CVE-2026-31431 Copy Fail Linux Kernel Flaw Enables Local Root Privilege Escalation
CVE-2026-31431, known as Copy Fail, is a Linux kernel local privilege escalation flaw in algif_aead that can allow an unprivileged local user to gain root. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog.
The issue is not a remote code execution vulnerability by itself. It becomes dangerous when an attacker already has local code execution, a shell account, a compromised container, access to a CI runner, or another foothold on a shared Linux host.
CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities catalog on May 1, 2026. Microsoft described observed exploitation as limited and primarily seen in proof-of-concept testing, but warned that the availability of a working PoC increases the likelihood of broader threat actor use.
Summary
Copy Fail is a high-impact Linux kernel privilege escalation issue because it affects a common kernel interface, requires only low privileges, and does not require user interaction. The CVSS 3.1 score assigned by the kernel.org CNA is 7.8 High with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
The vulnerability matters most for environments where untrusted code can run on a shared kernel. That includes Kubernetes worker nodes, container platforms, build systems, self-hosted CI runners, shared development boxes, jump hosts, research sandboxes, cloud SaaS platforms running user code, and multi-user Linux servers.
Defenders should prioritize kernel updates and vendor-specific mitigations. Where immediate patching is not possible, vendors and advisories recommend disabling or blocking the affected algif_aead/AF_ALG exposure according to distribution guidance.
What happened
The Linux kernel CVE record describes the issue as a vulnerability resolved by reverting algif_aead to operating out-of-place. The kernel.org CNA notes that there is no benefit in operating in-place in algif_aead because the source and destination come from different mappings.
Theori/Xint publicly disclosed the flaw as Copy Fail on April 29, 2026, after reporting it to the Linux kernel security team in March 2026. Theori’s public write-up says the issue stems from an in-place optimization introduced in 2017 that allowed page-cache pages to be placed into a writable scatterlist under specific crypto API behavior.
CISA later added CVE-2026-31431 to the Known Exploited Vulnerabilities catalog with a remediation due date of May 15, 2026, for covered U.S. federal civilian agencies. That KEV entry means CISA has evidence of exploitation in the wild.
Affected products
| Product | Affected versions | Fixed versions | Source notes |
|---|---|---|---|
| Linux kernel | Kernels containing the vulnerable algif_aead in-place behavior introduced in 2017 | Upstream and stable fixes revert algif_aead to out-of-place operation | NVD lists kernel.org patches and CVSS 7.8 High |
| Ubuntu | Ubuntu says the vulnerability affects all Ubuntu releases before Resolute 26.04; its tracker carries status entries for Bionic, Focal, Jammy, Noble, and Questing | Ubuntu released mitigations through kmod; kernel package fixes are handled through Ubuntu security updates | Ubuntu rates it High and describes it as trivial local privilege escalation |
| Debian | Debian tracker listed vulnerable and fixed package states for Bullseye, Bookworm, Trixie, Forky, and Sid | Debian tracker lists fixed security package versions including Bullseye security, Bookworm security, Trixie security, Forky, and Sid | Check the Debian tracker for exact package versions per release |
| SUSE / openSUSE | SUSE says the issue affects almost all major Linux distributions with Linux kernels 4.14 and newer, including multiple SLES, Micro, Leap, and Liberty Linux versions | SUSE has published multiple advisories and package updates; exact state varies by product | SUSE rates the issue important and lists CVSS 7.8 |
| Amazon Linux | Amazon Linux advisory lists CVE-2026-31431 as Important with CVSS 7.8 | Follow Amazon Linux Security Center guidance for kernel updates and documented mitigations | AWS recommends disabling loading of the affected module where applicable |
| Container and Kubernetes hosts | Hosts are affected when the shared host kernel is vulnerable and untrusted local/container code can reach the vulnerable interface | Patch the host kernel and restrict affected interfaces for untrusted workloads | Microsoft and Theori/Xint both highlight container, CI, and cloud impact |
Technical details
CVE-2026-31431 is a local privilege escalation vulnerability in the Linux kernel crypto subsystem. The affected area is algif_aead, part of the AF_ALG userspace crypto API.
According to the available technical sources, the flaw involves an unsafe in-place operation path where source and destination mappings differ. Under specific use of the kernel crypto interface and page-cache-backed data, the vulnerable logic can allow an unprivileged local process to corrupt the page cache of readable files.
Theori/Xint describes the core primitive as a controlled four-byte write into the page cache. Microsoft describes the impact as corruption of cached content for readable files, including privileged binaries, without modifying the on-disk file. This can lead to execution with root privileges when the affected cached content is later used.
Confirmed technical attributes:
| Field | Detail |
|---|---|
| CVE | CVE-2026-31431 |
| Common name | Copy Fail |
| Vulnerability type | Linux kernel local privilege escalation |
| Affected component | algif_aead / AF_ALG userspace crypto API |
| CVSS 3.1 | 7.8 High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Attack vector | Local |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Impact | High confidentiality, integrity, and availability impact |
| CWE | CWE-669: Incorrect Resource Transfer Between Spheres |
This article intentionally does not include exploit code, payloads, or step-by-step exploitation details.
Exploitation status
CISA has listed CVE-2026-31431 in the Known Exploited Vulnerabilities catalog, which confirms evidence of exploitation in the wild.
Microsoft reported that active exploitation had been limited and primarily observed in proof-of-concept testing at the time of its May 1, 2026 analysis. Microsoft also warned that the availability of a fully working public PoC and the broad Linux exposure could increase exploitation attempts.
Theori/Xint published a public proof of concept for defensive validation. Public PoC availability should not be treated as the same thing as widespread exploitation, but it materially increases operational risk for exposed shared Linux environments.
Impact
Successful exploitation can allow an unprivileged local user to gain root privileges on a vulnerable Linux host. That is serious on any system, but the risk is highest where local execution is expected or easily obtained.
Practical impact includes:
| Scenario | Risk |
|---|---|
| Shared Linux server | A low-privileged user may become root |
| CI/CD runner | Untrusted build or pull-request code may compromise the runner |
| Kubernetes node | A compromised workload may threaten the shared host kernel |
| Multi-tenant container host | One tenant workload may impact the node or other tenants |
| Cloud sandbox or notebook service | User-supplied code may become host-level compromise |
| Post-exploitation chain | Web RCE, stolen SSH credentials, or container access may be upgraded to root |
Microsoft notes that the issue is not remotely exploitable in isolation. Attackers need local code execution or a similar foothold first.
Defender guidance
Prioritize this vulnerability based on where untrusted users or workloads can run code.
Recommended defender actions:
- Patch Linux kernel packages using your distribution’s official security updates.
- Prioritize Kubernetes nodes, container hosts, CI runners, shared servers, developer jump boxes, and any system running untrusted code.
- Apply vendor-documented mitigations if kernel updates are not yet available or cannot be deployed immediately.
- Restrict or block access to affected kernel crypto interfaces for untrusted workloads where supported by your container/runtime policy.
- Review container admission policies and avoid privileged containers for untrusted workloads.
- Recycle or rebuild nodes where exploitation is suspected, especially in containerized and CI environments.
- Treat successful exploitation as root-level host compromise, not merely container compromise.
- Verify kernel package versions after patching and reboot systems where required by the vendor.
Do not rely only on file integrity monitoring for this issue. The attack affects page-cache-backed content in memory, so disk-based checks alone may not show the modification.
Detection and hunting notes
No universal public IOC set is available from the authoritative sources reviewed. Detection should focus on behavior, vulnerable asset exposure, and unusual privilege transitions.
Useful hunting ideas:
| Signal | Type | Notes |
|---|---|---|
| Unexpected use of AF_ALG sockets by untrusted user processes | Behavioral | Prioritize CI runners, containers, shells, and sandbox processes |
| algif_aead module loaded on high-risk shared hosts | Exposure | Treat as urgent when kernel patching is pending |
| Unusual execution of setuid-root binaries after untrusted local process activity | Behavioral | Review authentication and privilege escalation logs |
| Sudden UID 0 process creation from CI, container, or non-admin user context | Behavioral | Investigate as possible local privilege escalation |
| Microsoft Defender detections for Copy Fail exploitation | Product detection | Microsoft lists detections for Defender Antivirus, Defender for Endpoint, Defender for Cloud, and vulnerability management coverage |
| Vulnerable Linux kernel package inventory | Asset exposure | Use distribution trackers and vulnerability management tools to identify affected systems |
For container environments, also review runtime events where untrusted workloads create unusual socket families, execute setuid binaries, or trigger unexpected host-level behavior.
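As an added example (not code from the article or from any of the cited vendors), the following Python scans auditd SYSCALL records for the first signal in the table above, AF_ALG socket creation by processes that have no business using the kernel crypto API. The audit rule, the sample records and the allowlist of expected programs are constructed assumptions; build the allowlist from your own baseline.

```python
import re

AF_ALG = 38                 # socket family number of the kernel crypto API
SYS_SOCKET_X86_64 = 41      # socket(2) syscall number when arch=c000003e
X86_64_ARCH = "c000003e"
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed auditd SYSCALL records (not real captures). They assume an audit
# rule such as:  -a always,exit -F arch=b64 -S socket -k socket_family
# a0 is printed in hex, so AF_ALG (38) appears as a0=26; a1=5 is SOCK_SEQPACKET.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1777600001.101:201): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 items=0 ppid=900 pid=901 auid=1000 uid=1000 gid=1000 euid=1000 comm="curl" exe="/usr/bin/curl" key="socket_family"
type=SYSCALL msg=audit(1777600002.202:202): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1200 pid=1201 auid=4294967295 uid=1000 gid=1000 euid=1000 comm="runner" exe="/home/runner/bin/runner" key="socket_family"
type=SYSCALL msg=audit(1777600003.303:203): arch=c000003e syscall=41 success=yes exit=4 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1 pid=777 auid=4294967295 uid=0 gid=0 euid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="socket_family"
type=PROCTITLE msg=audit(1777600002.202:202): proctitle=72756E6E6572
"""

def parse_audit_record(line):
    """Split one auditd record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def is_af_alg_socket(rec):
    """True when the record is a socket(2) call whose first argument is AF_ALG."""
    if rec.get("type") != "SYSCALL" or rec.get("arch") != X86_64_ARCH:
        return False
    if rec.get("syscall") != str(SYS_SOCKET_X86_64):
        return False
    return int(rec.get("a0", "0"), 16) == AF_ALG

def hunt_af_alg(log_text, expected_exes=frozenset()):
    """Return one finding per AF_ALG socket creation, rated by who opened it.
    expected_exes: programs known to use AF_ALG legitimately (your own baseline);
    any other caller with a non-root uid meets the Copy Fail precondition -> high."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_audit_record(line)
        if not is_af_alg_socket(rec):
            continue
        uid, exe = int(rec.get("uid", "0")), rec.get("exe", "")
        severity = "info" if exe in expected_exes else ("high" if uid else "medium")
        findings.append({"event": rec.get("msg"), "pid": rec.get("pid"), "uid": uid,
                         "comm": rec.get("comm"), "exe": exe, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in hunt_af_alg(SAMPLE_AUDIT_LOG, {"/usr/sbin/cryptsetup"}):
        print(f["severity"], f["uid"], f["comm"], f["exe"], f["event"])
```

On other architectures the syscall number and arch field differ, so extend the constants rather than dropping the arch check.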
Mitigation
The primary mitigation is to install the fixed kernel packages from your Linux distribution.
Where immediate patching is not possible, use vendor-supported workarounds. Multiple sources recommend disabling or blocking the affected algif_aead exposure, and Theori/Xint also recommends blocking AF_ALG socket creation for untrusted workloads through runtime policy such as seccomp.
Mitigation guidance differs by distribution and architecture. Follow the vendor page for your operating system rather than copying commands from third-party posts.
| Mitigation | When to use | Notes |
|---|---|---|
| Kernel update | Preferred remediation | Apply official distribution security updates and reboot where required |
| Disable affected module | Temporary workaround | Use only vendor-supported instructions for your distro and architecture |
| Block AF_ALG for untrusted workloads | Container/CI hardening | Useful for Kubernetes, CI, sandbox, and shared-code platforms |
| Remove unnecessary shell access | Exposure reduction | Helps reduce local exploitation paths |
| Rebuild suspected hosts | Incident response | Treat suspected exploitation as host-level compromise |
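The "disable affected module" workaround only helps when the module is not built into the kernel, is not already loaded, and is blocked by a directive modprobe actually honours. The check below is an added example (my code, not any distribution's tooling): it reads /proc/modules, modules.builtin and /etc/modprobe.d on a host and reports whether the workaround can apply. It recognises the generic modprobe.d directive forms only, not any vendor's specific rule, and it does not decide whether the kernel package itself is fixed; take that from your distribution's tracker.

```python
import glob
import os
import re

MODULE = "algif_aead"
DIRECTIVE_RE = re.compile(r"^\s*(install|blacklist)\s+algif[-_]aead\b", re.IGNORECASE)  # modprobe treats - and _ alike

def module_loaded(proc_modules_text):
    """True if algif_aead is in /proc/modules; a new install rule does not unload it."""
    return any(line.split()[0] == MODULE for line in proc_modules_text.splitlines() if line.strip())

def module_builtin(modules_builtin_text):
    """True if algif_aead was compiled in (listed in modules.builtin): no module workaround applies."""
    return any(os.path.basename(l.strip()) == MODULE + ".ko"
               for l in modules_builtin_text.splitlines())

def modprobe_policy(conf_texts):
    """Collect install/blacklist directives for algif_aead from modprobe.d files.
    'install ... /bin/false' blocks every load, including ones the kernel requests
    on first AF_ALG use; 'blacklist' only disables alias-based autoloading."""
    seen = {"install": False, "blacklist": False}
    for text in conf_texts:
        for line in text.splitlines():
            m = DIRECTIVE_RE.match(line)
            if m:
                seen[m.group(1).lower()] = True
    return seen

def assess(proc_modules_text, modules_builtin_text, conf_texts):
    """Return (status, reason) for the module workaround on one host.
    Kernel package fix status is deliberately not judged here; use the
    distribution tracker for that."""
    if module_builtin(modules_builtin_text):
        return "exposed", "algif_aead is built in; module workaround does not apply"
    if module_loaded(proc_modules_text):
        return "exposed", "algif_aead is already loaded; a modprobe rule only affects future loads"
    policy = modprobe_policy(conf_texts)
    if policy["install"]:
        return "mitigated", "install rule prevents loading until the fixed kernel is in place"
    if policy["blacklist"]:
        return "weak", "blacklist only stops alias autoload; explicit loads still succeed"
    return "exposed", "module can be autoloaded on first AF_ALG aead use"

if __name__ == "__main__":  # run on the host itself
    release = os.uname().release
    builtin = f"/lib/modules/{release}/modules.builtin"
    print(assess(open("/proc/modules").read(),
                 open(builtin).read() if os.path.exists(builtin) else "",
                 [open(p).read() for p in sorted(glob.glob("/etc/modprobe.d/*.conf"))]))
```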
Timeline
| Date | Event |
|---|---|
| 2017 | Vulnerable algif_aead in-place behavior was introduced, according to Theori/Xint’s root-cause analysis |
| 2026-03-23 | Theori/Xint says it reported the issue to the Linux kernel security team |
| 2026-03-24 | Initial acknowledgment received, according to Theori/Xint |
| 2026-03-25 | Patches proposed and reviewed, according to Theori/Xint |
| 2026-04-01 | Patch committed to the mainline kernel, according to Theori/Xint |
| 2026-04-22 | CVE-2026-31431 published by NVD / kernel.org CNA |
| 2026-04-29 | Theori/Xint publicly disclosed Copy Fail |
| 2026-04-30 | Ubuntu published mitigation guidance and CERT-EU issued an advisory |
| 2026-05-01 | CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities catalog |
| 2026-05-04 | Singapore CSA warned that the flaw was actively exploited and that a PoC was publicly available |
| 2026-05-15 | CISA KEV remediation due date for covered U.S. federal civilian agencies |
Bottom line
CVE-2026-31431 is not a network worm and it does not give remote attackers access by itself. That should not make defenders comfortable.
Copy Fail is dangerous because any local foothold on a vulnerable shared Linux kernel may become root. Patch Linux kernels quickly, prioritize shared and containerized environments, apply vendor mitigations where patching is delayed, and treat suspected exploitation as a full host compromise.
Sources
- https://nvd.nist.gov/vuln/detail/CVE-2026-31431
- https://www.cve.org/CVERecord?id=CVE-2026-31431
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431
- https://www.microsoft.com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/
- https://copy.fail/
- https://xint.io/blog/copy-fail-linux-distributions
- https://github.com/theori-io/copy-fail-CVE-2026-31431
- https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available
- https://ubuntu.com/security/CVE-2026-31431
- https://security-tracker.debian.org/tracker/CVE-2026-31431
- https://www.suse.com/security/cve/CVE-2026-31431.html
- https://www.suse.com/c/suse-responds-to-the-copy-fail-vulnerability/
- https://explore.alas.aws.amazon.com/CVE-2026-31431.html
- https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2026-047/
- https://cert.europa.eu/publications/security-advisories/2026-005/
