A severe Linux kernel vulnerability, dubbed copy.fail, enables local privilege escalation, allowing attackers to write data into files they do not own. The exploit leverages the kernel crypto API and the splice() system call to modify the page cache of a file without altering the file on disk. The vulnerability affects a wide range of Linux distributions, including Ubuntu, RHEL, Debian, and Fedora, and the exploit works across these platforms without modification. Theori disclosed the vulnerability on April 29, 2026, along with a working proof of concept [1]. The vulnerability is particularly concerning because it can bypass traditional file-integrity monitoring tools such as AIDE and Tripwire. Because the file on disk remains unchanged, the modification is challenging to detect. Security teams must prioritize patching, as attackers can exploit an unpatched system to gain elevated privileges.
Copy.Fail Linux Vulnerability
⚡ High Priority
Why This Matters
Disclosed by Theori on 29 April 2026 with a working PoC.
References
- Schneier, B. (2026, May 12). Copy.Fail Linux Vulnerability. *Schneier on Security*. https://www.schneier.com/blog/archives/2026/05/copy-fail-linux-vulnerability.html
Original Source
Schneier on Security