG, splice(), and in-place AEAD decryption that cause file-backed page-cache pages to be referenced and modified through the crypto scatterlist path.