[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fuoCgqhdwW7P810OdRYNWZbkiXHRxjEUXk21uzTIxdmQ":3},{"article":4,"iocs":39},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"838e9cab-41f4-44bd-8ce5-4473b88947e8","Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years","copy-fail-what-you-need-to-know-about-the-most-severe-linux-threat-in-years-89c04a","Copy Fail (CVE-2026-31431) is a critical Linux kernel LPE that allows stealthy root access. This flaw impacts millions of systems. Read our analysis.","CVE-2026-31431 (Copy Fail) is a deterministic local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem affecting versions 4.14–6.19.12. The flaw stems from a 2017 in-place optimization bug in the algif_aead module that allows attackers to write four controlled bytes into the kernel's file page cache, enabling them to corrupt setuid-root binaries in memory and gain root access without leaving traces on disk. This impacts millions of systems running Ubuntu, RHEL, Debian, SUSE, and other major distributions, with particular severity for Kubernetes containers and multi-tenant hosts.","Critical Linux kernel LPE vulnerability CVE-2026-31431 allows unprivileged local attackers to escalate to root across","Threat Research CenterHigh Profile ThreatsVulnerabilities Vulnerabilities Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years 6 min read Related ProductsCortexCortex CloudCortex XDRCortex XSIAMUnit 42 Incident Response By:Justin Moore Published:May 5, 2026 Categories:High Profile ThreatsVulnerabilities Tags:ContainersCVE-2026-31431KubernetesLinuxLocal privilege escalationPage cacheVulnerability Share Executive Summary On April 29, 2026, researchers publicly disclosed a highly reliable local privilege escalation (LPE) vulnerability tracked as CVE-2026-31431. This vulnerability is commonly referred to as Copy Fail. Discovered in about an hour through an AI-assisted process, this logic flaw allows an unprivileged local attacker to consistently escalate their access to root across virtually all major Linux distributions released since 2017. Unlike many kernel vulnerabilities, this logic flaw is deterministic, meaning it does not rely on race conditions or specific kernel offsets. A single 732-byte Python script can successfully exploit it without any modification across different Linux distributions. The vulnerability originates in the Linux kernel's cryptographic subsystem, specifically within the algif_aead module of the AF_ALG interface (a user space crypto API). Rather than a single coding error, the flaw resulted from a combination of three independent updates: The addition of the authencesn algorithm in 2011 The AF_ALG interface gaining AEAD support in 2015 A fatal in-place optimization introduced in 2017 During cryptographic operations, an in-place optimization bug causes the algorithm to use the destination buffer improperly, writing four controlled bytes past the legitimate region directly into the system's file page cache. Impacted versions include Linux kernels between 4.14 and 6.19.12. This vulnerability affects millions of systems running mainstream distributions such as Ubuntu, Amazon Linux, Red Hat Enterprise Linux, Debian, SUSE and AlmaLinux. An attacker with standard local access can exploit this vulnerability to maliciously modify the in-memory cache of privileged executable files (like su or sudo) without alerting integrity checks, as the physical files on disk remain unchanged. Because the kernel and its page cache are shared across an entire node, this flaw allows attackers to: Easily break out of Kubernetes containers Overtake multi-tenant hosts Compromise continuous integration and continuous delivery (CI\u002FCD) pipelines We strongly urge organizations to patch their systems immediately by applying vendor-issued kernel updates. Palo Alto Networks customers receive protections from and mitigations for CVE-2026-31431 through the following products: Cortex Cloud Cortex XDR and XSIAM The Linux Foundation has posted an advisory with mitigation details for CVE-2026-314331. Palo Alto Networks highly recommends applying vendor-issued kernel updates immediately. If this option is not feasible, we recommend following interim mitigation guidance to disable the vulnerable module until patches can be applied. The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk. Vulnerabilities Discussed CVE-2026-31431 Details of CVE-2026-31431 The vulnerability tracked as CVE-2026-31431, known as Copy Fail, is a deterministic logic flaw located in the Linux kernel's cryptographic subsystem, specifically within the algif_aead module of the AF_ALG interface. The Root Cause The flaw originates from a buggy in-place optimization introduced to the Linux kernel in 2017 (commit 72548b093ee3) for AEAD encryption. This 2017 in-place optimization specifically caused req->src and req->dst to point to a combined scatterlist. Because of this, the page cache pages from the splice() call were improperly chained directly into the writable destination scatterlist. During cryptographic operations, the authencesn algorithm improperly uses the caller's destination buffer as a scratch pad. Because of this, it writes four controlled bytes past the legitimate output region, crossing a chained scatterlist boundary, and fails to restore them. The patch (commit a664bf3d603d) fixes this by reverting the module to out-of-place operation, separating the source and destination scatterlists so that the page cache pages remain strictly in the read-only source. Mechanism of Action An unprivileged attacker can exploit this memory handling error by misusing the interaction between the AF_ALG socket interface and the splice() system call. When splice() hands page-cache pages into the crypto subsystem, the vulnerability allows the attacker to direct that four-byte overwrite straight into the kernel's file page cache. The authencesn algorithm is used for IPsec extended sequence number (ESN) support and uses the destination buffer as a scratch pad to rearrange these sequence numbers. The attacker controls the exact four-byte overwrite value by supplying the seqno_lo (the low half of the sequence number) inside bytes 4–7 of the Associated Authenticated Data (AAD) during the sendmsg() call. Exploitation Via the Page Cache The page cache is the temporary in-memory copy of a file that the kernel reads when it loads a binary for execution. An attacker can leverage the four-byte overwrite to target the page cache of any readable setuid-root binary, such as \u002Fusr\u002Fbin\u002Fsu, sudo or passwd. The attacker controls exactly where the overwrite happens by manipulating the splice offset, the splice length and the assoclen (associated length) parameters. This allows them to specifically target the .text section of a setuid binary like \u002Fusr\u002Fbin\u002Fsu to inject their shellcode. Privilege escalation: Modifying the cached copy of the binary alters its execution context. When the binary is executed, it grants the attacker superuser (UID 0) privileges, effectively breaking the kernel's trust boundaries. Stealth: Because this corruption occurs entirely in the system's RAM, the physical file on the disk remains completely unmodified. This bypasses traditional virtual file system (VFS) paths and file integrity monitoring tools. Once the page is evicted from memory or the system reboots, the cache reloads clean from the disk, leaving no trace of the compromise. Exploit Characteristics What makes Copy Fail exceptionally severe compared to previous Linux LPE vulnerabilities like Dirty Cow or Dirty Pipe is its reliability and simplicity: No race conditions or offsets: It is a straight-line logic flaw that does not rely on winning a race condition window or guessing kernel-specific memory offsets. 100% reliability: The exploit is deterministic and fires successfully on the first attempt. High portability: The exploit can be executed using a standalone 732-byte Python script that relies solely on standard libraries (os, socket, zlib), meaning no compilation or external dependencies are required. This same script works unmodified across virtually all major Linux distributions shipped since 2017. Interim Guidance for CVE-2026-31431 The vulnerability has been resolved in upstream Linux kernel stable branches by reverting the flawed 2017 optimization (commit a664bf3d603d). If immediate patching is not possible, administrators should implement an interim mitigation by disabling the affected algif_aead module. This can be accomplished by running the following commands as root to block the module's loading and remove it from the kernel: echo \"install algif_aead \u002Fbin\u002Ffalse\" > \u002Fetc\u002Fmodprobe.d\u002Fdisable-algif.conf rmmod algif_aead The Linux Foundation has posted an advisory with mitigation details for CVE-2026-314331. Unit 42 Managed Threat Hunting Queries The Unit 42 Managed Threat Hunting team continues to track any attempts to exploit this CVE across our customers, using Cortex XDR and the XQL queries below. Cortex XDR customers can also use these XQL queries to search for signs of exploitation. \u002F\u002F Title: CopyFail Detection via Non-root ","https:\u002F\u002Fbit.ly\u002F4cTVWgs","https:\u002F\u002Forigin-unit42.paloaltonetworks.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002F05_Vulnerabilities_1920x900-2-1.jpg","2026-05-05T23:20:07+00:00","2026-05-06T00:00:10.753+00:00",9,[18,21,23,26,28,30],{"name":19,"type":20},"Linux kernel","technology",{"name":22,"type":20},"AF_ALG interface",{"name":24,"type":25},"Ubuntu","product",{"name":27,"type":25},"Red Hat Enterprise Linux",{"name":29,"type":25},"Kubernetes",{"name":31,"type":32},"Palo Alto Networks","vendor","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":33,"icon":35,"name":36,"slug":37},null,"Vulnerabilities","vulnerabilities",[],[40],{"type":41,"value":42,"context":43},"cve","CVE-2026-31431","Critical Linux kernel local privilege escalation vulnerability in algif_aead module"]