At a glance: Copy Fail (CVE-2026-31431), a Linux kernel logic flaw, allows reliable privilege escalation to root on most systems built since 2017. While not directly exploitable from the internet, the vulnerability turns routine low-privilege access (common in containers, CI/CD pipelines, and shared servers) into full host compromise while bypassing file-integrity monitoring and disk-based detection. In modern Linux environments where untrusted code execution is expected, this significantly increases the risk of lateral movement, container escape, and cross-tenant impact until systems are patched and rebooted.
Threat summary
On April 29, security researchers publicly disclosed a high-severity Linux kernel logic flaw known as Copy Fail, tracked as CVE-2026-31431. The vulnerability enables a local, unprivileged user to escalate privileges to full root access on most Linux systems. A working proof-of-concept (POC) exploit for this flaw has been published.
Copy Fail affects the Linux kernel cryptographic subsystem, specifically the Authenticated Encryption with Associated Data (AEAD) implementation exposed via the algif_aead interface. AEAD is a core kernel component used by technologies such as Internet Protocol Security (IPsec) to provide authenticated encryption. A performance optimization introduced in August 2017 altered how memory buffers are handled during certain cryptographic operations, unintentionally allowing controlled writes into the kernel's page cache, which stores in-memory copies of files read from disk.
The flaw allows a threat actor with basic local access to take full control of a Linux system without modifying files on disk. Instead, the adversary alters how a critical system program behaves only in memory. When that program is executed, the operating system unknowingly runs it with full administrative (root) privileges. Because the underlying file remains unchanged, file-integrity monitoring and disk-based forensics do not detect the compromise. The takeover persists as long as the system continues running and disappears after a reboot.
The issue was privately reported to the Linux kernel security team on March 23, 2026, fixed upstream on April 1, assigned CVE-2026-31431 on April 22, and publicly disclosed with exploit code on April 29. The vulnerability carries a CVSS v3 score of 7.8 (High).
The vulnerability affects most Linux distributions using kernels built since 2017, including Ubuntu, Red Hat Enterprise Linux, SUSE, Amazon Linux, Debian, and downstream derivatives. It remains present until each distribution releases a fix and the system has been updated and rebooted into the vendor-provided patched kernel.
Risk is highest in shared Linux environments such as Kubernetes nodes, continuous integration (CI) runners, multi-tenant servers, and cloud platforms that execute untrusted or customer-supplied code. In these environments, a single low-privilege foothold can escalate into host-level and cross-tenant compromise.
Analysis
Copy Fail cannot be exploited directly from the internet, but it is still a serious risk because it reliably turns any form of local access, which is common in modern Linux environments, into full system control.
A realistic scenario is that a threat actor first gains a low-privilege foothold, for example through a vulnerable web application, stolen credentials, execution inside a container as the first step toward a breakout, or execution of untrusted code in a CI pipeline, and then uses Copy Fail to escalate to root quickly and reliably. This makes it especially dangerous on shared systems where low-privilege execution is expected by design.
Copy Fail is notable because it does not rely on a race condition, meaning exploitation does not depend on precise timing, retries, or winning a narrow execution window. Many Linux privilege-escalation flaws only succeed intermittently and may crash systems or fail under load, which limits their practical use.
In contrast, Copy Fail is a deterministic logic flaw: when the vulnerable code path is triggered, it behaves incorrectly every time on affected systems. This makes exploitation reliable, repeatable, and easy to automate, lowering the barrier for abuse and reducing the chance that failed attempts generate noise or instability that would alert defenders.
Linux distribution vendors are releasing kernel updates that remediate CVE-2026-31431 by correcting the vulnerable cryptographic code path. Once available, applying the vendor-provided kernel update and rebooting the system fully resolves the issue. Prioritizing patch deployment on shared Linux infrastructure, including Kubernetes worker nodes, build systems, and multi-tenant servers, provides the greatest reduction in risk.
As an interim risk-reduction measure for systems awaiting a patched kernel, there are documented temporary mitigations that disable the vulnerable kernel crypto interface, such as preventing the algif_aead module from loading. These steps remove the user-accessible attack surface required to exploit the flaw but do not eliminate the underlying kernel bug and may impact workloads that rely on kernel-accelerated cryptography. Applying vendor patches and rebooting remains the only complete remediation.
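A defender-side audit of the interim mitigation described above, written as an added example for this brief (not code from Field Effect or the kernel project). It assumes the mitigation takes the form of a modprobe.d drop-in containing `install algif_aead /bin/false`, and separates that from a bare `blacklist` line and from kernels that compile the module in, where no modprobe policy can help.

```shell
#!/bin/sh
# Audit whether algif_aead can be kept from loading on a host awaiting a fix.
# Example code added for this advisory, not Field Effect or kernel code. It
# assumes the interim mitigation is a modprobe.d drop-in containing
# "install algif_aead /bin/false"; paths are parameters so the checks run
# against constructed fixtures as well as the live host.

# Policy for a module in a modprobe.d directory: "install" (load refused),
# "blacklist" (module aliases ignored only) or "none". Comments are stripped.
modprobe_policy() {
  dir="$1" mod="$2" policy="none"
  for f in "$dir"/*.conf; do
    [ -f "$f" ] || continue
    if sed 's/#.*//' "$f" | grep -Eq "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(false|true)"; then
      policy="install"; break
    elif sed 's/#.*//' "$f" | grep -Eq "^[[:space:]]*blacklist[[:space:]]+$mod([[:space:]]|\$)"; then
      policy="blacklist"
    fi
  done
  echo "$policy"
}

# How the running kernel ships the module: "builtin" (compiled in, so no
# modprobe policy can block it), "module" (listed in modules.dep) or "absent".
module_kind() {
  builtin_list="$1" dep_list="$2" mod="$3"
  if grep -q "/$mod\.ko" "$builtin_list" 2>/dev/null; then echo builtin
  elif grep -q "/$mod\.ko" "$dep_list" 2>/dev/null; then echo module
  else echo absent; fi
}

# verdict BUILTIN_LIST DEP_LIST MODPROBE_DIR MODULE -> one word to act on.
verdict() {
  case "$(module_kind "$1" "$2" "$4")" in
    builtin) echo builtin ;;                   # only the patched kernel helps
    absent)  echo absent ;;                    # interface not available
    module)
      case "$(modprobe_policy "$3" "$4")" in
        install)   echo blocked ;;             # modprobe refuses to load it
        blacklist) echo partial ;;             # a load by name still succeeds
        *)         echo exposed ;;             # loaded on demand via AF_ALG
      esac ;;
  esac
}

# Live host: sh algif_aead_audit.sh --host
if [ "${1:-}" = "--host" ]; then
  m="/lib/modules/$(uname -r)"
  echo "algif_aead: $(verdict "$m/modules.builtin" "$m/modules.dep" /etc/modprobe.d algif_aead)"
fi
```

A "builtin" or "partial" result means the modprobe drop-in is not doing the work on that host, so it should stay at the front of the patch-and-reboot queue.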
Note that kernel version numbers alone are not sufficient to determine exposure. Linux vendors frequently backport security fixes into older kernel versions without changing the visible version string. As a result, two systems reporting the same kernel version may differ in vulnerability status. Exposure depends on whether the system is running a vendor-patched kernel for CVE-2026-31431 and has been rebooted into that kernel, not on the version number alone.
From a detection perspective, Field Effect MDR provides coverage for anomalous curl execution, which is relevant given that publicly available POC tooling for Copy Fail retrieves and executes exploit code directly from remote sources. This activity often appears as short-lived privilege escalation followed by command execution consistent with post-exploitation behavior. Endpoint Detection and Response (EDR) detections have also been added to identify suspicious post-exploitation activity aligned with local privilege escalation workflows.