CVE-2026-31431 "Copy Fail": What You Need to Know
On April 29, 2026, researchers at Theori publicly disclosed CVE-2026-31431, a high-severity Linux kernel vulnerability rated CVSS 7.8 and nicknamed "Copy Fail." The flaw resides in the algif_aead userspace cryptography interface and enables any unprivileged local user to corrupt the page cache backing setuid binaries — achieving a root shell in seconds. Working exploits have been confirmed against Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16. For organizations running Linux workloads in the cloud or on-premises, this vulnerability demands immediate attention.
Root Cause: A Nine-Year-Old Optimization Gone Wrong
The vulnerability traces back to 2017, when commit 72548b093ee3 switched AEAD (Authenticated Encryption with Associated Data) operations to in-place processing inside the kernel's algif_aead module. This optimization set req->src = req->dst and chained tag pages from the source scatterlist into the output scatterlist via sg_chain().
The problem surfaces when userspace feeds the AF_ALG socket through splice(). Those tag pages end up referencing the page cache of the spliced file rather than a private kernel buffer. The authencesn(hmac(sha256),cbc(aes)) algorithm then writes four bytes at offset assoclen + cryptlen as scratch space for Extended Sequence Number rearrangement — and because the output scatterlist now extends into page cache pages, that write lands directly inside the in-memory representation of the spliced file, bypassing all file permission checks.
A fix was included in the patch series ending with commit fafe0fa2995a in early April 2026, effectively reverting the near decade-old in-place optimization.
Affected Versions
- Vulnerable: Linux kernel 4.14 through 7.0-rc; all 6.18.x prior to 6.18.22; all 6.19.x prior to 6.19.12
- Fixed: Linux 7.0, 6.19.12, 6.18.22
- Downstream backports at risk: Older LTS lines including 6.12.x, 6.6.x, 5.15.x, and 5.10.x
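The version ranges above, turned into a check that can be run against `uname -r` across a fleet. This is an added example, not code from the advisory or from Theori; the ranges are copied from the list above and the result labels are this example's own. Its main caveat is the one the list itself raises: a distribution kernel with a backported fix keeps its old upstream version string, so any result other than FIXED has to be confirmed against the vendor advisory.

```python
"""Classify a kernel release string against the CVE-2026-31431 ranges.

Added example, not part of the advisory or of the Theori PoC. The ranges
come from the advisory text: vulnerable from 4.14 up to and including the
7.0 release candidates; fixed in 7.0, 6.19.12 and 6.18.22; older LTS lines
(6.12.x, 6.6.x, 5.15.x, 5.10.x) fixed only through stable/distro backports.
A vendor kernel that backported the fix still reports the old upstream
version, so this check can only say VULNERABLE_UNLESS_BACKPORTED for it.
"""
import platform
import re

# Upstream point releases that carry the fix, keyed by series (from the advisory).
FIXED_IN = {(6, 18): (6, 18, 22), (6, 19): (6, 19, 12)}
# 2017 commit 72548b093ee3 landed in 4.14; earlier kernels lack the in-place path.
FIRST_VULNERABLE = (4, 14, 0)

# major.minor[.patch][-rcN], anything after that (distro suffix) is ignored.
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release):
    """Parse a uname -r string such as '6.18.21-generic' or '7.0.0-rc3'.

    Returns (major, minor, patch, rc); rc is None for a final release.
    """
    m = _VER_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    rc = int(m.group(4)) if m.group(4) else None
    return major, minor, patch, rc


def classify(release):
    """Return one of:
    NOT_AFFECTED                 older than 4.14
    FIXED                        upstream release that contains the fix
    VULNERABLE                   fixed series, but below the fixed point release
    VULNERABLE_UNLESS_BACKPORTED series with no upstream fix listed in the
                                 advisory; only a distro/stable backport helps
    """
    major, minor, patch, rc = parse_release(release)
    ver = (major, minor, patch)
    if ver < FIRST_VULNERABLE:
        return "NOT_AFFECTED"
    if (major, minor) in FIXED_IN:
        return "FIXED" if ver >= FIXED_IN[(major, minor)] else "VULNERABLE"
    if (major, minor) >= (7, 0):
        # 7.0-rcN is vulnerable; 7.0 final and everything after it carries the fix.
        if (major, minor) == (7, 0) and rc is not None:
            return "VULNERABLE"
        return "FIXED"
    # 4.14 .. 6.17, including the 6.12/6.6/5.15/5.10 LTS lines.
    return "VULNERABLE_UNLESS_BACKPORTED"


if __name__ == "__main__":
    running = platform.release()
    print(f"{running}: {classify(running)}")
```

Run it on each node; a RHEL or Ubuntu kernel with a backported fix will still come back as VULNERABLE_UNLESS_BACKPORTED, which is the cue to check the distribution's advisory rather than the upstream version.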
At the time of publication, CVE-2026-31431 has not been listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, but the availability of a public proof-of-concept significantly raises the risk profile.
How the Exploit Works
The public proof-of-concept (PoC) — available at theori-io/copy-fail-CVE-2026-31431 — is approximately 700 bytes of Python and chains three primitives:
- Step 1: Bind an AF_ALG socket to `authencesn(hmac(sha256),cbc(aes))`.
- Step 2: Use `splice()` to map page cache pages of `/usr/bin/su` (a setuid binary) into the crypto pipeline.
- Step 3: Issue a `recvmsg()` whose AAD bytes 4–7 supply the four-byte payload that the authencesn scratch write deposits into the target page.
The HMAC verification fails as expected — but the corruption in the page cache persists. Repeating the primitive at successive offsets allows the attacker to stage a small shellcode into the cached pages of /usr/bin/su. Executing su afterward runs the patched binary from cache and yields a root shell. The attacker has full control over the target file, the write offset, and the four-byte payload value.
Copy Fail vs. Dirty Pipe: A Key Comparison
Security professionals familiar with Dirty Pipe (CVE-2022-0847) will notice surface-level similarities — both abuse kernel page cache corruption to escalate privileges. However, the differences are significant:
- Dirty Pipe required precise pipe buffer manipulation and version-specific targeting, with timing-sensitive races that could cause instability.
- Copy Fail is a straight-line logic flaw. It triggers reliably across distributions without race conditions or crash-prone timing windows, using only standard syscalls: `socket`, `setsockopt`, `splice`, `sendmsg`, and `recvmsg`.
Because it depends solely on an algorithm present in default kernel configurations and requires no additional kernel modules, Copy Fail works on unmodified enterprise distributions out of the box.
Impact and Attack Scenario
Any local unprivileged user on a vulnerable kernel can achieve full root access. There is no standalone remote vector — an attacker must first obtain code execution on the target machine, whether through direct access, a compromised container, or a prior vulnerability such as a web application exploit. Once that initial foothold exists, Copy Fail provides a near-instant, reliable path to root.
Cloud environments are particularly relevant: multi-tenant systems, shared CI/CD runners, and container hosts where workloads from different teams share a kernel are all exposed if the host kernel is unpatched. A compromised container that escapes namespacing, or a low-privilege developer with shell access, can become root before a detection alert fires.
Detection: Falco and Sysdig Secure
The Sysdig Threat Research Team has analyzed CVE-2026-31431 and deployed runtime detection. Sysdig Secure customers are automatically covered by the rule "AF_ALG Page Cache Poisoning Leading to Privilege Escalation" within the Sysdig Runtime Behavioral Analytics managed policy.
For open source Falco users, detection centers on identifying unexpected processes creating AF_ALG sockets, the mandatory first step of this exploit. The socket type carries no signal of its own: the kernel only accepts AF_ALG sockets of type SOCK_SEQPACKET (alg_create() rejects any other type with ESOCKTNOSUPPORT), so legitimate hashing and symmetric-cipher users of the interface create exactly the same kind of socket as the exploit. What separates the two is the allowlist of binaries expected to use AF_ALG at all; known legitimate ones include cryptsetup, systemd-cryptsetup, veritysetup, and the kcapi-* utilities.
The Falco rule flags any process outside that known allowlist that creates an AF_ALG AEAD kernel crypto socket, capturing the process name, parent process, user, PID, and executable path. Note that environments using Kernel TLS (kTLS) may require tuning, as kTLS adoption is increasing and can produce similar socket activity from legitimate processes.
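The same heuristic expressed as an added example for hosts that run auditd rather than Falco; it is not Sysdig's rule and not Falco rule syntax. It scans audit SYSCALL records for socket() calls with domain AF_ALG (38) and type SOCK_SEQPACKET (5, after masking off the SOCK_CLOEXEC and SOCK_NONBLOCK flag bits) and reports every caller whose executable is outside the allowlist, carrying the same process name, parent, user, PID and executable path the Falco rule captures. The audit lines are constructed for the example and assume x86_64, where socket is syscall 41.

```python
"""Flag unexpected AF_ALG socket creation in Linux audit SYSCALL records.

Added example, not Sysdig's Falco rule: it reimplements the same heuristic
for hosts that collect auditd logs. Assumes x86_64 (socket = syscall 41) and
the Linux constants AF_ALG = 38, SOCK_SEQPACKET = 5; audit prints the
syscall arguments a0..a3 in hex. The sample records below are constructed.
"""
import os
import re
from collections import namedtuple

AF_ALG = 38
SOCK_SEQPACKET = 5
SOCK_TYPE_MASK = 0xF            # drops SOCK_CLOEXEC (0x80000) / SOCK_NONBLOCK (0x800)
SYSCALL_SOCKET_X86_64 = "41"

# Executables expected to use AF_ALG (names from the advisory's allowlist).
ALLOWLIST = {"cryptsetup", "systemd-cryptsetup", "veritysetup"}
ALLOW_PREFIXES = ("kcapi-",)

Finding = namedtuple("Finding", "pid ppid uid comm exe")

# key=value pairs; quoted values may contain spaces and escaped quotes.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_record(line):
    """Turn one 'type=SYSCALL ... key=value ...' audit line into a dict."""
    fields = {}
    for key, val in _KV_RE.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields


def is_allowlisted(exe):
    """Match on the executable path's basename rather than comm, since a
    process can rename its comm with prctl(PR_SET_NAME)."""
    name = os.path.basename(exe or "")
    return name in ALLOWLIST or name.startswith(ALLOW_PREFIXES)


def detect_af_alg(lines):
    """Return a Finding for each socket(AF_ALG, SOCK_SEQPACKET, ...) call made
    by a process outside the allowlist."""
    findings = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") != SYSCALL_SOCKET_X86_64:
            continue
        try:
            domain = int(rec["a0"], 16)
            sock_type = int(rec["a1"], 16) & SOCK_TYPE_MASK
        except (KeyError, ValueError):
            continue
        if domain != AF_ALG or sock_type != SOCK_SEQPACKET:
            continue
        exe = rec.get("exe")
        if is_allowlisted(exe):
            continue
        findings.append(Finding(rec.get("pid"), rec.get("ppid"), rec.get("uid"),
                                rec.get("comm"), exe))
    return findings


# Constructed audit records: an unprivileged python3 and a CI runner opening
# AF_ALG SEQPACKET sockets, cryptsetup doing the same legitimately, and an
# ordinary AF_INET TCP socket from curl.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1777420800.101:2001): arch=c000003e syscall=41 success=yes exit=3 '
    'a0=26 a1=5 a2=0 a3=0 items=0 ppid=1400 pid=1412 auid=1000 uid=1000 gid=1000 euid=1000 '
    'comm="python3" exe="/usr/bin/python3.12" key="af_alg"',
    'type=SYSCALL msg=audit(1777420800.102:2002): arch=c000003e syscall=41 success=yes exit=4 '
    'a0=26 a1=80005 a2=0 a3=0 items=0 ppid=1 pid=731 auid=4294967295 uid=0 gid=0 euid=0 '
    'comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="af_alg"',
    'type=SYSCALL msg=audit(1777420800.103:2003): arch=c000003e syscall=41 success=yes exit=5 '
    'a0=2 a1=1 a2=6 a3=0 items=0 ppid=1400 pid=1413 auid=1000 uid=1000 gid=1000 euid=1000 '
    'comm="curl" exe="/usr/bin/curl" key="af_alg"',
    'type=SYSCALL msg=audit(1777420800.104:2004): arch=c000003e syscall=41 success=yes exit=3 '
    'a0=26 a1=80805 a2=0 a3=0 items=0 ppid=9 pid=2200 auid=1001 uid=1001 gid=1001 euid=1001 '
    'comm="runner" exe="/opt/ci/runner" key="af_alg"',
]

if __name__ == "__main__":
    for f in detect_af_alg(SAMPLE_AUDIT):
        print(f"AF_ALG socket from non-allowlisted process: {f}")
```

To produce matching records on a host, an audit rule of the form `auditctl -a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg` records only socket() calls whose first argument is AF_ALG. Both the allowlist here and the one in the Falco rule are path-based, so a copy of an attacker's binary named `cryptsetup` would pass; treat the allowlist as noise reduction, not as a trust boundary.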
Recommended Mitigations
- Patch immediately: Upgrade to Linux 7.0, 6.19.12, or 6.18.22. Track your distribution's security advisories for backported fixes to 6.12.x, 6.6.x, 5.15.x, and 5.10.x LTS lines.
- Restrict AF_ALG socket creation: Use seccomp profiles or SELinux/AppArmor policies to block `AF_ALG` socket creation for unprivileged workloads where crypto hardware offload via AF_ALG is not required.
- Deploy runtime detection: Enable Falco with the AF_ALG SEQPACKET detection rule or rely on Sysdig Secure's managed policy for automated coverage.
- Audit container hosts: Ensure shared-kernel environments — Kubernetes nodes, CI runners, multi-tenant VMs — are on patched kernels before any untrusted code executes.
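A seccomp profile for the second item in the list, as an added example and not a profile shipped by Sysdig or by any distribution. It uses the Docker/containerd seccomp JSON format. The `defaultAction` of SCMP_ACT_ALLOW is the weak setting to compare against (the stock default profile likewise allows `socket()` for every address family); the `socket` entry then returns EAFNOSUPPORT (errno 97) whenever the first argument is AF_ALG (38), which is exactly what an unprivileged caller sees on a kernel built without AF_ALG, so the exploit's first step fails before the kernel crypto code is reached. The file name `af-alg-deny.json` is this example's own.

```json
{
  "comment": "Added example: deny AF_ALG socket creation for workloads that do not use kernel crypto offload. Merge the socket entry into your base profile rather than shipping defaultAction ALLOW as-is.",
  "defaultAction": "SCMP_ACT_ALLOW",
  "archMap": [
    {
      "architecture": "SCMP_ARCH_X86_64",
      "subArchitectures": ["SCMP_ARCH_X86", "SCMP_ARCH_X32"]
    },
    {
      "architecture": "SCMP_ARCH_AARCH64",
      "subArchitectures": ["SCMP_ARCH_ARM"]
    }
  ],
  "syscalls": [
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 97,
      "args": [
        {
          "index": 0,
          "value": 38,
          "valueTwo": 0,
          "op": "SCMP_CMP_EQ"
        }
      ],
      "comment": "AF_ALG = 38; 97 = EAFNOSUPPORT, the error a kernel without AF_ALG returns"
    }
  ]
}
```

Apply it with `docker run --security-opt seccomp=af-alg-deny.json ...`, or in Kubernetes through `securityContext.seccompProfile` with `type: Localhost` pointing at the file on the node. Because the match is on the raw first argument of `socket()`, it catches the SEQPACKET socket the exploit needs regardless of any SOCK_CLOEXEC or SOCK_NONBLOCK bits in the type argument; on 32-bit x86 the legacy `socketcall` multiplexer must be blocked or matched separately, which is why the profile is only a stop-gap until the host kernel is patched.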
Conclusion
CVE-2026-31431 "Copy Fail" is a compelling example of how a well-intentioned performance optimization — dormant for nearly a decade — can become a critical security liability. Its reliability, low complexity, and broad distribution coverage make it one of the more dangerous local privilege escalation vulnerabilities disclosed in recent years. The availability of a public PoC means exploitation is not a theoretical concern. Organizations should treat patching as urgent, layer in runtime detection via Falco or a commercial equivalent, and review their exposure across any shared-kernel infrastructure immediately.