The bug that hid in Linux for nine years
Sources: Xint Research · Theori · Microsoft Security Blog · Sysdig TRT · CERT-EU · AlmaLinux · Help Net Security · Sophos CTU · Bugcrowd · CISA KEV | CVE: CVE-2026-31431 | CVSS: 7.8 High | PoC: Public 732-byte Python script | CISA KEV: Yes — April 29, 2026
The bug that hid in Linux for nine years
In 2017, a Linux kernel developer made a perfectly reasonable performance optimization. AEAD cryptographic operations were switched to in-place processing — reusing source memory as the destination during encryption to avoid an unnecessary copy. It was a sensible change, reviewed and merged without controversy. Nobody noticed that in a specific interaction with the AF_ALG userspace crypto socket interface and the splice() system call, this optimization created a logic flaw that would sit dormant in every major Linux kernel for nearly nine years.
On April 29, 2026, researchers at Theori and Xint Code disclosed CVE-2026-31431, nicknamed Copy Fail. The vulnerability lets any unprivileged local user escalate to root in seconds using a 732-byte Python script that requires no compiled code, no additional software, no race condition timing, and leaves no trace on disk. It works unmodified on Ubuntu, Amazon Linux, RHEL, SUSE, Debian, Fedora, Rocky Linux, and every other mainstream Linux distribution shipped since 2017. CISA added it to its Known Exploited Vulnerabilities catalog the same day. A fully working public proof-of-concept is available right now.
| Field | Detail |
|---|---|
| CVE | CVE-2026-31431 |
| Nickname | Copy Fail |
| CVSS | 7.8 High |
| Vulnerability class | Local privilege escalation — logic bug in algif_aead / AF_ALG |
| Bug introduced | 2017 — commit 72548b093ee3 (in-place AEAD optimization) |
| Disclosed | April 29, 2026 — Theori / Xint Code |
| Affected kernels | Linux 4.14 through 7.0-rc (all since July 2017) |
| Affected distros | Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, SUSE 16, Debian, Fedora, Rocky Linux, Arch, and more |
| Unaffected | Ubuntu 26.04 (Resolute) and later |
| Public PoC | Yes — 732-byte Python script, works unmodified across all affected distros |
| Race condition required | No — deterministic, works every time |
| Disk forensic trace | None — exploit operates entirely in memory |
| Container escape | Yes — page cache is shared across container boundaries |
| CISA KEV listed | Yes — April 29, 2026 |
| Kernel fix | Patched in Linux 6.18.22, 6.19.12, and 7.0 |
Why Copy Fail is different from every Linux LPE before it
Dirty Cow (CVE-2016-5195) required winning a race condition — it sometimes crashed the system. Dirty Pipe (CVE-2022-0847) was version-specific and needed precise pipe buffer manipulation. Copy Fail is neither. It is a straight-line logic flaw: deterministic, portable, and tiny. The exact same 732-byte Python script — using only standard library modules — produces root on Ubuntu, Amazon Linux, RHEL, and SUSE without modification, recompilation, or version checks. Bugcrowd noted that this kind of universal, reliable primitive would have commanded up to $7 million on the gray-market exploit broker market before disclosure. It is now free and public.
The technical root cause: three reasonable changes, one catastrophic interaction
Theori traced the bug to the convergence of three individually sound kernel changes over six years:
- 2011: The
authencesnAEAD cryptographic wrapper is added for IPsec support. - 2015: AF_ALG AEAD socket support is introduced, giving unprivileged userspace access to the kernel’s crypto subsystem through a standard socket.
- 2017: An in-place optimization is added to
algif_aead.c— AEAD operations now reuse source memory as the destination. This commit introduced the bug.
None of these changes was wrong on its own. But together, they allowed authencesn‘s scratch-write — a small intermediate write during cryptographic processing — to land on a kernel page cache page that the attacker controls. The page cache is the kernel’s in-memory representation of files on disk. A controlled write there corrupts a file’s in-memory content without ever touching the on-disk version. File integrity tools that monitor disk writes see nothing.
The five-step exploit chain
Step 1 — Splice a setuid binary into an AF_ALG socket
The attacker opens an AF_ALG AEAD socket (available to any unprivileged user in default kernel configurations) and uses splice() to transfer a readable setuid binary — such as /usr/bin/su — through a pipe into the socket’s input. Because splice() transfers pages by reference rather than copying them, the socket’s input scatterlist now holds direct references to the kernel’s cached pages of that binary.
Step 2 — Trigger the authencesn scratch write into the page cache
The attacker invokes a cryptographic operation. Due to the 2017 in-place optimization, authencesn writes scratch data directly into the scatterlist — which points to the page cache pages of the target binary. This produces a controlled 4-byte overwrite of the in-memory binary. The write happens entirely inside the kernel, entirely in memory. No file on disk is touched. No disk I/O occurs.
Step 3 — Execute the corrupted binary to get root
With a controlled 4-byte write into the in-memory setuid binary, the attacker targets kernel structures associated with credentials or execution context. Corrupting the right bytes causes the binary to yield root privileges on execution — completing the transition from unprivileged user to UID 0 without triggering file write alerts and leaving no forensic artifact on disk.
Step 4 — SELinux and AppArmor neutralized
Kernel trust boundaries are now broken. SELinux and AppArmor protections are effectively neutralized because the exploit operates at a layer below their enforcement. Local security controls depending on kernel integrity are bypassed.
Step 5 — Container escape and Kubernetes node compromise
The Linux page cache is shared across all processes on a host — including across container boundaries. Copy Fail is not just a local privilege escalation. It is a container escape primitive. An attacker with code execution inside a container — from a compromised application, malicious CI job, or SSH foothold — can use Copy Fail to escape and compromise the underlying host kernel. On a Kubernetes node, that means pivoting to the rest of the cluster.
Who is at risk
The scope is almost unprecedented. Every mainstream Linux distro shipping a kernel since July 2017 is affected. Confirmed vulnerable: Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, SUSE 16, Rocky Linux 9.7, Debian, Fedora, Arch Linux. Only confirmed unaffected: Ubuntu 26.04 (Resolute) and later. Microsoft Defender described the impact as affecting a significant portion of cloud Linux workloads and millions of Kubernetes clusters.
Highest-risk environments:
- Multi-tenant Linux hosts where untrusted users have shell access
- Kubernetes clusters and container build farms — container escape = node/cluster compromise
- CI/CD runners executing code from pull requests or external contributors
- Shared web hosting where customers share an underlying kernel
- Cloud VMs where any web RCE chains to full host compromise via Copy Fail
Remediation — what actually works (and what doesn’t)
The correct fix: apply your distro’s kernel update
- AlmaLinux:
sudo dnf clean metadata && sudo dnf upgrade && sudo reboot - Ubuntu:
sudo apt update && sudo apt upgrade && sudo reboot(26.04 is unaffected) - Amazon Linux:
sudo yum update kernel && sudo reboot - RHEL / CentOS Stream: Monitor Red Hat security advisories — errata still in progress at time of writing
- SUSE:
sudo zypper update && sudo reboot - KernelCare users: Live patch delivered automatically — verify with
kcarectl --info | grep CVE-2026-31431. No reboot required.
⚠️ The modprobe blacklist workaround does NOT work on RHEL-family systems
The widely shared mitigation — adding install algif_aead /bin/false to /etc/modprobe.d/ and running rmmod algif_aead — does not work on RHEL, AlmaLinux, CloudLinux, or any RHEL-family system. On these distros, algif_aead is built directly into the kernel (CONFIG_CRYPTO_USER_API_AEAD=y), not compiled as a loadable module. The commands complete without error while leaving the system fully vulnerable. Applying this workaround on a RHEL-family system provides a false sense of security. Update your kernel.
Detection with Falco / Sysdig
Sysdig has deployed the AF_ALG Page Cache Poisoning Leading to Privilege Escalation rule in its Runtime Behavioral Analytics managed policy. Open-source Falco users can use Sysdig’s published rule: flag any AF_ALG socket opened with SOCK_SEQPACKET type — this filters out the majority of legitimate AF_ALG use (which uses SOCK_DGRAM) and is a strong indicator of Copy Fail exploitation.
Found by AI — again
Like CVE-2026-3854 (yesterday’s GitHub RCE), Copy Fail was discovered by AI-assisted tooling. Xint Code surfaced this nine-year-old bug with one operator prompt and approximately one hour of scan time against the Linux crypto subsystem. Bugcrowd drew the uncomfortable conclusion: the skill curve for using a serious vulnerability discovery tool is starting to look a lot more like the skill curve for reading its output. Tools like this are now finding bugs that went undetected for nearly a decade in code reviewed by thousands of experienced kernel developers. The discovery window for dormant vulnerabilities is collapsing — on both sides of the security equation.
Sources and further reading
- Xint Research — Copy Fail: 732 Bytes to Root on Every Major Linux Distribution
- Microsoft Security Blog — CVE-2026-31431: Copy Fail Enables Linux Root Privilege Escalation
- Sysdig TRT — Copy Fail: Linux Kernel Flaw Lets Local Users Gain Root in Seconds
- CERT-EU — Security Advisory: Copy Fail Linux Kernel Vulnerability
- Help Net Security — Nine-year-old Linux kernel flaw enables reliable local privilege escalation
- AlmaLinux — Copy Fail (CVE-2026-31431) Patches Released
- Bugcrowd — What We Know About Copy Fail
DataWater publishes a daily cybersecurity threat brief. Article #5 — see also: PyTorch Lightning (Apr 30) · Cordial/Snarky Spider (May 1) · BufferZoneCorp (May 2) · CVE-2026-3854 GitHub RCE (May 3).
