CVE-2026-31431
BaseFortify
Publication date: 2026-04-22
Last updated on: 2026-05-06
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| suse | suse_linux | * |
| canonical | ubuntu_linux | * |
| amazon | amazon_linux | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-669 | The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31431, also known as "CopyFail," is a local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem, specifically involving the algif_aead module. The vulnerability arises from an in-place optimization in the kernel's AEAD (Authenticated Encryption with Associated Data) implementation that incorrectly allows page-cache-backed file pages to be included in writable scatterlists. This flaw enables an unprivileged local user to perform a controlled 4-byte write into the page cache of any readable file, such as setuid binaries like /usr/bin/su or critical system files like /etc/passwd, without modifying the on-disk file.
The exploit works by using AF_ALG sockets combined with the splice() system call to pass file-backed pages into the crypto subsystem, triggering memory corruption in the page cache. This corruption is transient but immediately exploitable, allowing attackers to escalate privileges to root by corrupting in-memory copies of setuid binaries or user account files. The vulnerability affects Linux kernels built between 2017 and the patch release in 2026 and impacts most mainstream Linux distributions.
The root cause is a flawed optimization that attempts to operate in-place on cryptographic data, which was reverted in the patch to operate out-of-place, separating source and destination mappings to prevent writable page-cache pages. The vulnerability was discovered using AI-driven audit tools and publicly disclosed in April 2026.
How can this vulnerability impact me? :
This vulnerability allows any unprivileged local user on a vulnerable Linux system to escalate their privileges to root. This means an attacker who already has some form of local accessβsuch as a low-privileged user account or access through a containerβcan exploit this flaw to gain full administrative control over the system.
The exploit can corrupt in-memory copies of critical setuid binaries or system files, enabling attackers to spawn root shells or modify user account privileges without altering the files on disk. This can lead to complete system compromise, including unauthorized access to sensitive data, installation of persistent backdoors, or disruption of system operations.
Environments particularly at risk include multi-tenant hosts, Kubernetes clusters, continuous integration runners, cloud SaaS platforms, and standard servers where multiple users or containers share the same kernel. The vulnerability also enables container escapes because the page cache is shared across container boundaries.
Mitigation requires patching the kernel or disabling the vulnerable algif_aead module, which has minimal impact on most systems unless they explicitly use AF_ALG cryptographic interfaces.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2026-31431 involves identifying if the vulnerable kernel module 'algif_aead' is loaded or available on the system, as exploitation requires local access and use of the AF_ALG socket interface. Since the vulnerability is local and kernel-based, network detection is not applicable.
You can check if the vulnerable module is loaded by running the command:
- lsmod | grep algif_aead
To check if the module is available but not loaded:
- modinfo algif_aead
Additionally, since the exploit uses AF_ALG sockets and the splice() system call, monitoring for unusual usage of AF_ALG sockets or suspicious local processes invoking these interfaces may help detect exploitation attempts.
There is a publicly available proof-of-concept Python script named 'copy_fail_exp.py' (Resource 1) that can be used to test if a system is vulnerable by attempting the exploit in a controlled environment.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps for CVE-2026-31431 include patching the Linux kernel to a version that includes the fix (mainline commit a664bf3d603d or later). This is the most effective way to eliminate the vulnerability.
If patching is not immediately possible, you can disable the vulnerable kernel module 'algif_aead' to prevent exploitation. This can be done by creating a configuration file such as '/etc/modprobe.d/disable-algif.conf' with the content:
- install algif_aead /bin/false
Then, unload the module if it is currently loaded:
- rmmod algif_aead
Disabling this module has minimal impact on most systems unless they explicitly use AF_ALG-based cryptographic operations, such as OpenSSL with the afalg engine.
Additionally, restricting untrusted users from creating AF_ALG sockets or limiting local user access can reduce the risk of exploitation.
Finally, monitor your systems for suspicious activity related to AF_ALG socket usage and privilege escalation attempts.