Linux Copy Fail Flaw Lets Local Users Gain Root on Major Distros


A new Linux kernel vulnerability called Copy Fail can let an unprivileged local user gain root access on many mainstream Linux systems. The flaw is tracked as CVE-2026-31431 and affects kernels that include a crypto subsystem change introduced in 2017.

The issue is serious because public proof-of-concept exploit code is already available. Researchers say the exploit works without a race condition, custom offsets, or rebuilding code for each target distribution.

This is not a remote internet exploit by itself. An attacker first needs local code execution or user-level access on the system. That still creates major risk for shared servers, CI runners, build farms, Kubernetes nodes, and cloud environments that run untrusted workloads.

What Copy Fail does

Copy Fail affects the Linux kernel’s algif_aead component, which exposes authenticated encryption functions to user space through the AF_ALG socket interface.

The bug comes from an in-place crypto optimization added years ago. By combining AF_ALG with the splice() system call, an unprivileged user can trigger a small controlled write into the page cache of a readable file.

If that in-memory change affects a setuid-root binary, the attacker can change how the binary behaves when it runs. That can lead to root privileges without changing the file on disk.

At a glance

Item             Details
CVE              CVE-2026-31431
Name             Copy Fail
Component        Linux kernel algif_aead module and AF_ALG crypto interface
Bug type         Local privilege escalation
Severity         High, with a CVSS 3.1 score of 7.8 in the Ubuntu and CERT-EU advisories
Main risk        Local users or compromised workloads can gain root privileges
Public exploit   Yes

Why the flaw is hard to detect

Theori’s Xint Code research team says the bug can corrupt the page cache without modifying the file stored on disk. That matters because many file-integrity tools compare files on disk.

In simple terms, the system can read and execute the altered in-memory version while the original file still looks clean on disk. This can make normal checksum-based monitoring less useful during exploitation.

Theori compared the issue to earlier Linux privilege escalation flaws such as Dirty COW and Dirty Pipe, but said Copy Fail is easier to use because it does not need timing tricks or system-specific changes.

How researchers found it

The vulnerability was discovered by Theori researcher Taeyang Lee with help from the company’s AI-assisted Xint Code platform. The research focused on the Linux crypto subsystem and how it interacts with page-cache-backed data.

Theori reported the issue to the Linux kernel security team on March 23, 2026. Upstream fixes were committed on April 1, 2026, and public technical details appeared on April 29.

NVD describes the kernel fix as reverting the affected in-place algif_aead behavior. The official CVE record points to Linux stable commits that remove the risky behavior.

[Image: Getting a root shell on four Linux distributions. Source: Xint Code]

Which systems need attention

The affected range covers many mainstream Linux systems using kernels based on versions released since 2017. Researchers confirmed the issue on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16.

Ubuntu says all Ubuntu releases before 26.04 are affected or need mitigation in some form, although the status depends on the kernel package in use. SUSE also said Linux kernels 4.14 and newer are affected across many product lines.

Patch availability is moving quickly. AlmaLinux released patched kernels to its production repositories on May 1, while Ubuntu published a kmod-based mitigation and kernel fix guidance. At the time of checking, Amazon Linux still listed the affected kernel packages as pending a fix in its advisory.

Why containers and CI systems face extra risk

Copy Fail becomes more dangerous on systems that run code from many users or customers. A developer machine is at risk if malware already runs locally, but shared infrastructure gives attackers more chances to reach the vulnerable path.

Container platforms need special care because containers share the host kernel's page cache. Theori says the bug can cross container boundaries, and Ubuntu says container deployments that run potentially malicious workloads may face container-escape risk.

Microsoft also warned defenders to treat container remote code execution as possible host compromise when Copy Fail exposure exists. That makes fast node patching and recycling important for cloud and Kubernetes teams.

What administrators should do now

  • Check your Linux distribution’s CVE-2026-31431 advisory before applying any workaround.
  • Install patched kernel packages as soon as your vendor provides them.
  • Reboot after kernel updates so the fixed kernel actually loads.
  • Prioritize multi-tenant servers, CI runners, build farms, container hosts, and Kubernetes nodes.
  • Block or disable the affected AF_ALG path only if your vendor recommends that mitigation for your distro.
  • Review systems that allowed untrusted local users or workloads before patching.
  • Do not rely only on disk checksum tools to detect exploitation.

Be careful with generic mitigation commands

Some early guidance suggested disabling the algif_aead module through modprobe rules. That may work on some systems, but it does not work everywhere.

CloudLinux warned that the modprobe-based workaround does not work on CloudLinux, AlmaLinux, or other RHEL-family systems where algif_aead is built into the kernel. Running those commands on those systems can create a false sense of safety.

The safest option is to follow your vendor’s advisory, confirm the running kernel version after reboot, and verify whether the mitigation or patch actually applies to your system.
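The checklist above and the CloudLinux caveat both come down to one question an operator has to answer per host: is algif_aead a loadable module on this kernel, or built in, in which case a modprobe rule can never take effect? The following POSIX sh helper is an added example written for this article, not code from Theori, CloudLinux, or any distribution advisory. It reads the kernel's modules.builtin list and /proc/modules (both standard paths; some distributions place modules.builtin under /usr/lib/modules instead, which is an assumption you should check) and reports whether a modprobe-based workaround could even apply.

```sh
#!/bin/sh
# Added triage helper for CVE-2026-31431 (Copy Fail). It does not mitigate
# anything; it only tells you whether algif_aead on this host is built in,
# loaded as a module, or not loaded, so you know if a modprobe rule is useful.

# classify_algif_aead BUILTIN_LIST PROC_MODULES
#   BUILTIN_LIST : modules.builtin for the running kernel
#   PROC_MODULES : /proc/modules listing of loaded modules
# Prints one of: builtin | loaded | not-loaded
classify_algif_aead() {
    builtin_list="$1"
    proc_modules="$2"
    # Built in: blacklist/install rules under /etc/modprobe.d cannot remove it,
    # which is exactly the RHEL-family case CloudLinux warned about.
    if [ -r "$builtin_list" ] && grep -q 'algif_aead\.ko' "$builtin_list"; then
        echo builtin
        return 0
    fi
    # Loadable module that is currently resident in the kernel.
    if [ -r "$proc_modules" ] && grep -q '^algif_aead ' "$proc_modules"; then
        echo loaded
        return 0
    fi
    echo not-loaded
}

# modprobe_rule_present MODPROBE_DIR
#   Returns 0 if any *.conf file under MODPROBE_DIR mentions algif_aead.
modprobe_rule_present() {
    dir="$1"
    [ -d "$dir" ] && grep -qs 'algif_aead' "$dir"/*.conf
}

# Runs both checks against the live system and prints a one-line verdict.
report() {
    kver=$(uname -r)
    state=$(classify_algif_aead "/lib/modules/$kver/modules.builtin" /proc/modules)
    if modprobe_rule_present /etc/modprobe.d; then rule=present; else rule=absent; fi
    echo "kernel=$kver algif_aead=$state modprobe_rule=$rule"
    if [ "$state" = builtin ] && [ "$rule" = present ]; then
        echo "WARNING: algif_aead is built in; the modprobe rule has no effect. Rely on the vendor kernel patch and reboot."
    fi
}

report
```

Run it before and after the kernel update and reboot; a result of `builtin` with a modprobe rule present is the false-sense-of-safety case described above.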

FAQ

What is Copy Fail?

Copy Fail is a Linux kernel local privilege escalation vulnerability tracked as CVE-2026-31431. It affects the algif_aead crypto interface and can let a local unprivileged user gain root access.

Can hackers exploit Copy Fail remotely?

Not directly. The attacker needs local execution first. However, this still matters for servers, containers, CI runners, and cloud systems that process code or workloads from untrusted users.

Which Linux distros are affected?

The vulnerability affects many mainstream distributions that ship kernels based on the affected code introduced in 2017. Researchers confirmed exploitation on Ubuntu, Amazon Linux, RHEL, and SUSE test systems.

Is a patch available?

The upstream Linux fix exists, but vendor availability depends on the distribution and kernel stream. Some vendors have shipped patches or mitigations, while others are still updating affected packages.
