Security Unlocked

Copy Fail Gives Root on Every Linux Kernel Since 2017, No Race Condition Required

CVE-2026-31431 is a deterministic local privilege escalation in the Linux kernel's authencesn crypto template, with a public exploit and no race condition, making it the most reliable Linux LPE since Dirty Pipe.

HIGH confidence

A logic bug in the Linux kernel’s AEAD cryptographic interface just gave every unprivileged local user a deterministic path to root on virtually every distribution shipped since 2017, including Ubuntu 24.04 LTS, RHEL 10.1, Amazon Linux 2023, SUSE 16, Debian, Fedora, and Arch. CVE-2026-31431, dubbed “Copy Fail,” has a 732-byte Python exploit circulating and patches are still rolling out across major distributions. If you run Linux in production, this one demands same-day attention.

What Makes This Different

Copy Fail lives at the intersection of three kernel changes made years apart: the authencesn AEAD wrapper added for IPsec in 2011, AF_ALG socket support for AEAD in 2015, and an in-place memory optimization in algif_aead.c in 2017. That last change introduced the flaw. An unprivileged local user can write four controlled bytes into the page cache of any readable file on the system, then leverage that to escalate to root.

The critical distinction from previous Linux kernel LPEs: this is not a race condition. Dirty Cow (CVE-2016-5195) and Dirty Pipe (CVE-2022-0847) both required attackers to win a timing window, which made exploitation probabilistic and sometimes caused system instability. Copy Fail is deterministic. The same exploit binary works reliably across distributions, kernel versions, and hardware. That changes the calculus for defenders significantly.

Why Cloud and Container Teams Should Be Moving Now

CVSS 7.8 (local) undersells the real-world impact here. The attack requires local code execution as an unprivileged user, but that precondition is trivially met in modern environments: a web application RCE landing in a low-privilege service account, a compromised CI runner, an SSH foothold from a stolen key. Chain any of those with Copy Fail and you have root.

For containerized workloads, the implications are worse. A container escape chained with this flaw compromises the host, and in multi-tenant Kubernetes clusters, that means lateral movement across tenant boundaries. Wiz, Sysdig, and Microsoft Security Response Center have all published analysis confirming the container breakout path is viable.

What to Do Today

Patches are available from Ubuntu, AlmaLinux, CloudLinux, and others. RHEL and SUSE patches are expected imminently. If you cannot patch immediately, disable the vulnerable module:

echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
sudo rmmod algif_aead 2>/dev/null

This blocks the exploitation path without requiring a reboot: the install rule stops modprobe from loading algif_aead again, and rmmod unloads it if it is currently loaded (rmmod will refuse if the module is in use). Verify the module is unloaded with lsmod | grep algif_aead, which should print nothing. Note that the workaround only applies where algif_aead is a loadable module; if it is built into the kernel, patching is the only fix. For Kubernetes environments, apply the mitigation at the node level, not within containers.

SOC teams should be hunting for AF_ALG socket creation from non-root processes. That syscall pattern is unusual in most production workloads and, combined with page cache write anomalies, provides a reliable detection signal for exploitation attempts.
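As an added detection example (not from the original post), here is a small Python triage script that runs the hunt above over auditd SYSCALL records: it flags socket(2) calls with family AF_ALG (38, which auditd logs as hex a0=26) made by non-root uids, keeping failed attempts too, since the attempt itself is the signal. It assumes x86_64 syscall numbers and that an audit rule on the socket syscall is already in place; the log lines, process names and paths are constructed.

```python
import re
from typing import Dict, List

# Linux constants, x86_64 only: socket(2) is syscall 41 and AF_ALG is address family 38.
ARCH_X86_64 = "c000003e"
SYSCALL_SOCKET = 41
AF_ALG = 38

# Constructed sample auditd SYSCALL records (not real telemetry): a non-root AF_ALG socket,
# a root-owned AF_ALG socket (a hypothetical key daemon), an AF_INET socket, and a failed attempt.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1714000000.101:501): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=2222 pid=2231 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.12" key="af_alg"
type=SYSCALL msg=audit(1714000000.202:502): arch=c000003e syscall=41 success=yes exit=4 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="keydaemon" exe="/usr/sbin/keydaemon" key="af_alg"
type=SYSCALL msg=audit(1714000000.303:503): arch=c000003e syscall=41 success=yes exit=5 a0=2 a1=1 a2=6 a3=0 items=0 ppid=2222 pid=2240 auid=1000 uid=1000 gid=1000 euid=1000 comm="curl" exe="/usr/bin/curl" key="af_alg"
type=SYSCALL msg=audit(1714000000.404:504): arch=c000003e syscall=41 success=no exit=-97 a0=26 a1=5 a2=0 a3=0 items=0 ppid=3333 pid=3340 auid=1001 uid=1001 gid=1001 euid=1001 comm="a.out" exe="/tmp/a.out" key="af_alg"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one auditd record into key/value pairs, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def find_af_alg_from_nonroot(log_text: str) -> List[Dict[str, str]]:
    """Return socket(AF_ALG) calls made by non-root users, successful or not."""
    hits = []
    for line in log_text.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue
        rec = parse_record(line)
        if rec.get("arch") != ARCH_X86_64 or rec.get("syscall") != str(SYSCALL_SOCKET):
            continue
        # auditd logs syscall arguments (a0..a3) as bare hex, so "26" is 38 decimal.
        if int(rec.get("a0", "0"), 16) != AF_ALG:
            continue
        if rec.get("uid") == "0":
            continue  # root-owned IPsec/key daemons legitimately use AF_ALG
        hits.append({key: rec.get(key, "") for key in
                     ("pid", "uid", "auid", "comm", "exe", "success", "exit")})
    return hits


if __name__ == "__main__":
    for hit in find_af_alg_from_nonroot(SAMPLE_AUDIT_LOG):
        print(f"AF_ALG socket from uid {hit['uid']} pid {hit['pid']} ({hit['exe']}) success={hit['success']}")
```

Baseline the result against your own fleet first: root-owned IPsec daemons are the usual legitimate AF_ALG users, and any non-root hit outside a known allowlist is worth a ticket.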