Theori's AI Platform Discovers Nine-Year-Old Critical Linux Vulnerability in One Hour
Key Takeaways
- AI-powered Xint Code discovered CVE-2026-31431, a 9-year-old critical Linux kernel vulnerability allowing unprivileged root access, in one hour
- The 732-byte exploit works reliably across all major Linux distributions since 2017, affecting Ubuntu, RHEL, Amazon Linux, SUSE and others
- The vulnerability exploits a flaw in the kernel's AEAD cryptographic template, combining AF_ALG sockets and splice() to corrupt memory in setuid binaries
Summary
Theori's Xint Code, an AI-powered vulnerability research platform, discovered CVE-2026-31431 ("Copy Fail"), a critical Linux kernel flaw affecting every major distribution since 2017. The vulnerability allows any unprivileged user to gain root access using a simple 732-byte Python exploit that modifies setuid binaries in memory. The exploit abuses a logic bug in the kernel's cryptographic template layer, combining AF_ALG sockets, the splice() system call, and the authencesn algorithm to achieve deterministic privilege escalation with 100% reliability across Ubuntu, RHEL, Amazon Linux, SUSE, and other distributions.
Theori's AI-powered platform identified the vulnerability in approximately one hour, a stark contrast to the nine-year window during which it remained hidden in the world's most heavily reviewed codebase. The vulnerability, if weaponized on the dark market, would typically command over $500,000 as a zero-day exploit. A coordinated disclosure timeline shows the kernel community responding swiftly: the flaw was reported on March 23, patches were proposed within two days, and the fix was merged into mainline on April 1. CVE-2026-31431 was officially assigned on April 22, with public disclosure on April 29 after distributions had patched.
The discovery underscores how AI is fundamentally reshaping vulnerability research economics. The exploit's elegant simplicity—a logic bug in the kernel's in-place cryptographic optimization—had eluded human researchers for nearly a decade. Researcher Taeyang Lee highlighted the core issue: the kernel's crypto API assumed all AEAD algorithms would confine writes to intended destinations, but the authencesn algorithm wrote 4 bytes past its output boundary, landing directly in the page cache of target files.
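A detection sketch for the syscall pairing described above, added here as an example (not code from Theori or the kernel project): it scans auditd SYSCALL records for non-root processes that both open an AF_ALG socket and call splice(). It assumes x86_64 audit rules already log the socket and splice syscalls; the sample records are constructed, and a match is a triage lead, not proof of exploitation.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers and the AF_ALG address family; auditd prints a0 in hex.
SYS_SOCKET, SYS_SPLICE, AF_ALG = 41, 275, 38
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not from the page), in auditd SYSCALL format.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:900): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=4242 uid=1000 comm="python3" exe="/usr/bin/python3"
type=SYSCALL msg=audit(1700000000.105:901): arch=c000003e syscall=275 success=yes exit=4 a0=5 a1=0 a2=4 a3=0 pid=4242 uid=1000 comm="python3" exe="/usr/bin/python3"
type=SYSCALL msg=audit(1700000001.200:902): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 a3=0 pid=5150 uid=1000 comm="curl" exe="/usr/bin/curl"
type=SYSCALL msg=audit(1700000001.300:903): arch=c000003e syscall=275 success=yes exit=4096 a0=3 a1=0 a2=5 a3=0 pid=5150 uid=1000 comm="curl" exe="/usr/bin/curl"
type=SYSCALL msg=audit(1700000002.400:904): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=77 uid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup"
type=SYSCALL msg=audit(1700000003.500:905): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=6001 uid=1001 comm="openssl" exe="/usr/bin/openssl"
"""

def parse(line):
    """Return the key=value fields of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def suspicious_processes(log_text):
    """Flag non-root PIDs that both opened an AF_ALG socket and called splice()."""
    seen = defaultdict(lambda: {"af_alg": False, "splice": False, "exe": None})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
            continue
        # Skip failed calls and root-owned processes (root needs no escalation).
        if rec.get("success") != "yes" or rec.get("uid") == "0":
            continue
        state = seen[int(rec["pid"])]
        state["exe"] = rec.get("exe")
        nr = int(rec["syscall"])
        if nr == SYS_SOCKET and int(rec["a0"], 16) == AF_ALG:
            state["af_alg"] = True
        elif nr == SYS_SPLICE:
            state["splice"] = True
    return sorted((pid, s["exe"]) for pid, s in seen.items()
                  if s["af_alg"] and s["splice"])

if __name__ == "__main__":
    for pid, exe in suspicious_processes(SAMPLE_LOG):
        print(f"review pid={pid} exe={exe}: AF_ALG socket plus splice() as non-root")
```

Legitimate software also uses AF_ALG, so the pairing with splice() in the same unprivileged process is what narrows the result.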
- AI tools are now capable of finding high-value security flaws (historically worth $500K+) faster than human researchers, reshaping vulnerability research economics
Editorial Opinion
This discovery signals a seismic shift in cybersecurity research. For nearly a decade, human experts missed a half-million-dollar zero-day hiding in plain sight in the Linux kernel's crypto subsystem—yet AI found it faster than a coffee break. This raises uncomfortable questions: if AI can now discover vulnerabilities at machine speed, how will security teams scale detection before attackers do? The economics of vulnerability trading, once favoring patient human researchers, are about to be rewritten by autonomous AI agents capable of scanning entire codebases for exploitation primitives in minutes.



