A newly disclosed Linux kernel vulnerability, dubbed Copy Fail and tracked as CVE-2026-31431, has been rated CVSS 7.8 and allows a local, unprivileged user to obtain full root access on most modern Linux systems. According to research teams from Xint.io and Theori, the flaw is simple to exploit, broadly deployed, and effective across multiple Linux distributions.
What the Copy Fail Linux kernel vulnerability allows an attacker to do
CVE-2026-31431 is a classic Local Privilege Escalation (LPE) issue. An attacker who already has any local account on a system can write four attacker-controlled bytes into the page cache of an arbitrary readable file. By strategically targeting sensitive binaries, this controlled corruption can be turned into reliable arbitrary code execution as root.
The danger comes from the fact that many Linux utilities are installed with setuid root permissions. Modifying just a few bytes in such a binary is often enough to bypass security checks or redirect execution flow, so that when any user runs the program, it executes the attacker’s payload with the highest privileges.
Root cause: logical bug in Linux AF_ALG cryptographic subsystem
The vulnerability resides in the Linux kernel’s cryptographic interface, specifically in the algif_aead module that implements Authenticated Encryption with Associated Data (AEAD) over the AF_ALG socket interface. A logical error introduced by a commit in August 2017 makes it possible for a page from the shared page cache to be used as a writable destination buffer in an AEAD operation.
The page cache is the kernel’s in-memory cache of file data, shared by all processes. If an attacker can modify a page in this cache, the change is reflected for every process that reads that file, even if the underlying file is opened as read‑only.
Copy Fail abuses this internal optimization: an unprivileged process can trigger an AEAD operation via an AF_ALG socket so that a page cache page is placed into a writable scatter/gather list. By combining this with the splice() system call, the attacker can reliably overwrite exactly four bytes in the page cache of a file they do not own and cannot open for writing.
From four bytes to full root: exploitation scenario
In practice, an attacker would target a setuid-root binary that is present on almost all Linux systems (for example, a small helper utility). By flipping a few bytes in a critical location, they can disable built-in checks, alter control flow, or inject a small “trampoline” that loads a more complex payload from elsewhere.
Researchers note that Copy Fail does not rely on race conditions, kernel address leaks, or fragile timing. Proof-of-concept exploits can be implemented as a very short Python script (~700 bytes), with minimal traces in system logs, making detection and forensic analysis significantly more difficult.
Affected Linux distributions and container escape risks
Because the vulnerable code has been present since 2017, virtually all major Linux distributions are impacted, including Amazon Linux, Red Hat Enterprise Linux (RHEL), SUSE, Ubuntu, and other derivatives that ship kernels based on these versions.
Copy Fail is not a remote code execution bug by itself. An adversary must first gain some form of local access — for example, through a compromised user account, a vulnerable web application, weak SSH credentials, or another exploit. However, once a foothold is established, CVE-2026-31431 enables a single-step jump from unprivileged user to root, bypassing most traditional host-based controls.
The vulnerability is particularly concerning in modern cloud-native environments because the kernel page cache is shared between containers and the host. A process inside a seemingly locked-down container can maliciously alter binaries or libraries that are accessible outside that container, enabling a container escape and full host compromise. This undermines the assumption that Linux namespaces alone provide sufficient isolation against kernel-level attacks.
Comparison with Dirty Pipe and why Copy Fail matters
Copy Fail belongs to the same general class of issues as the widely publicized Dirty Pipe (CVE-2022-0847), which also allowed attackers to overwrite data in the page cache of read‑only files. Dirty Pipe abused logic errors in the Linux pipe subsystem; Copy Fail instead leverages design flaws in the AF_ALG cryptographic networking interface.
From a defensive standpoint, CVE-2026-31431 is especially significant because it offers:
- Stable exploitation: no complex race conditions or kernel memory layout guessing are required.
- Cross-distribution reliability: the same exploit technique works with little or no modification on multiple Linux distributions and kernel builds.
- Low detectability: only a few system calls and short-lived processes are involved, which often blend into normal system activity.
Mitigation strategies and recommendations for Linux administrators
Linux vendors have begun publishing kernel security advisories and pushing patched kernel updates to their supported releases. Applying these updates is the most effective way to mitigate Copy Fail.
Security teams should prioritize the following actions:
- Patch the kernel: Install the latest security kernel packages from your distribution’s official repositories (RHEL, Ubuntu, SUSE, Amazon Linux, etc.) across servers, workstations, and container hosts.
- Harden local access: Reduce the attack surface by enforcing strong authentication, limiting direct shell access, and monitoring for abnormal user activity.
- Audit setuid binaries: Inventory all
setuidexecutables, remove unnecessary ones, and consider replacing legacy tools with alternatives that follow the principle of least privilege. - Reassess container isolation: Treat containers as sharing a single kernel. Complement namespaces and cgroups with additional controls such as mandatory access control (SELinux, AppArmor) and regular host patching.
Copy Fail illustrates how a seemingly minor logical error in a specialized kernel module can escalate into a system-wide risk, enabling root compromise, container breakout, and sandbox bypass. Organizations that rely on Linux — from bare-metal servers to Kubernetes clusters — should respond by rapidly deploying kernel patches, tightening local privilege boundaries, and continuously revisiting their Linux security architecture in light of emerging kernel-level attack vectors.
