Recently, a high-severity local privilege escalation vulnerability (codenamed Copy Fail, CVE-2026-31431) has been disclosed in the Linux kernel. Discovered by the Xint Code Research Team, this is a subtle and easily triggered kernel logic flaw that allows attackers to perform stable, deterministic privilege escalation.
Full proof-of-concept (PoC) exploit code is now publicly available. The vulnerability has existed for nearly a decade (since 2017) and affects all major Linux distributions, posing an extremely high risk to cloud servers, container hosts, and multi-tenant environments.
1. Vulnerability Details
1.1 Root Cause
The vulnerability stems from a logic defect in the authencesn module within the Linux kernel crypto subsystem. When an attacker uses an AF_ALG socket together with the splice() system call, page cache references of target files are exposed to a writable scatterlist. This allows an unprivileged local user to perform a precise 4-byte out-of-bounds write to the page cache of any readable file on the system (e.g., the setuid su binary).
1.2 Vulnerability Characteristics
- Deterministic Exploitation: Unlike race-condition vulnerabilities such as Dirty Cow, Copy Fail requires no race window, runs reliably, and does not crash the system.
- Stealthy Modification: The flaw only modifies in-memory page cache; the kernel does not mark pages as “dirty” or write them back to disk. Thus, on-disk file integrity remains unchanged.
- Easy to Exploit: The exploit is a 732-byte pure-Python script with no compilation required, working across architectures and distributions.
2. Impact
1. Local Privilege Escalation: Any unprivileged local user can exploit this flaw to tamper with high-privilege processes (e.g., /usr/bin/su) and directly gain full root privileges.
2. Container Escape & Cross-Tenant Attacks: Since the OS page cache is shared between the host and all containers, an attacker inside a container with appropriate syscall permissions can tamper with the host's page cache, escape the container, and take over the entire Kubernetes node or host.
3. High-Risk Environment Threats: It severely bypasses isolation boundaries on multi-user shared hosts, development machines, CI/CD runners (e.g., GitHub Actions, GitLab Runner sandboxes), Serverless platforms, and other multi-tenant cloud services.
3. Affected Versions
All Linux systems with kernel commits between 72548b093ee3 (introduced August 9, 2017) and a664bf3d603d (fixed March 31, 2026) are vulnerable. Systems with the algif_aead module enabled or loadable on demand are affected.
Known Affected Major Distributions
Ubuntu 24.04 LTS and earlier
Amazon Linux 2023 and earlier
Red Hat Enterprise Linux (RHEL) 8 / 9 / 10 and earlier
SUSE 16 and earlier
Debian, Arch, Fedora, Rocky, Alma, Oracle, openEuler, and other distributions with matching kernel versions
Unaffected Versions
Mainline kernel: 7.0 and above
Stable: 6.18.22 and above
Stable: 6.19.12 and above
Currently Supported Vulnerable Kernel Branches
All 6.12.x
All 6.6.x
All 6.1.x
All 5.15.x
All 5.10.x
4. Detection Methods
1. Check Kernel Version: Run uname -r to verify your kernel version and compare it against the official fixed releases listed in section 3.
2. Check Kernel Module: Verify whether algif_aead is loaded or loadable:
    lsmod | grep algif_aead
    # OR
    lsof | grep AF_ALG
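The two checks above can be combined into one script. The following is an added example for this advisory, not code from the advisory itself or from Xint Code: it classifies a kernel release string against the upstream fixed releases named in section 3 (stable 6.18.22 and above, stable 6.19.12 and above, mainline 7.0 and above) and reports whether algif_aead is currently loaded, built into the kernel, blocked via modprobe.d, loadable, or absent. The version boundaries are taken from the advisory; the parsing and the module checks are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or Xint Code): kernel-version and
# algif_aead module checks for the Copy Fail advisory.

# kernel_is_fixed RELEASE
# Returns 0 when RELEASE is at or above one of the upstream fixed releases
# listed in the advisory (6.18.22, 6.19.12, 7.0), 1 otherwise.
# A return of 1 does not prove the host is vulnerable: distributions ship
# backported fixes under older version numbers, which only the vendor's
# changelog or security tracker can confirm.
kernel_is_fixed() {
    base=${1%%-*}                # "6.18.22-generic" -> "6.18.22"
    base=${base%%+*}             # drop "+" local-version suffixes
    set -- $(printf '%s\n' "$base" | tr '.' ' ')   # split on dots
    major=${1:-0}; major=${major%%[!0-9]*}; major=${major:-0}
    minor=${2:-0}; minor=${minor%%[!0-9]*}; minor=${minor:-0}
    patch=${3:-0}; patch=${patch%%[!0-9]*}; patch=${patch:-0}
    [ "$major" -ge 7 ] && return 0     # mainline 7.0 and above
    [ "$major" -lt 6 ] && return 1     # 5.15.x / 5.10.x branches
    case "$minor" in
        19) [ "$patch" -ge 12 ] ;;     # stable 6.19.12 and above
        18) [ "$patch" -ge 22 ] ;;     # stable 6.18.22 and above
        *)  return 1 ;;                # 6.12.x / 6.6.x / 6.1.x: no fixed
                                       # upstream release in the advisory
    esac
}

# algif_aead_state
# Prints one word describing the module on this host:
# loaded, builtin, blocked, loadable, or absent.
algif_aead_state() {
    if lsmod 2>/dev/null | grep -q '^algif_aead[[:space:]]'; then
        echo loaded          # reachable right now
    elif grep -qs 'algif_aead\.ko' "/lib/modules/$(uname -r)/modules.builtin"; then
        echo builtin         # needs the initcall_blacklist boot parameter
    elif grep -Eqs '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]' \
            /etc/modprobe.d/*.conf 2>/dev/null; then
        echo blocked         # "install algif_aead /bin/false" is in place
    elif modinfo algif_aead >/dev/null 2>&1; then
        echo loadable        # auto-loaded on the first AF_ALG request
    else
        echo absent
    fi
}

# report_host: one-line summary for the running kernel.
report_host() {
    release=$(uname -r)
    if kernel_is_fixed "$release"; then
        printf 'kernel %s: at or above an upstream fixed release\n' "$release"
    else
        printf 'kernel %s: no upstream fix implied by version; algif_aead is %s\n' \
            "$release" "$(algif_aead_state)"
    fi
}

report_host
```

A result of "blocked" only means future loads are refused; if the module was already loaded when the modprobe.d entry was written, the rmmod and drop_caches steps in section 5.2 are still required.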
5. Remediation & Mitigation
5.1 Immediate Kernel Update (Recommended)
Major Linux vendors are releasing kernel patches. Update and reboot as soon as patches become available.
    # Ubuntu / Debian
    apt update && apt upgrade linux-image-$(uname -r)
    # RHEL / CentOS / Rocky / Alma
    dnf update kernel
    # Amazon Linux
    yum update kernel
    # SUSE
    zypper update kernel-default
Current Patch Status:
Debian: All supported versions remain unpatched — use mitigations below.
Ubuntu: Only 26.04 LTS is unaffected; others unpatched — use mitigations.
RHEL 8/9/10: Unpatched — use mitigations (RHEL 6/7 are unaffected).
openEuler: Confirmed vulnerable on 24.03 / 24.03-LTS-SP3; under investigation — use mitigations.
SUSE 12–16: Mostly unpatched — use mitigations (partial fixes in 15.6 / 15 SP6 / 16.0).
5.2 Temporary Mitigation (Disable Vulnerable Module)
If you cannot reboot or update the kernel immediately, block the vulnerable module as root:
    # Prevent module loading
    echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
    # Unload if currently loaded (safe to ignore error if not loaded)
    rmmod algif_aead
    # Clear page cache to invalidate tampered cache entries
    sync && echo 3 > /proc/sys/vm/drop_caches
If the module is built-in (e.g., Rocky Linux 8):
1. Edit /etc/default/grub and add to GRUB_CMDLINE_LINUX:
    initcall_blacklist=algif_aead_init
2. Regenerate the GRUB config:
    grub2-mkconfig -o /boot/grub2/grub.cfg
3. Reboot the system.
5.3 Container Environment Hardening
For containers or Kubernetes clusters running untrusted workloads, block AF_ALG socket creation inside containers using a Seccomp profile or equivalent security policy.
Note: Disabling algif_aead does not affect standard crypto services such as dm-crypt/LUKS, IPsec, SSH, or default OpenSSL builds. Only rare user-space applications explicitly requiring AF_ALG may be impacted.
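As an added example for the container hardening in section 5.3 (not a profile shipped by the advisory, Xint Code, or any container runtime), the script below writes a Docker-style seccomp profile that makes socket() fail with EPERM whenever the address family is AF_ALG and allows every other syscall. Assumptions: AF_ALG is 38 (the value in <linux/socket.h>), the runtime honours the errnoRet field (Docker and containerd do), and the listed architectures expose a native socket() syscall (32-bit x86 multiplexes it through socketcall and is not covered by this rule).

```shell
#!/bin/sh
# Added example (not from the advisory or any runtime's default profile):
# a seccomp profile that denies socket(AF_ALG, ...) inside a container.

# write_af_alg_profile PATH: writes the profile JSON to PATH.
write_af_alg_profile() {
    cat > "$1" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1,
      "args": [
        { "index": 0, "value": 38, "op": "SCMP_CMP_EQ" }
      ],
      "comment": "deny socket(AF_ALG, ...); AF_ALG == 38 on Linux"
    }
  ]
}
EOF
}

# profile_denies_af_alg PATH: returns 0 when PATH contains a socket rule
# matching argument 0 == 38, 1 otherwise (a sanity check before rollout).
profile_denies_af_alg() {
    grep -q '"names": \["socket"\]' "$1" && grep -q '"value": 38' "$1"
}

profile=${TMPDIR:-/tmp}/deny-af-alg.json
write_af_alg_profile "$profile"
profile_denies_af_alg "$profile" && printf 'wrote %s\n' "$profile"

# Usage with Docker (IMAGE is a placeholder for your image name):
#   docker run --security-opt seccomp="$profile" IMAGE
# On Kubernetes, copy the file under the kubelet seccomp directory and set
# securityContext.seccompProfile to type Localhost with that relative path.
```

The defaultAction of SCMP_ACT_ALLOW keeps the example minimal; in production the rule is normally merged into the runtime's default profile rather than replacing it. The profile only stops new AF_ALG sockets from being created inside the container; because the page cache is shared with the host, blocking or updating algif_aead on the host (sections 5.1 and 5.2) remains the definitive fix.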
6. References
Copy.fail official site: https://copy.fail/
Xint Code technical analysis: https://xint.io/blog/copy-fail-linux-distributions
OSS-SEC mailing list: https://seclists.org/oss-sec/2026/q2/283
CNVD advisory: https://www.cnvd.org.cn/webinfo/show/12336
If there are any questions, please feel free to contact the Information Technology and Data Intelligence Department at <gzit@hkust-gz.edu.cn>.
Information Technology and Data Intelligence Department (ITDID)
May 6, 2026
