Cloudflare Details Response to 'Copy Fail' Linux Kernel LPE Vulnerability (CVE-2026-31431)
Cloudflare has published a detailed postmortem of its response to the 'Copy Fail' Linux kernel local privilege escalation vulnerability (CVE-2026-31431), confirming no impact to its infrastructure and highlighting how its behavioral detections could identify the exploit within minutes.
On April 29, 2026, a Linux kernel local privilege escalation vulnerability named 'Copy Fail' (CVE-2026-31431) was publicly disclosed. The flaw resides in the `algif_aead` module of the kernel's crypto API, where an out-of-bounds write via the `authencesn` wrapper allows an attacker using `splice()` to modify page cache pages of any readable file. Cloudflare's Security and Engineering teams immediately began assessing the vulnerability, reviewing the exploit technique, evaluating exposure across their infrastructure, and validating that their existing behavioral detections could identify the exploit pattern within minutes. The company confirmed there was no impact to the Cloudflare environment, no customer data was at risk, and no services were disrupted at any point.
The vulnerability exploits the company calls 'Copy Fail' exploits the Linux kernel's internal crypto API, which manages functions like kTLS and IPsec. Userspace programs access this via the `AF_ALG` socket family, allowing unprivileged processes to request encryption or decryption. The `algif_aead` module facilitates this for Authenticated Encryption with Associated Data (AEAD) ciphers. The critical system call here is `splice()`, which moves data by passing page cache references. The page cache is a shared system cache for file contents; modifying a page belonging to a setuid binary effectively edits that program for all users until the page is evicted.
The crypto API utilizes scatterlists, structures linking various memory pages. In 2017, `algif_aead` was optimized for in-place operations, chaining destination and reference pages together. This design lacked enforcement to prevent algorithms from writing past intended boundaries. When the user executes `recvmsg()`, the `authencesn` wrapper performs a 4-byte write past the legitimate output region. By using `splice()`, an attacker can chain a target file's page cache pages to the scatterlist. The out-of-bounds write then taints the cached file, allowing an attacker to control which file is modified, the offset, and the specific 4 bytes written.
The default exploit targets `/usr/bin/su`, a setuid-root binary present on essentially every distribution. The attacker first opens `/usr/bin/su` as `O_RDONLY` and `read()` to populate the page cache, then uses `splice()` on the file descriptor to pass these page cache references into the crypto scatterlist. They create an `AF_ALG` socket, bind to `authencesn(hmac(sha256),cbc(aes))`, set a key, and accept a request socket without needing privileges. For each privileges. For each 4-byte shellcode chunk, they use `sendmsg()` with AAD bytes 4–7 containing the shellcode, then `splice()` the binary into a pipe then the `AF_ALG` socket so `assoclen + cryptlen` targets the desired `.text` offset. Finally, `recvmsg()` initiates decryption, and `authencesn` writes its scratch data to the target offset of `/usr/bin/su` in the page cache. Although the function returns `-EBADMSG`, the 4-byte write is now in the global page cache. Running `execve("/usr/bin/su")` loads the tainted page cache, and since the binary is setuid-root, the injected shellcode executes with root privileges.
Cloudflare's response involved multiple parallel workstreams. Their security team worked with kernel engineers to determine which kernel versions were vulnerable and assess potential exposure. Security reviewed the exploit technique and confirmed that existing behavioral detections could identify the exploit pattern during authorized internal validation. The team began proactive threat hunting, searching for signs that the vulnerability had been exploited before it was publicly known, going back 48 hours in fleet-wide logs. Kernel engineers began building a runtime mitigation that would protect the fleet without breaking production.
Cloudflare operates a global Linux server infrastructure at immense scale, with datacenters across 330 cities. They maintain a custom Linux kernel build based on community LTS versions. At the time of disclosure, the majority of their infrastructure was running the 6.12 LTS version, while a subset of machines had begun transitioning to the newer 6.18 LTS release. The upstream fix (commit `a664bf3d603d`) reverts the 2017 in-place optimization, removing the exploit. Cloudflare's detailed postmortem serves as a case study in how large-scale organizations can prepare for and respond to critical kernel vulnerabilities, emphasizing the importance of behavioral detection, rapid assessment, and proactive threat hunting.
Fortinet PSIRT has published an advisory for CVE-2026-31431, confirming that the vulnerability affects the Linux kernel's crypto/algif_aead subsystem. The fix reverts in-place operations to out-of-place to avoid complexity and potential security flaws. Fortinet is investigating the impact on its products, including FortiEDR, FortiNAC, and FortiClient EMS, while confirming that FortiOS and many other products are not affected.