“Copy Fail” – Linux local privilege escalation vulnerability (CVE-2026-31431)
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Copy Fail is a Linux local privilege escalation vulnerability tracked as CVE-2026-31431 that enables an unprivileged user to gain root access by corrupting the page cache of a setuid binary through abuse of AF_ALG and splice. The flaw has been present in Linux kernels shipped since 2017 and affects all major distributions. Exploitation requires only local code execution and does not depend on network access. In practical terms, the bug can also be used to break out of containers and compromise shared or CI-driven environments.
Investigation
Researchers from Xint Code identified a 732-byte Python proof-of-concept that exploits a logic flaw in the Linux crypto subsystem, specifically within authencesn, and abuses AF_ALG sockets to write attacker-controlled data into a page-cache page. The exploit alters the target setuid binary in memory rather than on disk, allowing the attacker to obtain a real root shell when the binary is executed. The public proof-of-concept was tested successfully against kernels used in Ubuntu, Amazon Linux, RHEL, and SUSE environments.
Mitigation
The main fix is to apply the kernel patch that reverts the 2017 algif_aead in-place optimization introduced by commit a664bf3d603d. Linux vendors are already rolling out patched versions. As an interim safeguard, administrators can blacklist the algif_aead module through modprobe and remove it from the running kernel. For untrusted workloads, blocking AF_ALG socket creation with seccomp provides an additional layer of protection.
Response
Security teams should immediately verify kernel versions and patch status across all Linux systems. Updated kernel packages or vendor backports should be deployed as soon as possible. Where patching cannot happen right away, defenders should blacklist the algif_aead module and enforce seccomp rules that block AF_ALG socket use. Monitoring should also cover suspicious changes involving setuid binaries and execution patterns resembling copy_fail_exp.py or related exploit behavior.
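As an added example, not part of the original advisory, the following POSIX shell helpers implement the interim safeguards named under Mitigation and Response: check lsmod-style output for the algif_aead module, emit the modprobe.d fragment that blacklists it, and emit a seccomp profile fragment that rejects AF_ALG socket creation. The config file name and the choice of EAFNOSUPPORT as the returned errno are assumptions.

```shell
#!/bin/sh
# Added example for CVE-2026-31431 interim mitigation (not the advisory's own code).
# Assumes a Linux host where algif_aead is a loadable module, not built in.

AF_ALG=38          # address family number of AF_ALG on Linux
EAFNOSUPPORT=97    # errno returned to the caller when the socket is refused

# Constructed sample of `lsmod` output so the check can be exercised offline.
SAMPLE_LSMOD='Module                  Size  Used by
algif_aead             16384  0
af_alg                 32768  1 algif_aead
xt_conntrack           16384  1'

# Read lsmod-style text on stdin; print "loaded" if algif_aead is present.
algif_aead_status() {
    if awk '$1 == "algif_aead" { found = 1 } END { exit !found }'; then
        echo loaded
    else
        echo absent
    fi
}

# modprobe.d fragment: "blacklist" stops alias-based autoload triggered by
# binding an AF_ALG "aead" socket; "install ... /bin/false" refuses explicit loads.
modprobe_conf() {
    printf '%s\n' \
        '# CVE-2026-31431 interim mitigation' \
        'blacklist algif_aead' \
        'install algif_aead /bin/false'
}

# Docker/containerd-style seccomp rule: socket() with domain AF_ALG fails with
# EAFNOSUPPORT. Merge the "syscalls" entry into your existing default profile
# rather than shipping this allow-by-default stub on its own.
seccomp_profile() {
    cat <<EOF
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    { "names": ["socket"], "action": "SCMP_ACT_ERRNO", "errnoRet": $EAFNOSUPPORT,
      "args": [ { "index": 0, "value": $AF_ALG, "op": "SCMP_CMP_EQ" } ] }
  ]
}
EOF
}

# Live host application (needs root): persist the config, then unload the
# module so the current boot is covered too. File path is an assumption.
apply_host_mitigation() {
    modprobe_conf > /etc/modprobe.d/cve-2026-31431.conf
    modprobe -r algif_aead 2>/dev/null || true
}

# Run with --check to report only; nothing is modified without apply_host_mitigation.
[ "${1:-}" = "--check" ] && lsmod | algif_aead_status
```

Verify afterwards that `lsmod | algif_aead_status` prints `absent` and that `modprobe algif_aead` now fails; both must hold for the blacklist to count as effective.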
Attack Flow
We are still updating this part.