The Copy Fail vulnerability, tracked as CVE-2026-31431 in the Linux kernel, has emerged as a serious local privilege escalation issue affecting many mainstream Linux distributions released since 2017. The vulnerability, discovered by Theori and Xint Code, allows an attacker with a standard user account to gain root privileges. It was publicly announced on April 29, 2026, with a confirmed CVSS score of 7.8, rated High.
What makes Copy Fail stand out is that it involves none of the race conditions, distribution-specific memory addresses or precise timing requirements seen in many Linux privilege escalation vulnerabilities. According to the researchers, a root shell could be obtained by running the same short Python PoC script on Ubuntu, Amazon Linux, RHEL and SUSE. The vulnerability is caused by a logic error in the algif_aead module in the Linux kernel's cryptography subsystem.
Why is the Copy Fail vulnerability critical for Linux servers?
Copy Fail arises from an error chain in the Linux kernel in which the authencesn cryptographic template, the AF_ALG interface and the splice() mechanism are used together. Even with only a normal user account on the system, the attacker can write 4 bytes, in a controlled manner, into the kernel's page cache, the high-speed cache layer where Linux keeps file contents in RAM.
When a setuid binary such as /usr/bin/su is chosen as the target, the copy in RAM can be manipulated without changing the file on disk. This is one of the most critical aspects of the vulnerability: because the change is never written to the file on disk, classic integrity checks may report that the file still matches the official package hash. Yet since the system executes the page cache copy when the program runs, the attacker gains root privileges.
This temporary change disappears when the system is restarted or when the cache is evicted under memory pressure; the root shell the attacker has obtained, however, is real. The history of the vulnerability dates back to an in-place optimization added to the Linux kernel in 2017, which weakened the separation between source and destination data paths on the algif_aead side. In the Linux kernel CVE records, the bug is associated with commit 72548b093ee3, introduced in the 4.14 release line; the main fix came with commit a664bf3d603d.
The Ubuntu security record also states that the fix was achieved by switching algif_aead to out-of-place operation. Copy Fail is not a vulnerability that can be exploited remotely on its own: the attacker must first be able to run code on the system or obtain access to a regular user account. Once that condition is met, however, the risk increases sharply. Shared development machines, jump hosts, build servers, CI runners, Kubernetes nodes, container clusters, notebook services, agent sandboxes and cloud platforms that run user code are among the riskiest environments.
Because containers share the host kernel and its page cache, the vulnerability becomes a privilege escalation vector that reaches outside the container. The researchers directly confirmed the vulnerability on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1 and SUSE 16. Other distributions using affected kernels, such as Debian, Arch, Fedora, Rocky Linux, AlmaLinux, Oracle Linux and embedded Linux systems, are also considered in scope.
The determining factor is not the distribution name but the kernel version in use and whether the relevant fix is included in the package. According to the timeline, the vulnerability was reported to the Linux kernel security team on March 23, 2026. Initial approval came on March 24, patches were proposed and reviewed on March 25, the main fix entered the mainline kernel on April 1, the CVE-2026-31431 identifier was assigned on April 22, and the public announcement was made on April 29.
The findings are said to have been surfaced by AI-assisted Xint Code scanning; however, the research started from Theori researcher Taeyang Lee's technical observation about the relationship between the Linux crypto subsystem and page cache-backed data paths. The first step for system administrators is to move to the current kernel package provided by their distribution. The fix is reported to have landed in mainline with commit a664bf3d603d and to be included in stable branches in fixed versions such as 6.18.22 and 6.19.12.
On systems that cannot be updated immediately, disabling the algif_aead module stands out as a temporary measure. If the module is loaded dynamically, a rule that prevents algif_aead from loading can be added to /etc/modprobe.d/disable-algif.conf and the currently loaded module can be removed. This stopgap does not give the same result on every system: in some enterprise kernel configurations the component is built directly into the kernel rather than shipped as a module.
In that scenario, removing the module is not possible, and other methods, such as blocking it with a boot parameter, may be required. In environments running untrusted workloads, it is recommended to restrict AF_ALG socket creation with mechanisms such as seccomp, even after patching. The practical impact of Copy Fail may be more limited for desktop users, because the attacker must first run native code on the machine; the risk is much higher, however, for multi-user servers, self-hosted CI runners, container-based services and cloud environments.
For this reason, in infrastructures using Linux, the kernel version and distribution security patches must be checked immediately.
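A defender-side triage script for the steps above, added here as an example rather than code from the article or the researchers: it classifies the running kernel against the fixed versions the article names (6.18.22 and 6.19.12), checks whether algif_aead is loaded, built in or absent, and prints the modprobe stopgap only where it can apply. The exact rule text and file paths are assumptions.

```shell
#!/bin/sh
# Added triage helper for CVE-2026-31431 (Copy Fail); not code from the
# article, Theori or Xint Code. Version thresholds are the fixed stable
# releases the article names; the rule text and file paths are assumptions.
# copyfail_status VERSION -> prints "fixed", "vulnerable" or "unknown".
# Only 6.18.y and 6.19.y are classified; other branches are "unknown" and
# must be checked against the distribution's own advisory.
copyfail_status() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop "-generic" style suffixes
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs    # split on dots
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}           # "6.19" means patch level 0
    case "$maj.$min" in
        6.18) [ "$pat" -ge 22 ] && echo fixed || echo vulnerable ;;
        6.19) [ "$pat" -ge 12 ] && echo fixed || echo vulnerable ;;
        *)    echo unknown ;;
    esac
}

# algif_aead_state -> "loaded", "builtin", "absent" or "unknown".
# A built-in algif_aead cannot be removed or blocked with modprobe rules,
# which is the enterprise-kernel caveat the article raises.
algif_aead_state() {
    builtin_list="/lib/modules/$(uname -r)/modules.builtin"
    if grep -q '^algif_aead ' /proc/modules 2>/dev/null; then
        echo loaded
    elif [ -r "$builtin_list" ] && grep -q 'algif_aead' "$builtin_list"; then
        echo builtin
    elif [ -r /proc/modules ]; then
        echo absent
    else
        echo unknown
    fi
}

# modprobe_rule -> assumed contents for /etc/modprobe.d/disable-algif.conf:
# "install" makes any load request run /bin/false instead of the module.
modprobe_rule() {
    printf 'install algif_aead /bin/false\nblacklist algif_aead\n'
}

# Read-only report for the current host (nothing is written or unloaded).
kernel=$(uname -r); status=$(copyfail_status "$kernel"); state=$(algif_aead_state)
echo "kernel $kernel: $status; algif_aead: $state"
if [ "$status" != fixed ]; then
    case "$state" in
        builtin) echo "algif_aead is built in: modprobe rules do not apply, update the kernel" ;;
        *)       echo "stopgap for /etc/modprobe.d/disable-algif.conf:"; modprobe_rule ;;
    esac
fi
```

Writing the rule and unloading the module (rmmod algif_aead) remain manual steps; the script only reports, so it is safe to run on a fleet first.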