The Linux Kernel "Copy Fail" Local Privilege Escalation, tracked as CVE-2026-31431, represents a high-severity vulnerability impacting nearly all mainstream Linux distributions since 2017. Disclosed on April 29, 2026, this flaw allows an unprivileged local user to gain root privileges through a controlled 4-byte write to the kernel's page cache, targeting sensitive system binaries.
Vulnerability Overview
CVE-2026-31431 has been assigned a CVSS v3.1 score of 7.8 (High), reflecting its significant potential for local privilege escalation. The vulnerability, dubbed "Copy Fail" by researchers, is a logic flaw within the Linux kernel's cryptographic subsystem, specifically the algif_aead module, which is part of the AF_ALG (userspace crypto API). Unlike many kernel exploits that rely on race conditions or specific kernel offsets, "Copy Fail" is notably deterministic and reliable across a broad range of affected systems.
Technical Analysis
Flaw Origin: algif_aead Module
The root cause of CVE-2026-31431 lies in an in-place optimization introduced in the Linux kernel in 2017, identified by commit 72548b093ee3. This optimization modified how the algif_aead module handles Authenticated Encryption with Associated Data (AEAD) operations, allowing page-cache pages to be directly used as both source and destination buffers in a writable scatterlist.
Normally, when data from a file's page cache is processed, the kernel ensures that user-space modifications do not corrupt the on-disk file or bypass security restrictions. However, the in-place optimization bypassed these protections within the algif_aead context. When a readable file is spliced into an AF_ALG socket, the kernel passes references to the file's page cache pages. Due to the shared source and destination buffers, these typically read-only page cache pages become unexpectedly writable.
// Simplified conceptual representation of the vulnerable logic
// within algif_aead's in-place operation.
// This illustrates the underlying principle where src and dst
// scatterlists are allowed to overlap without proper protection
// for page cache pages.
static int algif_aead_crypt(struct blkcipher_desc *desc, struct scatterlist *dst,
struct scatterlist *src, unsigned int nbytes)
{
// ...
// Problematic optimization: When 'src' and 'dst' point to the same
// page-cache-backed memory (due to splice() chaining),
// write operations are performed directly without appropriate
// copy-on-write mechanisms for read-only page cache.
if (src == dst) {
// Direct in-place processing without enforcing read-only semantics
// for page cache entries, leading to controlled corruption.
// The underlying authenc(ecb(cipher_null),hmac(sha256))
// algorithm then performs a 4-byte scratch write beyond
// the intended output boundary.
}
// ...
return 0; // Or appropriate error code
}
Exploitation Primitive: Controlled 4-byte Write
Exploitation of CVE-2026-31431 involves chaining an AF_ALG socket operation with splice(). An unprivileged local user can manipulate these kernel interfaces to achieve a controlled 4-byte write into the page cache of any readable file. The typical target for this write primitive is a setuid binary, such as /usr/bin/su. By strategically overwriting a few bytes within the in-memory representation of such a binary, an attacker can inject code that grants root privileges upon its execution.
Crucially, this attack corrupts only the in-memory page cache, leaving the on-disk file untouched. This characteristic makes detection challenging for traditional file integrity monitoring systems that rely solely on on-disk checksums. A public proof-of-concept (PoC) exploit, notably a 732-byte Python script, has been demonstrated to reliably achieve root access on various distributions.
# Illustrative Python PoC snippet (highly simplified)
# Actual exploit code is more involved with socket options, pipe setups,
# and precise splice calls to direct the write.
import socket
import os
import fcntl
# AF_ALG socket creation
alg_socket = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
# Bind to the vulnerable authenc algorithm
alg_socket.bind(b'aead', b'authenc(ecb(cipher_null),hmac(sha256))')
# Get socket file descriptor
alg_fd = alg_socket.fileno()
# Open the target setuid binary (e.g., /usr/bin/su)
target_path = b'/usr/bin/su'
target_fd = os.open(target_path, os.O_RDONLY)
# Create pipes for splice operations
pipe_r, pipe_w = os.pipe()
# The core exploit logic would involve:
# 1. Setting up AF_ALG socket options to prepare for the "copy fail".
# 2. Splice the target file's pages into the pipe.
# 3. Splice from the pipe to the AF_ALG socket's destination scatterlist,
# triggering the controlled 4-byte write into the page cache.
# 4. Repeated operations to achieve the desired payload in the setuid binary's cache.
# 5. Execute the targeted binary to gain root.
# Example of a splice call (conceptual, not complete exploit)
# fcntl.splice(target_fd, pipe_w, nbytes)
# fcntl.splice(pipe_r, alg_fd, nbytes)
print(f"[*] Targeting {target_path.decode()} for LPE...")
# ... execute crafted payload ...
Affected Systems
The "Copy Fail" vulnerability affects a vast array of Linux systems, specifically those running kernels built since 2017, when the problematic optimization (commit 72548b093ee3) was introduced. This effectively encompasses nearly all modern Linux distributions. The vulnerability has been confirmed on various major distributions, including but not limited to:
| Distribution | Vulnerable Kernel Versions (Example) | Notes |
|---|---|---|
| Ubuntu | 6.17.0-1007-aws (24.04 LTS), and earlier unpatched versions | Affects all Ubuntu releases before Resolute (26.04) that are unpatched. |
| Amazon Linux | 6.18.8-9.213.amzn2023 (AL2023) | AL2023 and AL2 impacted. |
| Red Hat Enterprise Linux (RHEL) | 6.12.0-124.45.1.el10_1 (RHEL 10.1) | RHEL 8, 9, 10, and their derivatives (e.g., AlmaLinux) are affected. |
| SUSE / openSUSE | 6.12.0-160000.9-default (SUSE 16) | SUSE 15, 16 and related versions are affected. |
| Debian | 6.12.73-1 and earlier unpatched versions (Trixie/Testing) | Stable releases (Bullseye, Bookworm) receive fixes via security updates. |
Impact and Risks
The primary impact of CVE-2026-31431 is local privilege escalation, allowing any unprivileged local user to obtain full root access on a vulnerable system. This grants an attacker complete control over the compromised host, enabling them to read sensitive data, install malware, modify system configurations, and pivot to other systems. Organizations should consider using tools like Secably for continuous vulnerability scanning to identify and prioritize affected assets in their environment.
Beyond direct LPE, "Copy Fail" poses a significant threat in containerized and multi-tenant environments. Because the kernel's page cache is shared across all processes on a host, including those within containers, a compromised container can exploit this vulnerability to corrupt setuid binaries visible to other containers and the host kernel. This enables a reliable container escape, allowing an attacker to break out of an isolated container and gain root access on the underlying host. This is particularly dangerous for Kubernetes clusters, CI/CD runners, shared development environments, and cloud notebook platforms. Identifying exposed services and potential entry points into such environments is crucial, a task where platforms like Zondex can provide valuable reconnaissance capabilities.
Mitigation Strategies
Immediate action is required to mitigate the "Copy Fail" vulnerability. The most robust solution is to update the Linux kernel to a patched version that includes the upstream fix. The mainline fix, commit a664bf3d603d, reverts the problematic 2017 optimization and was committed on April 1, 2026. Distributions are rapidly releasing patched kernel packages, and system administrators should apply these updates without delay. A system reboot is essential after applying kernel updates to ensure the new kernel is loaded and active.
For systems where immediate kernel patching is not feasible, interim mitigations can be applied:
- Blacklisting the
algif_aeadKernel Module: Disabling the vulnerable module effectively prevents the exploitation path. This should have minimal impact on most systems, as cryptography operations typically fall back to userspace libraries.
# Create a blacklist configuration file
echo "blacklist algif_aead" | sudo tee /etc/modprobe.d/blacklist-algif_aead.conf
# Update the initial RAM disk to incorporate the blacklist
sudo update-initramfs -u
# Reboot the system to apply the changes
sudo reboot
- Blocking
AF_ALGSocket Creation with Seccomp Policies: For containerized workloads, CI/CD runners, and Kubernetes nodes exposed to untrusted code, implementing strictseccompprofiles to block the creation ofAF_ALGsockets can prevent exploitation. Since the exploit's initial step involves opening anAF_ALGsocket, denying this syscall effectively neutralizes the attack even on unpatched kernels.
# Illustrative seccomp policy snippet (JSON format for container runtimes)
# This policy would be integrated into container definitions (e.g., Docker, Kubernetes)
# to restrict syscalls.
{
"defaultAction": "SCMP_ACT_ALLOW",
"syscalls": [
{
"names": ["socket"],
"action": "SCMP_ACT_ERRNO",
"args": [
{"index": 0, "op": "SCMP_CMP_EQ", "val": 38} // AF_ALG == 38
],
"comment": "Deny AF_ALG socket creation to mitigate CVE-2026-31431"
}
]
}
When conducting security research or testing mitigations for vulnerabilities like "Copy Fail," using secure and isolated network configurations is paramount. Tools such as GProxy can assist in anonymous research and traffic routing, ensuring that sensitive activities are not inadvertently exposed or traced back to the research origin. This is particularly relevant when analyzing public PoCs or attempting to replicate exploitation scenarios in controlled environments.