A high-severity Linux kernel vulnerability, CVE-2026-31431 (“Copy Fail”), has been publicly disclosed and is currently affecting most Linux distributions released since 2017. We urge everyone to please assess exposure and begin patching or applying mitigations as soon as possible.
Vulnerability details
CVE: CVE-2026-31431 (“Copy Fail”)
CVSS v3.1 Score: 7.8 (High) — Local Privilege Escalation
Disclosed: April 29, 2026
Reported to Linux Security Team: March 23, 2026
Upstream Patch Committed: April 1, 2026 (commit a664bf3d603d)
CVE Assigned: April 22, 2026
Exploit Status: A fully working public proof‑of‑concept was published on GitHub within 24 hours of disclosure and reliably achieves root across tested distros. As of today (April 30, 2026), Attacks in the wild have been reported by Exploit Intelligence.
Copy.Fail abuses a logic flaw in the Linux kernel’s algif_aead crypto module, introduced through a 2017 optimization. By manipulating the kernel’s AF_ALG crypto interface, an attacker can write controlled data into the Linux page cache (the in-memory representation of trusted system binaries).
This allows attackers to temporarily hijack binaries like /usr/bin/su without modifying the file on disk.
In practical terms:
- A normal user can become root
- A compromised container can escape to the host
- A malicious CI job can root its runner
- Shared infrastructure becomes vulnerable across tenants
- Disk forensics may show no file tampering because only RAM is altered
This makes Copy Fail especially dangerous for:
- Kubernetes clusters
- CI/CD systems
- Shared development environments
- Cloud notebook platforms
- Multi-tenant container infrastructure
Impacted versions
All Linux kernels from version 4.14 onward are affected on systems where the AF_ALG socket interface and the authencesn / algif_aead module are available. The following distributions were confirmed vulnerable by the researchers:
| Distribution | Kernel version tested | Status |
|---|---|---|
| Ubuntu 24.04 LTS | 6.17.0-1007-aws | Vulnerable |
| Amazon Linux 2023 | 6.18.8-9.213.amzn2023 | Vulnerable |
| RHEL 14.3 | 6.12.0-124.45.1.e110_1 | Vulnerable |
| SUSE 16 | 6.12.0-160000.9-default | Vulnerable |
Vendor advisory pages:
