Copy Fail Vulnerability in Linux Kernel Enables Local Privilege Escalation to Root

The Linux security landscape has been shaken by the discovery of "Copy Fail," a high-severity vulnerability that allows unprivileged local users to gain full root access. Tracked as CVE-2026-31431, this flaw resides in the kernel's cryptographic subsystem and affects nearly every major distribution released since 2017. Security researchers have demonstrated that a tiny 732-byte Python script is enough to compromise systems ranging from Ubuntu to Red Hat Enterprise Linux.

TL;DR

CVE-2026-31431 (Copy Fail) is a Local Privilege Escalation (LPE) flaw in the Linux kernel's algif_aead module. It allows an unprivileged user to write four controlled bytes into the page cache of any readable file, which can be used to hijack setuid binaries and gain root. The vulnerability is highly portable, works across containers, and requires immediate patching across all major Linux distributions.

---

Understanding the Flaw: The algif_aead Logic Error

The vulnerability, discovered by research teams at Xint.io and Theori, stems from a logic flaw within the Linux kernel’s cryptographic subsystem. Specifically, the issue is located in the algif_aead module, which handles Authenticated Encryption with Associated Data (AEAD).

The root cause traces back to a source code commit made in August 2017. This commit introduced an "in-place optimization" that inadvertently allows a page-cache page to be included in the kernel’s writable destination scatterlist for an AEAD operation.

Technical Terminology for Junior Devs:

• Page Cache: A transparent buffer in RAM where the kernel stores data recently read from the disk to speed up subsequent access.
• Setuid Binary: A file that, when executed, runs with the privileges of the file's owner (often root) rather than the user who started it (e.g., /usr/bin/su).
• Scatterlist: A data structure used in the Linux kernel to handle memory that is not contiguous (spread out in different locations).

By exploiting this optimization via an AF_ALG socket (an interface used to access kernel crypto functions from user space), an attacker can use the splice() system call to perform a targeted write into the page cache of a file they do not own.

Impact and Portability

The researchers have codenamed the vulnerability Copy Fail because of its ability to corrupt the cached "copy" of a file in memory. While it bears similarities to the well-known "Dirty Pipe" (CVE-2022-0847) vulnerability of 2022, it exists in a completely different subsystem.

The vulnerability is particularly dangerous for the following reasons:

1. Reliability: Unlike many kernel exploits, Copy Fail does not require a race condition (a situation where the outcome depends on the timing of processes) or a kernel offset.
2. Size: The exploit can be contained in a mere 732-byte Python script.
3. Cross-Container Escape: Because the page cache is an architectural design shared across all processes and namespaces on a system, the exploit can be used to cross container boundaries.
4. Stealth: It allows a low-level account to bypass sandboxing and increase privileges to full administrator access silently.

Distribution Exposure

Since the problematic code was introduced in late 2017, essentially all Linux distributions shipped over the last nine years are vulnerable if they haven't been patched. Confirmed vulnerable distributions include:

• Ubuntu
• Red Hat Enterprise Linux (RHEL)
• Amazon Linux
• SUSE
• Debian
• Arch Linux
• Gentoo
• CloudLinux

The Anatomy of the Exploit

According to the technical analysis, a successful attack involves four primary steps:

1. Opening an AF_ALG socket: The script binds to authencesn(hmac(sha256),cbc(aes)).
2. Shellcode Construction: The attacker prepares a small payload.
3. Page Cache Corruption: The script triggers a write operation to the kernel’s cached copy of a sensitive file, such as /usr/bin/su.
4. Execution: The attacker calls execve("/usr/bin/su"). Since the cached version of the binary in RAM has been modified with the attacker's four bytes, the system executes the injected code with root privileges.

Recommended Actions for Moroccan Sysadmins

For those managing infrastructure in Morocco—whether in local data centers or on cloud providers like AWS—this is a critical update.

• Patch Immediately: All mentioned distributions have released advisories. You must update your kernel to the latest version provided by your vendor.
• Kernel Commit: The fix is associated with Linux kernel commit 72548b093ee3. Ensure your kernel includes this fix.
• Verify Container Hosts: Because the vulnerability is cross-container, patching the host OS is vital to securing all containers running on it.

While the source does not explicitly list the specific patched version numbers for every single distribution, administrators should check their respective package managers (e.g., apt, yum, zypper) for the latest security updates released in April 2026.

Conclusion

Copy Fail represents a significant "primitive" in Linux exploitation—a reliable, tiny, and portable method for gaining root access. The fact that such a small script can compromise the integrity of the page cache across containers makes it a top priority for security practitioners. In a world where we rely on the kernel to enforce strict boundaries between users and processes, CVE-2026-31431 serves as a stark reminder of the long-lasting impact a single optimization commit can have.

Source: The Hacker News - New Linux 'Copy Fail' Vulnerability Enables Root Access on Major Distributions