CVE-2026-31431, dubbed “Copy Fail”, is a high‑severity Linux kernel local privilege escalation in the algif_aead crypto socket interface that lets any local user gain root on most Linux systems built since 2017. With a public PoC available, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies until May 15, 2026, to patch or mitigate under BOD 22‑01.
CVE-2026-31431 was disclosed as a logic flaw in the Linux kernel’s algif_aead module, the AEAD interface of the AF_ALG userspace crypto API. The bug stems from a 2017 in‑place performance optimization that incorrectly handles resource transfer between memory “spheres,” leading to controlled corruption of page‑cache data.
The vulnerability is categorized under CWE‑699 (Other Injection/Resource Transfer Issues) and CWE‑669 (Incorrect Resource Transfer Between Spheres), with a CVSS v3 base score reported around 7.8 (High).
It affects a wide range of mainstream Linux distributions that shipped kernels derived from the vulnerable code path between 2017 and the upstream fix committed in early April 2026.
Linux Kernel ‘Copy Fail’ Bug
In 2017, a kernel change (commit 72548b093ee3) modified algif_aead.c to perform AEAD operations in‑place, reusing the same buffer for source and destination data to squeeze out performance gains.
During decryption, the code copies associated data (AAD) and ciphertext from the TX scatter‑gather list into the RX buffer, but chains the authentication tag pages by reference using sg_chain(), then sets req->src = req->dst.
This design allows page‑cache pages, introduced via splice(), to be treated as writable elements in the destination scatter‑gather list, even though they back read‑only files such as setuid binaries.
When the authencesn code writes the authentication tag at dst[assoclen + cryptlen], it can overflow into these chained pages, corrupting arbitrary bytes in the cached backing file image.
From an attacker’s perspective, this yields a controlled 4‑byte page‑cache write primitive against any readable, page‑cache‑backed file, including setuid executables. A local unprivileged user can:
- Open a target setuid binary such as /usr/bin/su for reading.
- Use splice() to map its file‑backed pages into the AF_ALG tag buffer.
- Trigger AEAD decrypt operations via algif_aead with crafted lengths to overwrite specific offsets in the cached binary.
Because the corruption occurs in the page cache rather than on disk, the attacker bypasses file system integrity checks, avoids generating write I/O, and often evades EDR or inotify‑based monitoring. Repeated requests can patch multiple offsets, enabling the attacker to flip instructions or security checks in the setuid binary and then execute it to obtain a root shell.
Affected Versions and Impact
CERT‑EU and other advisories note that CVE-2026-31431 affects multiple long‑term and stable kernel lines, including series such as 4.14, 5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19, and 7.0 that incorporated the in‑place optimization.
Vendors are backporting the upstream fix, so the exact affected and fixed sub‑versions vary by distribution; administrators must refer to their distro’s security advisories to confirm exposure.
The vulnerability’s impact is classified as local privilege escalation (LPE): any authenticated user or compromised low‑privilege service can leverage Copy Fail to escalate to root, potentially achieving full system takeover.
Given its reliability (no race conditions, no need for a valid tag), its broad kernel coverage, and the availability of a public PoC exploit script, multiple security vendors and CERTs expect this bug to become a favored post‑compromise vector.
While there is not yet public confirmation of widespread ransomware adoption, CISA has added CVE-2026-31431 to its Known Exploited Vulnerabilities catalog, strongly implying observed or anticipated exploitation in the wild.
Under BOD 22‑01, U.S. federal civilian agencies must remediate all instances of this vulnerability by the enforced due date (May 15, 2026), either by patching or applying documented mitigations.
Mitigation
Upstream kernel maintainers resolved the issue by reverting algif_aead to out‑of‑place operation, removing the in‑place optimization and copying associated data directly, so that tag writes no longer touch page‑cache‑backed pages.
Fixes are present in the mainline commit a664bf3d603d and have been backported to stable releases such as 6.18.22, 6.19.12, as well as to equivalent vendor kernels.
For organizations, the primary remediation is:
- Patch the kernel:
- Apply your distribution’s security updates that reference CVE-2026-31431 or the Copy Fail LPE.
- Reboot affected hosts to load the patched kernel, verifying the running version (uname -r) against vendor advisories.
Where immediate patching is not feasible, security teams can deploy mitigations:
- Turn off the vulnerable crypto interface by blocklisting algif_aead and unloading the module:
    echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
    rmmod algif_aead
  This breaks AF_ALG AEAD interfaces but removes the exploit path.
- Restrict local access and harden multi‑user and shared compute environments (VDI, CI runners, jump hosts) where untrusted users can run code, as Copy Fail requires local execution capabilities.
- Monitor for suspicious AF_ALG and splice() usage patterns, especially on systems where algif_aead should not be used legitimately.
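The following POSIX shell helpers are an added example written for this page; they are not tooling from the kernel maintainers, any distribution, or the advisories cited above. They tie together the three remediation steps described in the text: comparing the running kernel against the stable fix versions the article quotes (6.18.22 and 6.19.12), writing and verifying the algif_aead modprobe blocklist, and emitting audit rules for AF_ALG socket creation and splice() calls. The function names are hypothetical, the auditctl rule syntax and the AF_ALG socket family number (38) are assumptions drawn from general knowledge rather than from the article, and the fix versions cover only the two series the article names, so any other series reports "unknown" and must be checked against the distribution advisory.

```shell
#!/bin/sh
# Added example, not part of the advisory or of any vendor tooling.
# Helpers for the three remediation steps described in the text:
#   1. check the running kernel against the stable fix versions the article lists,
#   2. apply/verify the algif_aead modprobe blocklist,
#   3. emit audit rules for the AF_ALG socket family and the splice() syscall.
# Assumptions: fix versions 6.18.22 and 6.19.12 are the ones quoted in the article;
# distribution kernels carry backports under their own version strings, so a status of
# "unknown" or even "vulnerable" here must be confirmed against the distro advisory.

# version_ge A B: exit 0 if dotted version A >= B. A trailing suffix such as
# "-generic" or "-amd64" on either argument is ignored.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*/, "", a); sub(/[^0-9.].*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# copyfail_status VERSION: 0 = at/above the listed stable fix for its series,
# 1 = below it, 2 = series not covered by the article (check the vendor advisory).
copyfail_status() {
    series=$(printf '%s\n' "$1" | cut -d. -f1-2)
    case $series in
        6.18) fixed=6.18.22 ;;
        6.19) fixed=6.19.12 ;;
        *)    return 2 ;;
    esac
    version_ge "$1" "$fixed"
}

# algif_aead_loaded [MODULES_FILE]: 0 if the module appears in /proc/modules
# (the path is a parameter so the check can be run against a saved copy).
algif_aead_loaded() {
    grep -q '^algif_aead ' "${1:-/proc/modules}" 2>/dev/null
}

# write_blocklist [CONF_DIR]: write the "install ... /bin/false" line from the
# advisory so modprobe refuses to load algif_aead; prints the file path on success.
write_blocklist() {
    dir=${1:-/etc/modprobe.d}
    conf="$dir/disable-algif.conf"
    printf 'install algif_aead /bin/false\n' > "$conf" && printf '%s\n' "$conf"
}

# print_audit_rules: auditd rules (assumed auditctl syntax; AF_ALG is socket
# family 38) that log AF_ALG socket creation and splice() calls by regular users,
# the two primitives the text says to monitor where algif_aead has no legitimate use.
print_audit_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S socket -F a0=38 -F auid>=1000 -F auid!=4294967295 -k cve_2026_31431_afalg
-a always,exit -F arch=b64 -S splice -F auid>=1000 -F auid!=4294967295 -k cve_2026_31431_splice
EOF
}

# Command-line entry point; nothing runs when the file is sourced without arguments.
case ${1:-} in
    check)
        running=$(uname -r)
        copyfail_status "$running"; rc=$?
        case $rc in
            0) echo "$running: at or above listed fix" ;;
            1) echo "$running: below listed fix, patch or mitigate" ;;
            *) echo "$running: series not listed, consult distro advisory" ;;
        esac
        algif_aead_loaded && echo "algif_aead is loaded" || echo "algif_aead not loaded"
        ;;
    mitigate)
        write_blocklist && rmmod algif_aead
        ;;
    audit-rules)
        print_audit_rules
        ;;
esac
```

Run it as `sh copyfail.sh check` to report status, `sh copyfail.sh mitigate` (as root) to write the blocklist and unload the module, and `sh copyfail.sh audit-rules >> /etc/audit/rules.d/copyfail.rules` to stage the monitoring rules. Two practical caveats: rmmod refuses to unload a module that is in use, so the status must be rechecked afterwards, and the blocklist has no effect on kernels that compile the AEAD userspace interface in rather than building it as a module, where only the patch removes the exploit path.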
Under BOD 22‑01, agencies must inventory all affected assets, prioritize remediation of KEV‑listed vulnerabilities, such as CVE-2026-31431, and document exceptions for systems that cannot be patched, applying compensating controls, such as network isolation.
A mature, “KEV‑first” rapid-remediation workflow covering detection, patch validation, change control, and operational rollout is critical given the short remediation window.
- Copy Fail (CVE-2026-31431) is a Linux kernel local privilege escalation in algif_aead that abuses incorrect resource transfer between memory spheres to corrupt page‑cache data in setuid binaries.
- The flaw affects most mainstream Linux distributions shipped since 2017 and has a reported CVSS score of 7.8, making it a high‑priority kernel security issue.
- A public PoC exploit reliably delivers root access for any local user without disk writes or race conditions, significantly lowering the barrier to exploitation for threat actors.
- Kernel updates reverting algif_aead to out‑of‑place operation are available, and administrators should patch immediately or disable algif_aead to meet BOD 22‑01 deadlines and reduce attack surface.
FAQ
Q1. What is CVE-2026-31431 (Copy Fail) in the Linux kernel?
CVE-2026-31431 is a high‑severity Linux kernel local privilege escalation in the algif_aead crypto interface that lets local users gain root by corrupting page‑cache‑backed files.
Q2. Which Linux versions are vulnerable to Copy Fail?
Kernels that include the 2017 algif_aead in‑place optimization, covering many 4.14, 5.x, 6.x, and early 7.0 releases used by mainstream distributions, are vulnerable until patched.
Q3. How can administrators mitigate CVE-2026-31431 if they cannot patch immediately?
Admins can temporarily mitigate by disabling and unloading the algif_aead module, restricting untrusted local code execution, and monitoring for abnormal AF_ALG and splice() use.
Q4. Why is CVE-2026-31431 listed in CISA’s Known Exploited Vulnerabilities catalog?
CISA added CVE-2026-31431 to the KEV catalog due to its broad impact, a reliable public exploit, and observed or expected exploitation, setting a May 15, 2026, remediation deadline under BOD 22‑01.
Site: thecybrdef.com