Linux Privilege Escalation (CVE-2026-31431): Copy Fail Exploit and Detection


Copy Fail (CVE-2026-31431) is a deterministic Linux local privilege escalation disclosed April 29, 2026 that leverages the AF_ALG kernel crypto interface and splice() to overwrite the page cache backing a SUID binary, so that a modified copy of the binary runs from memory and yields root without any change to the file on disk. The public proof-of-concept is simple to run, affects kernels shipped since 2017 across mainstream distributions, and can be detected through AF_ALG socket creation, abnormally heavy splice() usage, and SUID exec traces.

Keypoints

  • Copy Fail is tracked as CVE-2026-31431 with a CVSS 3.1 score of 7.8 (High).
  • The vulnerability is a reliable local privilege escalation affecting Linux kernels released since 2017 across mainstream distributions; a public PoC is available and easy to run.
  • The exploit abuses the AF_ALG kernel crypto socket and the splice() syscall to write attacker-controlled data into the page cache backing a SUID binary.
  • The on-disk file remains unchanged while the in-memory page cache is modified, so the modified binary executes with SUID/root privileges when loaded from cache.
  • Detection strategies include monitoring for AF_ALG socket creation, abnormal volumes of splice() syscalls, and execution of SUID binaries spawned from unprivileged processes (commonly via Python PoCs).
  • Remediation is patching the kernel; temporary mitigations include blocking AF_ALG via seccomp or modprobe (or using initcall_blacklist when code is built-in), though these may affect legitimate crypto functionality.

MITRE Techniques

  • [T1068] Exploitation for Privilege Escalation – The exploit leverages a kernel logic flaw to escalate privileges by modifying page cache and executing SUID binaries as root. (‘…allows a low-privileged user to tamper with trusted SUID (Set User ID) binaries and execute them with elevated privileges.’)
  • [T1548] Abuse Elevation Control Mechanism – The technique abuses SUID binaries and kernel behavior to obtain elevated execution without on-disk changes. (‘…the modified version runs with SUID privileges, allowing the attacker to gain root access.’)

Indicators of Compromise

  • [CVE] Vulnerability identifier – CVE-2026-31431
  • [File Path] Targeted SUID binaries – /usr/bin/su, /usr/bin/sudo (and other SUID binaries such as /usr/bin/passwd)
  • [Kernel Log Message] Kernel/boot and runtime messages indicating AF_ALG activity or abnormal execs – "Registered PF_ALG protocol family", "process 'su' launched '/bin/sh' with NULL argv: empty string added"
  • [Syscall / Auditd] Syscall indicators and audit rules referencing exploit primitives – the splice syscall, and socket with a0=38 (AF_ALG), as seen in auditd rules and logs
  • [Kernel Module / Initcall] Module/initcall names used for mitigation or observed in system configuration – algif_aead, af_alg_init, crypto_authenc_esn_module_init
  • [Process/Execution Pattern] Process spawning and exec patterns tied to PoC behavior – execve status_code=0 user=root command="*su*", and Python parent processes spawning shells that then invoke SUID binaries
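The detection strategy from the key points and the auditd indicators above (AF_ALG socket creation, a burst of splice() calls, then a SUID exec from an unprivileged process) can be correlated per process. The following is an added example written for this summary, not code from the original article or from any detection product; the audit records are constructed and simplified (syscall names instead of numbers), and the splice threshold and the direct-parent attribution of the SUID exec are assumptions to tune for a real environment.

```python
import re
from collections import defaultdict

AF_ALG = 38  # address family of the kernel crypto API socket (AF_ALG / PF_ALG)
SUID_TARGETS = {"/usr/bin/su", "/usr/bin/sudo", "/usr/bin/passwd"}
SPLICE_THRESHOLD = 100  # constructed; baseline against legitimate splice() users first

# Constructed, simplified auditd-style SYSCALL records (not real logs). Syscall
# numbers are written as names for readability; auditd records arguments in hex,
# so a0=26 is decimal 38 = AF_ALG.
SAMPLE_LOG = "\n".join(
    ['type=SYSCALL msg=audit(1777410000.101:1): syscall=socket success=yes a0=26 a1=5 a2=0 '
     'pid=4242 ppid=4100 uid=1000 euid=1000 comm="python3" exe="/usr/bin/python3" key="af_alg"']
    + ['type=SYSCALL msg=audit(1777410000.%03d:%d): syscall=splice success=yes '
       'pid=4242 ppid=4100 uid=1000 euid=1000 comm="python3" exe="/usr/bin/python3" key="splice"'
       % (i + 102, i + 2) for i in range(120)]
    + ['type=SYSCALL msg=audit(1777410001.001:200): syscall=execve success=yes '
       'pid=4250 ppid=4242 uid=1000 euid=0 comm="su" exe="/usr/bin/su" key="suid_exec"',
       # benign: root-owned rsync using splice() once, no AF_ALG socket
       'type=SYSCALL msg=audit(1777410002.001:201): syscall=splice success=yes '
       'pid=900 ppid=1 uid=0 euid=0 comm="rsync" exe="/usr/bin/rsync" key="splice"'])

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into key/value pairs; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def detect(log_text, splice_threshold=SPLICE_THRESHOLD):
    """Return (per_pid, chains): per-process indicator state, and the pids where an
    AF_ALG socket, a splice() burst and a spawned SUID exec all line up."""
    per_pid = defaultdict(lambda: {"af_alg": False, "splices": 0, "suid_exec": []})
    for line in log_text.splitlines():
        r = parse_record(line)
        # only unprivileged callers matter for a local privilege escalation
        if r.get("type") != "SYSCALL" or r.get("uid") == "0":
            continue
        pid, sc = r.get("pid"), r.get("syscall")
        if sc == "socket" and int(r.get("a0", "0"), 16) == AF_ALG:
            per_pid[pid]["af_alg"] = True
        elif sc == "splice":
            per_pid[pid]["splices"] += 1
        elif sc == "execve" and r.get("exe") in SUID_TARGETS and r.get("euid") == "0":
            # simplified: attribute the SUID exec to its direct parent; a real
            # detector would walk the ppid chain (PoC -> shell -> su)
            per_pid[r.get("ppid")]["suid_exec"].append(r["exe"])
    chains = sorted(p for p, s in per_pid.items()
                    if s["af_alg"] and s["splices"] >= splice_threshold and s["suid_exec"])
    return dict(per_pid), chains
```

Any one indicator alone is noisy (legitimate programs use splice() and some use AF_ALG), so alerting on the correlated chain rather than the individual syscalls keeps false positives down.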


Read more: https://guardsix.com/blog/linux-privilege-escalation-cve-2026-31431-copy-fail-exploit-and-detection