VYPR
patchPublished May 7, 2026· Updated May 20, 2026· 2 sources

Cloudflare Details Response to 'Copy Fail' Linux Kernel LPE Vulnerability (CVE-2026-31431)

Cloudflare has published a detailed postmortem of its response to the 'Copy Fail' Linux kernel local privilege escalation vulnerability (CVE-2026-31431), confirming no impact to its infrastructure and highlighting how its behavioral detections could identify the exploit within minutes.

On April 29, 2026, a Linux kernel local privilege escalation vulnerability named 'Copy Fail' (CVE-2026-31431) was publicly disclosed. The flaw resides in the algif_aead module of the kernel's crypto API, where an out-of-bounds write via the authencesn wrapper allows an attacker using splice() to modify page cache pages of any readable file. Cloudflare's Security and Engineering teams immediately began assessing the vulnerability, reviewing the exploit technique, evaluating exposure across their infrastructure, and validating that their existing behavioral detections could identify the exploit pattern within minutes. The company confirmed there was no impact to the Cloudflare environment, no customer data was at risk, and no services were disrupted at any point.

The vulnerability exploits the company calls 'Copy Fail' exploits the Linux kernel's internal crypto API, which manages functions like kTLS and IPsec. Userspace programs access this via the AF_ALG socket family, allowing unprivileged processes to request encryption or decryption. The algif_aead module facilitates this for Authenticated Encryption with Associated Data (AEAD) ciphers. The critical system call here is splice(), which moves data by passing page cache references. The page cache is a shared system cache for file contents; modifying a page belonging to a setuid binary effectively edits that program for all users until the page is evicted.

The crypto API utilizes scatterlists, structures linking various memory pages. In 2017, algif_aead was optimized for in-place operations, chaining destination and reference pages together. This design lacked enforcement to prevent algorithms from writing past intended boundaries. When the user executes recvmsg(), the authencesn wrapper performs a 4-byte write past the legitimate output region. By using splice(), an attacker can chain a target file's page cache pages to the scatterlist. The out-of-bounds write then taints the cached file, allowing an attacker to control which file is modified, the offset, and the specific 4 bytes written.

The default exploit targets /usr/bin/su, a setuid-root binary present on essentially every distribution. The attacker first opens /usr/bin/su as O_RDONLY and read() to populate the page cache, then uses splice() on the file descriptor to pass these page cache references into the crypto scatterlist. They create an AF_ALG socket, bind to authencesn(hmac(sha256),cbc(aes)), set a key, and accept a request socket without needing privileges. For each privileges. For each 4-byte shellcode chunk, they use sendmsg() with AAD bytes 4–7 containing the shellcode, then splice() the binary into a pipe then the AF_ALG socket so assoclen + cryptlen targets the desired .text offset. Finally, recvmsg() initiates decryption, and authencesn writes its scratch data to the target offset of /usr/bin/su in the page cache. Although the function returns -EBADMSG, the 4-byte write is now in the global page cache. Running execve("/usr/bin/su") loads the tainted page cache, and since the binary is setuid-root, the injected shellcode executes with root privileges.

Cloudflare's response involved multiple parallel workstreams. Their security team worked with kernel engineers to determine which kernel versions were vulnerable and assess potential exposure. Security reviewed the exploit technique and confirmed that existing behavioral detections could identify the exploit pattern during authorized internal validation. The team began proactive threat hunting, searching for signs that the vulnerability had been exploited before it was publicly known, going back 48 hours in fleet-wide logs. Kernel engineers began building a runtime mitigation that would protect the fleet without breaking production.

Cloudflare operates a global Linux server infrastructure at immense scale, with datacenters across 330 cities. They maintain a custom Linux kernel build based on community LTS versions. At the time of disclosure, the majority of their infrastructure was running the 6.12 LTS version, while a subset of machines had begun transitioning to the newer 6.18 LTS release. The upstream fix (commit a664bf3d603d) reverts the 2017 in-place optimization, removing the exploit. Cloudflare's detailed postmortem serves as a case study in how large-scale organizations can prepare for and respond to critical kernel vulnerabilities, emphasizing the importance of behavioral detection, rapid assessment, and proactive threat hunting.

Fortinet PSIRT has published an advisory for CVE-2026-31431, confirming that the vulnerability affects the Linux kernel's crypto/algif_aead subsystem. The fix reverts in-place operations to out-of-place to avoid complexity and potential security flaws. Fortinet is investigating the impact on its products, including FortiEDR, FortiNAC, and FortiClient EMS, while confirming that FortiOS and many other products are not affected.

Synthesized by Vypr AI