A newly disclosed Linux kernel vulnerability — CVE-2026-31431, nicknamed Copy Fail — allows any unprivileged local user to obtain root on virtually every major Linux distribution shipped since 2017. Discovered by Xint Code Research in collaboration with Theori researcher Taeyang Lee, the exploit fits in a 732-byte Python script, requires no compiled payloads, no race conditions, and no per-distribution tuning. It works identically on Ubuntu, Amazon Linux, RHEL, and SUSE. It also crosses container boundaries, making it a Kubernetes node compromise vector.

What Is Copy Fail and Why Does It Stand Apart?

High-profile Linux privilege escalation bugs have a history of requiring finesse. Dirty Cow (CVE-2016-5195) needed a race condition in the VM subsystem's copy-on-write path — multiple attempts, timing windows, and occasional system crashes. Dirty Pipe (CVE-2022-0847) was version-gated and required careful pipe buffer manipulation.

Copy Fail is a straight-line logic flaw. There are no races to win, no retries, and no timing windows to hit. The write is deterministic. The script runs once and succeeds.

• Portable: No per-distro offsets, no version checks, no recompilation. The same script runs on every tested distribution and architecture.
• Tiny: 732 bytes of Python using only the standard library (os, socket, zlib). Python 3.10+ is the only requirement, for os.splice.
• Stealthy: The corrupted page is never marked dirty by the kernel's writeback machinery. The on-disk file is untouched. Standard integrity tools that compare on-disk checksums will not detect the modification.
• Cross-container: Because the page cache is shared across all processes on a host, Copy Fail breaks container isolation and serves as a Kubernetes escape primitive.

The Root Cause: Page Cache Pages in a Writable Scatterlist

AF_ALG is a kernel socket type that exposes the cryptographic subsystem to unprivileged userspace. Any user can open an AF_ALG socket, bind it to an AEAD (Authenticated Encryption with Associated Data) template, and invoke encryption or decryption on arbitrary data — no privileges required.

The other ingredient is splice(), which transfers data between file descriptors and pipes without copying, passing page cache pages by reference. When an attacker splices a target file into a pipe and then into an AF_ALG socket, the socket's input scatterlist holds direct references to the kernel's cached pages of that file. These are not copies — the scatterlist entries point at the same physical pages that back every read(), mmap(), and execve() call against that file system-wide.

For AEAD decryption, algif_aead.c sets up the operation in-place: the same scatterlist serves as both input and output. The AAD and ciphertext are byte-copied from the input scatterlist into the output buffer via memcpy_sglist — a legitimate copy that only reads the page cache pages. But the authentication tag, the trailing authsize bytes of the input, is not copied. Instead, the kernel chains those scatterlist entries directly onto the end of the output scatterlist using sg_chain():

The output scatterlist ends up with two regions: the user's recvmsg buffer holding copied AAD and ciphertext, followed by the chained tag pages that still reference the original page cache pages of the target file. Both req->src and req->dst point at the head of this combined chain.

This in-place design places page cache pages inside a writable scatterlist. Nothing in the API enforces that every AEAD algorithm will confine its writes to the intended destination, and nothing documents that requirement. One algorithm breaks this silent invariant entirely.

The Trigger: authencesn's Scratch Write

The authencesn AEAD template is the specific component that violates the invariant. During decryption, authencesn writes intermediate cryptographic state — a scratch value — into the scatterlist at a calculated offset. Because the output scatterlist now includes the chained page cache pages, that scratch write lands directly in the kernel's in-memory representation of the target file.

The result is a controlled 4-byte write into the page cache of any file the attacker can read. Since setuid binaries are world-readable, the attacker chooses one, patches 4 bytes in its in-memory image to disable a permission check or redirect execution, and then triggers it. The binary runs as root. The on-disk file remains byte-for-byte identical to the original.

Exploitation: From 4 Bytes to Root

Translating a 4-byte arbitrary page cache write into privilege escalation is straightforward with a setuid binary as the target. The attacker's workflow is:

• Identify a setuid binary and locate the exact file offset of a branch or permission check to overwrite.
• Splice the file into a pipe to populate the AF_ALG input scatterlist with the target's page cache pages.
• Initiate an AEAD decryption request crafted so that authencesn's scratch write falls at the desired 4-byte offset within the target page.
• Execute the now-corrupted setuid binary. The kernel's page cache serves the corrupted in-memory version, which executes with root privileges.

Because the page cache is global and shared across namespace boundaries, the same write is immediately visible to every process on the host — including those inside containers. The researchers note that Part 2 of this series will cover the full Kubernetes node compromise path enabled by this primitive.

Detection Gaps and Why Traditional Integrity Tools Miss It

The stealth characteristic of Copy Fail deserves specific attention for defenders. Tools like AIDE, Tripwire, and similar file integrity monitors work by hashing files on disk and comparing against a known baseline. Because the kernel never marks the corrupted page dirty, no writeback occurs, and the on-disk file remains unchanged. Hash comparisons against the filesystem will always return clean.

Detection requires monitoring the page cache directly, comparing in-memory file content against trusted on-disk copies, or detecting the anomalous AF_ALG + splice() usage pattern at the system call level. eBPF-based runtime security tools that trace splice() calls into AF_ALG sockets are a more effective detection surface than traditional HIDS approaches for this class of bug.

Affected Systems and Remediation

CVE-2026-31431 affects the Linux kernel's authencesn template and is exploitable on systems running kernels shipped since 2017. The researchers confirmed root exploitation on:

• Ubuntu (multiple LTS versions)
• Amazon Linux
• Red Hat Enterprise Linux (RHEL)
• SUSE Linux Enterprise

Remediation requires applying the kernel patch issued by the Linux kernel security team, which fixes the in-place scatterlist construction in algif_aead.c to prevent page cache pages from appearing in the writable output scatterlist. Distribution-specific advisories are being coordinated through the standard Linux security disclosure process.

As a temporary mitigation where patching is not immediately possible, disabling AF_ALG socket access for unprivileged users via seccomp policy or restricting splice() calls into AF_ALG sockets at the LSM layer reduces exposure, though neither constitutes a complete fix.

How It Was Found: AI-Assisted Vulnerability Research

The discovery of Copy Fail illustrates an emerging research methodology. The initial insight came from Theori researcher Taeyang Lee, who was manually studying how the Linux crypto subsystem interacts with page-cache-backed data. Rather than manually auditing every AEAD template against this hypothesis, Lee used the Xint Code AI security research platform to scale the analysis across the entire crypto subsystem. Copy Fail emerged as the most critical finding in that automated survey.

This pattern — human researcher identifies a promising attack surface, AI tooling exhaustively enumerates instances — is increasingly common in high-quality vulnerability research and is likely to surface more bugs in large, complex kernel subsystems that are difficult to audit manually at scale.

Conclusion

CVE-2026-31431 is a textbook example of a dangerous design-level assumption becoming an exploitable invariant violation. The authencesn scratch write has presumably existed in the kernel for years; it became critical only when paired with the realization that AF_ALG + splice() can populate a writable scatterlist with page cache pages that back world-readable setuid binaries.

The combination of determinism, portability, stealth, and cross-container reach makes Copy Fail one of the more impactful Linux local privilege escalation vulnerabilities in recent years. Organizations running Linux workloads — particularly those operating multi-tenant Kubernetes clusters — should treat this as a critical patch priority and validate that their runtime detection tooling is capable of identifying page-cache-level tampering, not just on-disk file changes.