VYPR
patch · Published May 5, 2026 · Updated May 18, 2026 · 1 source

Copy Fail: Critical Linux Kernel LPE Flaw CVE-2026-31431 Exposes Millions of Systems

A deterministic local privilege escalation vulnerability in the Linux kernel's AF_ALG cryptographic interface, dubbed Copy Fail, allows unprivileged attackers to gain root access on virtually all major distributions released since 2017.

On April 29, 2026, researchers publicly disclosed CVE-2026-31431, a highly reliable local privilege escalation (LPE) vulnerability in the Linux kernel's cryptographic subsystem. Dubbed "Copy Fail," the flaw was discovered in about an hour through an AI-assisted process and affects Linux kernels from version 4.14 through 6.19.12. Unlike many kernel vulnerabilities that rely on race conditions or on knowing kernel offsets, Copy Fail is deterministic: a single 732-byte Python script consistently escalates privileges to root across Ubuntu, Red Hat Enterprise Linux, Debian, Amazon Linux, SUSE, and AlmaLinux without modification.

The root cause lies in the algif_aead module of the AF_ALG interface, a user-space crypto API. The vulnerability resulted from a combination of three independent updates: the addition of the authencesn algorithm in 2011, AF_ALG gaining AEAD support in 2015, and a fatal in-place optimization introduced in 2017 (commit 72548b093ee3). During cryptographic operations, the in-place optimization causes the algorithm to use the destination buffer improperly, writing four controlled bytes past the legitimate region directly into the system's file page cache.

An unprivileged attacker can exploit this memory handling error by misusing the interaction between the AF_ALG socket interface and the splice() system call. When splice() hands page-cache pages into the crypto subsystem, the vulnerability allows the attacker to direct that four-byte overwrite straight into the kernel's file page cache. The attacker controls the exact overwrite value by supplying the seqno_lo (the low half of the sequence number) inside bytes 4–7 of the Associated Authenticated Data (AAD) during the sendmsg() call.

The page cache is the temporary in-memory copy of a file that the kernel reads when it loads a binary for execution. An attacker can leverage the four-byte overwrite to target the page cache of any readable setuid-root binary, such as /usr/bin/su, sudo, or passwd. By manipulating the splice offset, splice length, and assoclen parameters, the attacker can specifically target the .text section of a setuid binary to inject shellcode. Modifying the cached copy alters the binary's execution context, granting superuser (UID 0) privileges without modifying the physical file on disk, thereby bypassing traditional file integrity monitoring tools.

Because the kernel and its page cache are shared across an entire node, this flaw allows attackers to easily break out of Kubernetes containers, take over multi-tenant hosts, and compromise CI/CD pipelines. The vulnerability affects millions of systems worldwide. The Linux Foundation has posted an advisory with mitigation details, and the patch (commit a664bf3d603d) fixes the issue by reverting the module to out-of-place operation, separating the source and destination scatterlists so that page cache pages remain strictly read-only.

Organizations are urged to apply vendor-issued kernel patches immediately. If patching is not feasible, interim mitigation guidance recommends disabling the vulnerable module. Palo Alto Networks customers receive protections through Next-Generation Firewall with Advanced Threat Prevention, Cortex Cloud, and Cortex XDR and XSIAM. The Unit 42 Incident Response team can also be engaged to help with compromise assessment or proactive risk reduction.
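As an added defender-side example (not code from the article, Unit 42, the Linux Foundation advisory, or any vendor tool), the POSIX shell helper below checks whether a running kernel's upstream version string falls inside the range the article reports (4.14 through 6.19.12), whether algif_aead is currently loaded, and prints a modprobe.d fragment that blocks the module from auto-loading, which is one way to carry out the interim "disable the module" guidance. The function names are the example's own, and the `install algif_aead /bin/false` line is a standard modprobe.d idiom assumed here rather than taken from the advisory.

```shell
#!/bin/sh
# Added triage helper for CVE-2026-31431 (Copy Fail); not the article's or any vendor's code.
# Assumed affected upstream range: 4.14 through 6.19.12 inclusive, as reported above.

# Reduce "5.15.0-91-generic" to "5 15 0" (major minor patch); tolerates "4.14" and "6.8.0+".
kernel_triplet() {
  base=${1%%-*}; base=${base%%+*}
  major=${base%%.*}; rest=${base#*.}
  [ "$rest" = "$base" ] && rest=0
  minor=${rest%%.*}; patch=${rest#*.}
  [ "$patch" = "$rest" ] && patch=0
  echo "$major $minor $patch"
}

# Encode a version as one integer so the range check is plain arithmetic.
version_key() {
  set -- $(kernel_triplet "$1")
  echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# True (exit 0) when the version lies inside the reported range.
kernel_in_affected_range() {
  key=$(version_key "$1")
  [ "$key" -ge "$(version_key 4.14)" ] && [ "$key" -le "$(version_key 6.19.12)" ]
}

# True when algif_aead is listed in /proc/modules (or in a file passed in for testing).
algif_aead_loaded() {
  grep -q '^algif_aead ' "${1:-/proc/modules}" 2>/dev/null
}

# modprobe.d fragment that stops algif_aead from being auto-loaded (assumed standard
# "install <module> /bin/false" idiom); it does not unload an already-loaded module.
mitigation_fragment() {
  printf '%s\n' '# Interim mitigation for CVE-2026-31431 (Copy Fail)' \
                'install algif_aead /bin/false'
}

# Stand-alone run: report on the running kernel and module state.
triage() {
  running=$(uname -r)
  if kernel_in_affected_range "$running"; then
    echo "kernel $running: inside the reported range; confirm the fix with your vendor"
  else
    echo "kernel $running: outside the reported range"
  fi
  if algif_aead_loaded; then echo "algif_aead is loaded; unload it before relying on modprobe.d"
  else echo "algif_aead not loaded; fragment for /etc/modprobe.d/ to keep it so:"; mitigation_fragment; fi
}
triage
```

Because distributions backport fixes into kernels that keep older version numbers, an in-range result is a prompt to check the vendor advisory, not confirmation of exposure. The fragment also cannot disable an algif_aead that is built into the kernel rather than loaded as a module.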

Synthesized by Vypr AI