Copy Fail (CVE-2026-31431): Linux Bug Gives Local Users Root

Copy Fail (CVE-2026-31431) is a Linux kernel LPE in algif_aead affecting many distros since 2017. Patch kernels or disable algif_aead.

The vulnerability was publicly disclosed on April 29, 2026, and on May 1, 2026 CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities catalog, which means active exploitation is now confirmed, not theoretical.[1][2][3][6] Copy Fail is not a remote bug by itself. But if an attacker already has a shell, a compromised web account, a malicious CI job, or code running inside the wrong container, it can turn limited local access into root.

[Illustration: satirical cartoon of a local Linux user casually stamping a visitor pass into a root pass. Caption: The visitor badge was only supposed to get him through the lobby. The buggy logic promoted him straight to the boss's office.]

Researchers from Xint.io and Theori trace the issue to the Linux kernel cryptographic subsystem, specifically the algif_aead module exposed through AF_ALG.[2][3] The uncomfortable detail is that this is a logic flaw, not a fragile race condition. Many Linux LPEs depend on timing, repeated attempts, or a narrow kernel build. Copy Fail is notable because the write primitive is described as direct, portable, and reliable across a long distro window that reaches back to 2017.[1][2]

In practical terms, the bug can let an unprivileged local user make a tiny controlled change in the page cache of a readable file. If the target is a setuid binary, that small in-memory change may be enough to hijack execution and get a root shell. The comparison with Dirty Pipe is natural, but Copy Fail appears to cover a broader spread of distributions because the vulnerable path has existed for years.[1][2][3]

Short version: Copy Fail does not break into a Linux system from the internet by itself, but it can turn a small foothold into full control of the host.

Patch and mitigation

CVE-2026-31431 carries a CVSS score of 7.8 and is tracked as high severity by Ubuntu.[4] The most exposed environments are the ones that let untrusted or semi-trusted users run code: multi-user servers, jump boxes, shared hosting, self-hosted CI runners, build farms, Kubernetes nodes, notebook platforms, and sandbox services. Containers deserve special attention because they share the host kernel and page cache.

The response is simple even if the bug is not: check your distribution advisory, install the fixed kernel as soon as it becomes available, and reboot into it.[4][5] CISA gave U.S. federal agencies until May 15, 2026 to remediate the issue after adding it to KEV, which is a practical signal that the patch window should be treated as urgent everywhere else too.[6] Updating packages without booting the patched kernel does not remove the live risk. If a fixed kernel is not yet available, the research page points to disabling the algif_aead module as a temporary mitigation; in container and CI-heavy environments, restricting AF_ALG socket creation through seccomp may also reduce exposure until patching is complete.[2][3]
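As an added example (not from the article, the researchers or any distribution), a small POSIX shell helper that triages the temporary mitigation above on one host: it tells you whether algif_aead is loaded, compiled into the kernel (in which case it cannot be disabled and only the fixed kernel helps), or already blocked, and can write the modprobe.d rule. All file paths and the KVER variable are parameters of this example so the checks can also be run against constructed input.

```sh
#!/bin/sh
# Added helper (not from the article): triage the algif_aead mitigation on one host.
# Paths default to the live system but are parameters. Run with --report for a summary.
MODULE=algif_aead

# 0 if the module is currently loaded (/proc/modules lines: "name size refcount ...").
algif_aead_loaded() {
  f="${1:-/proc/modules}"
  [ -r "$f" ] && grep -q "^${MODULE} " "$f"
}

# 0 if the module is compiled into the kernel: then it cannot be unloaded or blocked,
# and only booting a fixed kernel removes the vulnerable code path.
algif_aead_builtin() {
  f="${1:-/lib/modules/${KVER:-$(uname -r 2>/dev/null)}/modules.builtin}"
  [ -r "$f" ] && grep -q "/${MODULE}\.ko" "$f"
}

# 0 if a modprobe.d file already carries an "install algif_aead /bin/false" rule.
# "install" also defeats on-demand loading triggered through an AF_ALG socket; a plain
# "blacklist" line only stops alias-based loading, so it is not sufficient here.
algif_aead_blocked() {
  d="${1:-/etc/modprobe.d}"
  [ -d "$d" ] && grep -qsE "^[[:space:]]*install[[:space:]]+${MODULE}[[:space:]]+/bin/(false|true)" "$d"/*.conf
}

# Write the blocking rule; the default file name is this example's own choice.
write_block_rule() {
  printf 'install %s /bin/false\n' "$MODULE" > "${1:-/etc/modprobe.d/disable-algif-aead.conf}"
}

# Status for the running host: returns 0 only when the module is neither loaded nor loadable.
report() {
  if algif_aead_builtin; then
    echo "algif_aead is built in: only a fixed kernel removes the risk"; return 1
  fi
  rc=0
  if algif_aead_loaded; then
    echo "algif_aead is loaded: run 'modprobe -r algif_aead' after writing the block rule"; rc=1
  fi
  if algif_aead_blocked; then
    echo "future loads of algif_aead are blocked by modprobe.d"
  else
    echo "algif_aead can still load on demand: call write_block_rule"; rc=1
  fi
  return $rc
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Blocking the module is a stopgap for the window until the fixed kernel is booted; a built-in algif_aead (common on some distribution kernels) leaves patching as the only option.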

Copy Fail has the ingredients that make Linux administrators nervous: old code, wide distribution coverage, no race condition, a compact proof of concept, and a common impact path. The right reaction is not panic. It is inventory, patch, reboot, and tighten the places where untrusted code can run.

References

  1. The Hacker News. “New Linux Copy Fail Vulnerability…”
  2. Xint.io research write-up. “Copy Fail: 732 Bytes to Root on Every Major Linux Distribution.”
  3. Copy Fail disclosure page.
  4. Ubuntu CVE tracker: CVE-2026-31431.
  5. Debian Security Tracker: CVE-2026-31431.
  6. CISA Known Exploited Vulnerabilities Catalog: CVE-2026-31431 (added May 1, 2026; due date May 15, 2026).

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
