A local privilege escalation vulnerability nicknamed “Copy Fail” (CVE-2026-31431) allows an unprivileged local attacker to gain root on Linux kernels released since 2017 by performing a controlled 4-byte write into the page cache, and a working exploit for it has now been published. Theori discovered the flaw using its Xint Code platform and released a 732-byte Python PoC that roots major distributions; upstream patches and interim mitigations, such as disabling the algif_aead module, are being deployed. #CopyFail #CVE-2026-31431
Key points
- Copy Fail (CVE-2026-31431) enables a controlled 4-byte write to the page cache via AF_ALG and splice.
- The bug was introduced in 2017 by an “in-place” crypto optimization and affects kernels since Linux 4.14.
- Theori used its Xint Code platform to find the flaw and published a 732-byte Python PoC that roots Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16.
- Upstream fixes reverted the in-place behavior and were released in kernel versions 6.18.22, 6.19.12, and 7.0.
- Recommended mitigations include disabling AF_ALG/algif_aead and prioritizing patches for multi-tenant hosts, container clusters, CI runners, and cloud SaaS.
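As an added defender-side example (not code from the report or from Theori), the following POSIX shell script turns the last two points into a triage check: it classifies a kernel version string against the fixed releases the report names (6.18.22, 6.19.12, 7.0) and the first affected series (4.14), reports whether the `algif_aead` module is currently loaded, and writes the modprobe configuration that blocks the module from loading. Two assumptions are built in and labelled in the comments: distributions backport fixes without changing the version string, so a "vulnerable" verdict only means "check your vendor advisory"; and 6.x series other than 6.18 and 6.19 are treated as unfixed because the report names no fixed release for them. The config file path is a constructed placeholder.

```shell
#!/bin/sh
# Added example for CVE-2026-31431 ("Copy Fail"): kernel-version triage, module
# check, and the interim mitigation (block algif_aead). Not the report's own code.

# copyfail_status VERSION
# Prints one of: not_affected | fixed | vulnerable
# ASSUMPTION: only the releases named in the report (6.18.22, 6.19.12, 7.0) count
# as fixed; other 6.x stable series are reported as vulnerable because no fixed
# release is named for them. Distro kernels backport fixes without bumping the
# version, so "vulnerable" means "verify against your vendor advisory".
copyfail_status() {
    ver="${1%%-*}"                 # drop distro suffix, e.g. "-1234-aws"
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    [ "$patch" = "$rest" ] && patch=0   # "7.0" has no patch component
    minor="${minor%%[!0-9]*}"; minor="${minor:-0}"   # strip rc tags etc.
    patch="${patch%%[!0-9]*}"; patch="${patch:-0}"

    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 14 ]; }; then
        echo not_affected            # bug introduced in 4.14 (2017)
    elif [ "$major" -ge 7 ]; then
        echo fixed                   # fix released in 7.0
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 18 ] && [ "$patch" -ge 22 ]; then
        echo fixed
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 19 ] && [ "$patch" -ge 12 ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# algif_aead_loaded MODULES_FILE
# Returns 0 if algif_aead appears in a /proc/modules-style listing
# (one module per line, name first). Takes a path so it can be tested offline.
algif_aead_loaded() {
    grep -q '^algif_aead ' "$1"
}

# write_algif_aead_blacklist PATH
# Writes the interim mitigation named in the report: prevent algif_aead from
# loading. "install ... /bin/false" blocks on-demand loading (modprobe fails
# loudly), "blacklist" blocks alias-based autoload. This does not unload a
# module that is already resident; rebooting or "modprobe -r algif_aead" does.
write_algif_aead_blacklist() {
    cat > "$1" <<'EOF'
# Interim mitigation for CVE-2026-31431 (Copy Fail): block the algif_aead module.
install algif_aead /bin/false
blacklist algif_aead
EOF
}

# Live check on the running host (skipped when COPYFAIL_NO_LIVE_CHECK is set).
if [ -z "${COPYFAIL_NO_LIVE_CHECK:-}" ]; then
    running="$(uname -r)"
    echo "kernel $running: $(copyfail_status "$running")"
    if [ -r /proc/modules ] && algif_aead_loaded /proc/modules; then
        echo "algif_aead is loaded: apply the blacklist and unload or reboot"
    else
        echo "algif_aead is not loaded (or /proc/modules is unreadable here)"
    fi
    # To install the mitigation (constructed placeholder path, run as root):
    #   write_algif_aead_blacklist /etc/modprobe.d/copyfail-mitigation.conf
fi
```

Run it as-is for a report on the current host; the version classifier is deliberately conservative, so pair its verdict with the distribution's advisory before marking a host as patched. Hosts that serve multiple tenants, container clusters, CI runners and cloud SaaS get the same check first, matching the prioritisation above.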