A newly disclosed Linux kernel vulnerability dubbed Copy Fail (CVE-2026-31431) enables any unprivileged local user to obtain root access on essentially every major Linux distribution shipped since 2017. Unlike many high-profile kernel exploits before it, Copy Fail requires no race conditions, no compiled payloads, and no distribution-specific offsets. A single 732-byte Python script is sufficient to corrupt a setuid binary in memory and escalate privileges deterministically — on Ubuntu, Amazon Linux, RHEL, and SUSE alike. Disclosed by Xint Code Research Team, with the initial insight coming from Theori researcher Taeyang Lee, this vulnerability represents a significant threat to Linux deployments everywhere, including containerized and Kubernetes environments.
What Is Copy Fail and Why Does It Stand Out?
Copy Fail is a logic bug in the Linux kernel's authencesn cryptographic template, a component of the kernel's AEAD (Authenticated Encryption with Associated Data) subsystem. The flaw allows an attacker to trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system — without any write permissions on that file.
Previous high-profile Linux privilege escalation vulnerabilities set a high bar for complexity. Dirty Cow (CVE-2016-5195) required winning a VM subsystem race condition and frequently needed multiple attempts, sometimes crashing the target system in the process. Dirty Pipe (CVE-2022-0847) was version-specific and demanded precise pipe buffer manipulation. Copy Fail is different in every meaningful way:
- Deterministic: The exploit is a straight-line logic flaw. No races, no retries, no timing windows.
- Portable: The same unmodified Python script works across Ubuntu, Amazon Linux, RHEL, and SUSE on all tested architectures. No per-distro offsets or recompilation required.
- Tiny: The entire exploit is a short Python script relying only on standard library modules —
os,socket, andzlib. It requires Python 3.10+ foros.splice. No compiled payloads, no dependency installation. - Stealthy: The corrupted page is never marked dirty by the kernel's writeback machinery. On-disk file integrity tools and checksum comparisons will not detect the modification because the file on disk remains unchanged — only the in-memory page cache is altered.
- Cross-container: Because the page cache is shared across all processes on a host, including across container boundaries, this is not only a local privilege escalation but also a container escape primitive and a Kubernetes node compromise vector.
The Root Cause: Page Cache Pages in a Writable Scatterlist
AF_ALG is a Linux socket type that exposes the kernel's crypto subsystem to unprivileged userspace. Any user can open an AF_ALG socket, bind it to an AEAD template, and invoke encryption or decryption operations on arbitrary data — no special privileges required.
The vulnerability chains two kernel primitives. First, splice() transfers data between file descriptors and pipes without copying, passing page cache pages by reference. When a user splices a readable file into a pipe and then into an AF_ALG socket, the socket's input scatterlist holds direct references to the kernel's cached pages of that file. These pages are not duplicated — the scatterlist entries point to the same physical memory that backs every read(), mmap(), and execve() of that file system-wide.
For AEAD decryption, the input is structured as AAD (associated authenticated data) followed by ciphertext followed by an authentication tag. Inside algif_aead.c, the kernel's recvmsg() sets up the operation in-place, meaning the same scatterlist serves as both input and output. The AAD and ciphertext are copied into the output buffer via memcpy_sglist — a real copy that only reads the page cache pages. However, the authentication tag at the end of the input scatterlist is not copied. Instead, the kernel chains those tag scatterlist entries directly onto the output scatterlist using sg_chain().
The result is an output scatterlist containing two regions: a legitimate user-controlled receive buffer holding the copied AAD and ciphertext, followed by the chained tag pages that still reference the original page cache pages of the target file. Both req->src and req->dst are set to the head of this combined chain. Page cache pages now sit inside a writable scatterlist, separated from the intended write region by nothing but an offset boundary that no enforcement mechanism protects.
The Trigger: authencesn's Scratch Write
The Linux AEAD API carries an implicit contract for decryption: the destination buffer receives only the plaintext output, and nothing outside that buffer is written. Every AEAD algorithm is expected to honor this boundary. The API does not enforce it, and it is not documented as a hard requirement.
authencesn breaks this silent invariant. During its decryption operation, it performs a small scratch write — 4 bytes — at a position calculated relative to the start of its scatterlist. When the authentication tag pages have been chained onto the output scatterlist in the manner described above, this scratch write lands inside the page cache of the spliced-in file rather than in the user's receive buffer. The write is deterministic: an attacker who controls the splice offset and the authentication tag length controls precisely where those 4 bytes land within the target file's cached pages.
A local unprivileged user can exploit this by targeting the page cache of a setuid binary such as /usr/bin/sudo or /bin/su. By overwriting 4 bytes at the right offset, the attacker modifies the binary's in-memory behavior without altering the on-disk copy. Because the page cache is what execve() reads, the corrupted version executes immediately system-wide for any user who invokes the binary.
Affected Systems and Scope
The authencesn template and AF_ALG socket interface have been present in the mainline Linux kernel since at least 2017. Every distribution that ships a kernel from that era onward is affected if it includes AF_ALG support — which is essentially all of them by default. Confirmed affected distributions include:
- Ubuntu (all supported LTS and non-LTS releases)
- Amazon Linux 2 and Amazon Linux 2023
- Red Hat Enterprise Linux (RHEL) and CentOS Stream
- SUSE Linux Enterprise and openSUSE
The cross-container impact significantly amplifies the risk in cloud and enterprise environments. Because the Linux page cache is shared across namespaces, a compromised container running as an unprivileged user can use Copy Fail to corrupt the page cache of the container host's setuid binaries, achieving a full container escape without any container runtime vulnerability. Kubernetes node compromise is a direct downstream consequence. Xint Code has indicated that Part 2 of their disclosure series will detail this Kubernetes attack path.
Detection and Stealth Characteristics
Standard file integrity monitoring solutions that hash on-disk content — including tools like AIDE, Tripwire, and most EDR file-system watchers — will not detect a Copy Fail attack. The on-disk inode and file data are never written. The kernel does not mark the affected page dirty for writeback, so no write I/O is issued and no journal entry is generated. The attack surface visible to defenders is limited to:
- AF_ALG socket creation followed by unusual splice sequences in system call traces
- In-memory page cache integrity checks (not performed by most standard tools)
- eBPF-based monitoring of
algif_aeadoperations correlated with splice syscalls against executable files
Organizations relying solely on file hash comparisons against a known-good baseline should treat any unpatched system as potentially compromised if it has been accessible to local unprivileged users.
Remediation
The fix addresses the root cause by ensuring that authencesn does not perform any writes outside the designated output buffer during decryption, eliminating the out-of-bounds scratch write. Kernel maintainers have accepted the patch. Distribution vendors are issuing updates through their standard security channels.
All systems running Linux kernel versions that include the authencesn AEAD template should apply available security updates immediately. Given the zero-prerequisites nature of this exploit and the availability of a public PoC, treat this as an urgent patch priority on any multi-user or container-hosting system.
Immediate mitigation steps for organizations that cannot patch immediately include:
- Restrict AF_ALG socket creation using seccomp filters or LSM policies where feasible
- Deploy kernel live-patching solutions if available for your distribution
- Monitor for unusual AF_ALG + splice syscall combinations in EDR or auditd logs
- Consider restricting local shell access on sensitive or multi-tenant systems until patching is complete
How It Was Found: AI-Assisted Vulnerability Research
Copy Fail was AI-assisted research, beginning with an insight from Theori researcher Taeyang Lee, who was studying how the Linux crypto subsystem interacts with page-cache-backed data. He used Xint Code to scale his analysis across the entire crypto subsystem, and Copy Fail was the most critical finding in the resulting report. This disclosure is an early example of AI tooling meaningfully accelerating deep kernel vulnerability research — a trend security teams should expect to see more of on both the offensive and defensive sides.
Conclusion
CVE-2026-31431 Copy Fail is among the most impactful Linux kernel privilege escalation vulnerabilities disclosed in years. Its combination of portability, determinism, stealth, and cross-container scope makes it a high-priority remediation target for any organization running Linux, from single servers to sprawling Kubernetes clusters. The 732-byte exploit sets a new low bar for the effort required to go from unprivileged shell access to root — and the in-memory-only nature of the attack means defenders relying on file integrity tooling alone are flying blind. Patch immediately, monitor for AF_ALG abuse, and watch for Part 2 of Xint Code's disclosure covering the full Kubernetes node escape chain.