Summary

On April 29, 2026, researchers publicly disclosed CVE-2026-31431, a high-severity Linux kernel local privilege escalation flaw nicknamed "Copy Fail" and rated CVSS 7.8. The bug lives in the kernel's algif_aead userspace crypto interface and lets any unprivileged local user corrupt the page cache backing setuid binaries, producing a root shell in seconds. Working exploits have been confirmed on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16, and a roughly 700-byte public proof-of-concept is already available — making this one of the more dangerous Linux LPE bugs in recent memory.

What went wrong

The defect is a logic error that sat dormant in the kernel for almost a decade. Back in 2017, commit 72548b093ee3 moved AEAD (Authenticated Encryption with Associated Data) operations in algif_aead to in-place processing. That change set req->src = req->dst and used sg_chain() to splice the tag pages from the source scatterlist into the output scatterlist.

The danger appears when a process feeds an AF_ALG socket using splice(). Under that path, the tag pages no longer point at a private kernel buffer — they reference the page cache of the spliced file. When the authencesn(hmac(sha256),cbc(aes)) algorithm runs, it writes four bytes at offset assoclen + cryptlen as scratch space while rearranging the IPsec Extended Sequence Number. Because the output scatterlist now reaches into page-cache pages, that four-byte scratch write lands directly inside the in-memory copy of the spliced file — sidestepping every file permission check.

Critically, the AEAD operation fails (HMAC verification does not pass) and the kernel never marks the page dirty, so the on-disk file is untouched and integrity tools that checksum the disk see nothing. But it is the page cache, not the disk, that the kernel maps and executes, so the in-memory tampering is what matters.

The upstream fix shipped in early April 2026 in the series ending at commit fafe0fa2995a, which — as the NVD entry describes — reverts the in-place behavior: "crypto: algif_aead - Revert to operating out-of-place. This mostly reverts commit 72548b093ee3 except for the copying of the associated data."

Affected and fixed versions

  • Vulnerable: Linux kernel 4.14 through 7.0-rc; all 6.18.x before 6.18.22; all 6.19.x before 6.19.12
  • Fixed: Linux 7.0, 6.19.12, 6.18.22
  • Downstream backports at risk: older LTS lines including 6.12.x, 6.6.x, 5.15.x, and 5.10.x
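The ranges above translate into a simple triage rule for an inventory of `uname -r` strings. The following checker is an added example, not code from the advisory or from the kernel project: it classifies an upstream kernel version against the fixed releases named here (6.18.22, 6.19.12, 7.0) and flags 7.0-rc kernels as vulnerable. It judges by version number only; a distribution kernel on an LTS line may carry a backported fix that this cannot see, so those hosts return "vulnerable-unless-backported" and need the vendor advisory.

```python
import re

# Fixed point releases named in the advisory, keyed by stable line.
FIXED_IN = {(6, 18): 22, (6, 19): 12}
# First affected upstream release per the advisory.
FIRST_AFFECTED = (4, 14)


def parse_kernel_version(release: str):
    """Parse a `uname -r` style string into (major, minor, patch, is_rc).

    Handles forms such as '6.18.21-generic', '7.0.0-rc3', '7.0-rc1'
    and '5.15.0-118-generic'. Distro suffixes after the patch number
    are ignored.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[.-]?(rc\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    is_rc = m.group(4) is not None
    return major, minor, patch, is_rc


def upstream_status(release: str) -> str:
    """Classify a kernel release against the CVE-2026-31431 fixed versions.

    Returns one of: 'not-affected', 'fixed', 'vulnerable',
    'vulnerable-unless-backported'.
    """
    major, minor, patch, is_rc = parse_kernel_version(release)
    line = (major, minor)
    if line < FIRST_AFFECTED:
        return "not-affected"
    if major >= 7:
        # 7.0 final carries the fix; 7.0-rc kernels predate it.
        return "vulnerable" if (line == (7, 0) and is_rc) else "fixed"
    if line in FIXED_IN:
        return "fixed" if patch >= FIXED_IN[line] else "vulnerable"
    # 4.14 .. 6.17 stable lines: no upstream point release is named here,
    # so only a distribution backport can make these safe.
    return "vulnerable-unless-backported"


if __name__ == "__main__":
    import platform
    rel = platform.release()
    print(f"{rel}: {upstream_status(rel)}")
```

Run it on each host, or feed it a list of releases collected from a fleet; anything other than "fixed" or "not-affected" needs either an upgrade or a confirmed vendor backport.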

One timeline detail deserves attention: the original write-up stated that CVE-2026-31431 was not yet in the CISA Known Exploited Vulnerabilities catalog at publication. However, CISA added it to the KEV catalog on May 1, 2026, citing evidence of active exploitation, so it should now be treated as a known-exploited bug.

How the exploit works

The public PoC — published as theori-io/copy-fail-CVE-2026-31431 — is about 700 bytes of Python and chains three primitives:

  1. Bind an AF_ALG socket to authencesn(hmac(sha256),cbc(aes)).
  2. Splice the page-cache pages of a setuid binary such as /usr/bin/su into the crypto pipeline with splice().
  3. Trigger a recvmsg() whose AAD bytes 4–7 carry the four-byte payload that the authencesn scratch write deposits into the target page.

HMAC verification fails as designed, but the corruption already written into the page cache stays put. By repeating the primitive at successive offsets, an attacker stages small shellcode into the cached pages of /usr/bin/su. Running su afterward executes the poisoned cached copy and returns a root shell. The attacker controls the target file, the write offset, and the four-byte payload value. The exploit relies only on standard syscalls — socket, setsockopt, splice, sendmsg, and recvmsg — and on an algorithm present in default kernel configurations, so it works on unmodified enterprise distributions without recompilation or per-distro tuning.

A detection-only checker for sysadmins is available at liamromanis101/CVE-2026-31431-Copy-Fail---Vulnerability-Detection-Script, useful for finding hosts that are still vulnerable before or after patching.

Copy Fail vs. Dirty Pipe

Anyone who remembers Dirty Pipe (CVE-2022-0847) will spot the family resemblance: both abuse page-cache corruption to escalate privileges. The differences, though, are what make Copy Fail nastier:

  • Dirty Pipe depended on careful pipe-buffer manipulation, version-specific targeting, and timing-sensitive races that could destabilize the system.
  • Copy Fail is a straight-line logic flaw. It fires reliably across distributions with no race conditions and no crash-prone timing windows, using only ordinary syscalls and a default-enabled algorithm.

Impact and attack scenario

Any local unprivileged user on a vulnerable kernel can reach full root. There's no standalone remote vector — an attacker must already have code execution on the box, whether via direct access, a compromised container, or a prior bug such as a web-app exploit. Once that foothold exists, Copy Fail offers a near-instant, dependable route to root.

Shared-kernel and multi-tenant environments deserve particular concern. CI/CD runners, container hosts, and multi-tenant VMs where workloads from different teams share one kernel are all exposed if the host kernel is unpatched. A container that escapes its namespacing, or a low-privilege developer with shell access, can become root before any alert fires.

Detection

The Sysdig Threat Research Team analyzed the bug and shipped runtime detection: Sysdig Secure customers are covered automatically by the rule "AF_ALG Page Cache Poisoning Leading to Privilege Escalation" in the Sysdig Runtime Behavioral Analytics managed policy.

For open-source Falco users, detection focuses on spotting unexpected processes that open AF_ALG SOCK_SEQPACKET sockets — the mandatory first step of the exploit. The useful insight is that the SOCK_SEQPACKET socket type filters out almost all legitimate AF_ALG consumers (hashing and symmetric crypto), which use SOCK_DGRAM. Known-legitimate binaries include cryptsetup, systemd-cryptsetup, veritysetup, and the kcapi-* utilities. A Falco rule can flag any process outside that allowlist that creates an AF_ALG AEAD crypto socket, recording the process name, parent process, user, PID, and executable path. Environments using Kernel TLS (kTLS) may need tuning, since kTLS can generate similar socket activity from legitimate processes.
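The same allowlist logic works on audit records for hosts without Falco. The script below is an added example, not a Sysdig or Falco artifact: it scans auditd SYSCALL records for socket() calls with domain AF_ALG (38) and type SOCK_SEQPACKET (5), masks off SOCK_CLOEXEC/SOCK_NONBLOCK flags so a combined type value is still recognised, and raises an alert for any comm outside the allowlist named above. The sample records are constructed for the example; a real deployment would produce them with an audit rule such as `-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg`, and the syscall number 41 assumes x86_64.

```python
import re
from dataclasses import dataclass

AF_ALG = 38
SOCK_SEQPACKET = 5
SOCK_TYPE_MASK = 0xF            # low bits hold the type; higher bits are flags
SYS_SOCKET_X86_64 = 41          # socket() syscall number on x86_64 (assumed arch)

# Legitimate AF_ALG AEAD consumers named in the write-up.
ALLOWLIST = {"cryptsetup", "systemd-cryptsetup", "veritysetup"}
ALLOWLIST_PREFIXES = ("kcapi-",)

# Constructed auditd SYSCALL records for demonstration only.
SAMPLE_AUDIT_LINES = [
    # unprivileged python3 opening AF_ALG/SOCK_SEQPACKET -> alert
    'type=SYSCALL msg=audit(1714400000.101:501): arch=c000003e syscall=41 success=yes exit=3 '
    'a0=26 a1=5 a2=0 a3=0 ppid=4100 pid=4242 auid=1000 uid=1000 gid=1000 '
    'comm="python3" exe="/usr/bin/python3.12" key="af_alg"',
    # cryptsetup doing the same -> allowlisted
    'type=SYSCALL msg=audit(1714400000.102:502): arch=c000003e syscall=41 success=yes exit=4 '
    'a0=26 a1=5 a2=0 a3=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 '
    'comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="af_alg"',
    # AF_ALG with SOCK_DGRAM (hash/skcipher use) -> not the AEAD pattern
    'type=SYSCALL msg=audit(1714400000.103:503): arch=c000003e syscall=41 success=yes exit=3 '
    'a0=26 a1=2 a2=0 a3=0 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 '
    'comm="hashtool" exe="/usr/local/bin/hashtool" key="af_alg"',
    # SOCK_SEQPACKET | SOCK_CLOEXEC (0x80005) from an unknown binary -> alert
    'type=SYSCALL msg=audit(1714400000.104:504): arch=c000003e syscall=41 success=yes exit=5 '
    'a0=26 a1=80005 a2=0 a3=0 ppid=7000 pid=7001 auid=1001 uid=1001 gid=1001 '
    'comm="worker" exe="/tmp/worker" key="af_alg"',
    # ordinary AF_INET TCP socket -> ignored
    'type=SYSCALL msg=audit(1714400000.105:505): arch=c000003e syscall=41 success=yes exit=3 '
    'a0=2 a1=1 a2=6 a3=0 ppid=1 pid=1500 auid=4294967295 uid=0 gid=0 '
    'comm="sshd" exe="/usr/sbin/sshd"',
    # kcapi utility -> allowlisted by prefix
    'type=SYSCALL msg=audit(1714400000.106:506): arch=c000003e syscall=41 success=yes exit=3 '
    'a0=26 a1=5 a2=0 a3=0 ppid=3000 pid=3001 auid=0 uid=0 gid=0 '
    'comm="kcapi-enc" exe="/usr/bin/kcapi-enc" key="af_alg"',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Alert:
    pid: int
    ppid: int
    uid: int
    comm: str
    exe: str


def parse_audit_record(line: str) -> dict:
    """Split an audit record into key=value fields, unquoting quoted values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def is_aead_socket_open(fields: dict) -> bool:
    """True when the record is socket(AF_ALG, SOCK_SEQPACKET|flags, ...)."""
    if fields.get("type") != "SYSCALL":
        return False
    if fields.get("syscall") != str(SYS_SOCKET_X86_64):
        return False
    try:
        domain = int(fields["a0"], 16)   # audit logs syscall args in hex
        stype = int(fields["a1"], 16)
    except (KeyError, ValueError):
        return False
    return domain == AF_ALG and (stype & SOCK_TYPE_MASK) == SOCK_SEQPACKET


def is_allowlisted(comm: str) -> bool:
    return comm in ALLOWLIST or comm.startswith(ALLOWLIST_PREFIXES)


def scan(lines) -> list:
    """Return one Alert per non-allowlisted AF_ALG AEAD socket creation."""
    alerts = []
    for line in lines:
        fields = parse_audit_record(line)
        if not is_aead_socket_open(fields):
            continue
        comm = fields.get("comm", "")
        if is_allowlisted(comm):
            continue
        alerts.append(Alert(int(fields.get("pid", 0)), int(fields.get("ppid", 0)),
                            int(fields.get("uid", 0)), comm, fields.get("exe", "")))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_AUDIT_LINES):
        print(f"ALERT pid={a.pid} ppid={a.ppid} uid={a.uid} comm={a.comm} exe={a.exe}")
```

Over the constructed records this raises two alerts (the python3 process and the unknown worker binary) and stays quiet for cryptsetup, kcapi-enc, the SOCK_DGRAM hash user, and the TCP socket. As the text notes, hosts running kTLS may need additional allowlist entries.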

Mitigation

  • Patch now. Upgrade to Linux 7.0, 6.19.12, or 6.18.22, and track your distribution's advisories for backports to the 6.12.x, 6.6.x, 5.15.x, and 5.10.x LTS lines.
  • Restrict AF_ALG socket creation. Use seccomp profiles or SELinux/AppArmor policies to block AF_ALG socket creation for unprivileged workloads that don't need crypto hardware offload via AF_ALG.
  • Deploy runtime detection. Enable Falco with the AF_ALG SEQPACKET rule, or rely on Sysdig Secure's managed policy.
  • Audit shared-kernel hosts. Confirm Kubernetes nodes, CI runners, and multi-tenant VMs are on patched kernels before any untrusted code runs.

Bottom line

CVE-2026-31431 "Copy Fail" shows how a well-intentioned performance optimization can lie dormant for nearly ten years and then become a critical liability. Its reliability, low complexity, and broad distribution coverage put it among the most serious local privilege escalation flaws disclosed recently, and with a public PoC available — plus its addition to CISA's KEV catalog — exploitation is no longer theoretical. Patch urgently, layer in runtime detection, and review exposure across every shared-kernel system without delay.