Security researchers at Theori have disclosed a high-severity local privilege escalation (LPE) vulnerability (CVE-2026-31431) in the Linux kernel.
The flaw, nicknamed “Copy Fail”, has affected virtually every major Linux distribution shipped since 2017, and a working proof-of-concept (PoC) exploit is publicly available.
About CVE-2026-31431
According to Theori researchers, CVE-2026-31431 originates from the interaction of three reasonable kernel changes made over several years: the addition of authencesn (an AEAD cryptographic wrapper used by IPsec) in 2011, the introduction of AF_ALG AEAD socket support in 2015, and an in-place optimization added to algif_aead.c in 2017.
It’s a logic bug in the authencesn cryptographic template and allows an unprivileged local user to write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root.
The technical write-up is more detailed, of course.
The good news is that CVE-2026-31431 exploitation requires local code execution as a regular user, which means that, by itself, it can’t be exploited remotely. But “chain it with anything that gives you that (web RCE landing in an unprivileged service account, an SSH foothold, a malicious PR on a CI runner) and you’re root,” the researchers pointed out.
The bad news is that unlike the Dirty Cow and Dirty Pipe Linux kernel LPE vulnerabilities, Copy Fail can be exploited without having to win a race condition, and the same exploit will work on many systems.
What to do?
CVE-2026-31431 affects every Linux distribution that uses a kernel that has been released since 2017.
The exploit script is tiny, doesn’t rely on additional software being installed, works on almost all Linux distributions released since 2017, succeeds every time it’s run on a vulnerable system, doesn’t change files on disk (so it won’t be flagged by file-integrity monitoring tools and leaves no forensic trace on disk) and, finally, can break out of container isolation.
For all of these reasons, the researchers advise admins to prioritize patching the vulnerability on multi-tenant Linux systems, CI runners, cloud SaaS running user code, and container clusters first, and then on standard Linux servers and single-user workstations:
CopyFail patching prioritization (Source: Theori)
The researchers verified that Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16 are vulnerable. Openwall Project founder Alexander Peslyak (aka Solar Designer) confirmed that the exploit provided worked on Rocky Linux 9.7.
Linux distros have been notified of the existence of the vulnerability in advance, they say, and some have already released kernel packages that include the commit that patched it.
Admins/users who, for whatever reason, can’t update their distribution’s kernel package, can temporarily mitigate the risk by:
- Blocking AF_ALG socket creation via seccomp, or
- Blacklisting the algif_aead module.