credit goes to my Elder-Friend @Valued-Customer (dude you need your own blog!)
From LinuxShout:
A new Linux kernel vulnerability called Copy Fail, tracked as CVE-2026-31431, was publicly disclosed on April 29, 2026. Within 48 hours, it landed on the CISA Known Exploited Vulnerabilities catalog. The scary part is the timeline of affected kernels. Every mainstream distribution shipping a kernel built since mid-2017 carries this flaw. That’s not a typo. We’re talking about nearly nine years of Linux kernels, sitting on millions of servers.
Copy Fail is a local privilege escalation (LPE) flaw in the Linux kernel’s
algif_aeadmodule, which is part of the AF_ALG userspace crypto API. The flaw was introduced in 2017 via commit 72548b093ee3, which switched AEAD operations to in-place processing. The upstream fix basically reverts that decade-old optimization. SysdigThe practical version goes like this. Any unprivileged local user can write 4 controlled bytes into the page cache of any readable file on the system, and use that to gain root. The whole exploit fits in a 732-byte Python script. Yes, 732 bytes. The vulnerability stems from a logic flaw in the Linux kernel’s AEAD crypto implementation (algif_aead), where improper handling of scatter-gather lists allows a write beyond intended bounds.
What makes Copy Fail nastier than something like Dirty Pipe is that it isn’t a race condition. It’s deterministic. The bug runs every single time, with no flaky timing or version-specific tuning needed. The CVSS score sits at 7.8 (High), but honestly, that number undersells the real-world risk. The exploit works the same on a developer laptop as it does on a Kubernetes node, and the public PoC is small enough to fit in a tweet.
The CVE-2026-31431 patch for Linux is rolling out across distributions right now. If you run AlmaLinux, Rocky Linux, Ubuntu, or Debian on anything that lets untrusted users get a shell, like multi-tenant hosts, container build farms, CI runners, or shared hosting setups, this guide walks you through the fix.
Leave a Reply