Security Advisory 2026-005
CVE-2026-31431, dubbed 'Copy Fail', is a CVSS 7.8 local privilege escalation vulnerability in the Linux kernel's algif_aead module affecting kernels built since 2017. By chaining an AF_ALG socket operation with splice(), an unprivileged local user can overwrite page-cache-backed pages, such as those holding setuid binaries, to obtain root privileges. With a public PoC available and vendor patches pending, immediate mitigation by disabling the module or filtering AF_ALG sockets with seccomp is critical.
Authors: CERT-EU
Source: CERT-EU
Detection / Hunter
What Happened
A severe security flaw called 'Copy Fail' has been discovered in the core component (kernel) of most Linux operating systems released since 2017. This vulnerability affects servers, container environments, and standard Linux installations. It matters because it allows a regular, unprivileged user on the system to gain full administrative (root) control, and a blueprint for exploiting this flaw is already public while official updates are not yet available. Administrators should immediately apply the recommended temporary fixes, such as disabling the vulnerable 'algif_aead' module or restricting access in container environments, until official patches are released.
Key Takeaways
- CVE-2026-31431 ('Copy Fail') is a high-severity local privilege escalation vulnerability in the Linux kernel affecting distributions built since 2017.
- A public proof-of-concept exploit is available, but no vendor patches have been released as of April 30, 2026.
- The flaw resides in the algif_aead module and allows arbitrary 4-byte writes to page-cache-backed pages, enabling root access by targeting setuid binaries.
- Immediate mitigation involves disabling the algif_aead kernel module or blocking AF_ALG sockets via seccomp policies.
Affected Systems
- Linux distributions with kernels built since 2017
- Ubuntu 24.04 LTS (6.17.0-1007-aws)
- Amazon Linux 2023 (6.18.8-9.213.amzn2023)
- RHEL 10.1 (6.12.0-124.45.1.el10_1)
- SUSE 16 (6.12.0-160000.9-default)
- Debian
- Arch Linux
- Fedora
- Rocky Linux
- AlmaLinux
- Oracle Linux
- Kubernetes nodes
- CI/CD runners
Vulnerabilities (CVEs)
- CVE-2026-31431
Attack Chain
An unprivileged local attacker initiates the exploit by opening an AF_ALG socket to interact with the kernel's userspace crypto API. The attacker then chains this socket operation with the splice() system call. Due to a flaw in the algif_aead module, this allows the attacker to perform a controlled 4-byte write to an arbitrary page-cache-backed page. By targeting a setuid binary like /usr/bin/su, the attacker overwrites critical instructions or data, subsequently executing the modified binary to obtain a root shell.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: Native OS commands
The advisory provides a native Linux command (lsof) to assess exposure by listing processes that currently hold AF_ALG sockets. This is a point-in-time check: an empty result only shows that nothing is using the API at that moment, not that the algif_aead module is absent, so pair it with a check of whether the module is currently loaded (lsmod) before concluding a host is not exposed.
Detection Engineering Assessment
- EDR Visibility: Medium. EDR may not see the kernel-level splice() manipulation itself, but might detect the subsequent anomalous execution of a modified setuid binary or an unexpected root shell spawned from an unprivileged process.
- Network Visibility: None. This is a purely local privilege escalation vulnerability with no network component described.
- Detection Difficulty: Hard. Detecting the exploitation itself requires deep system call monitoring (e.g., tracking splice() in combination with AF_ALG sockets), which is noisy and rarely logged by default. Detection relies heavily on post-exploitation behavior.
Required Log Sources
- Process Execution Logs
- System Call Logs (auditd)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unprivileged processes unexpectedly spawning root shells or modifying known setuid binaries like /usr/bin/su. | Process execution events (e.g., auditd execve) and file modification events. | Privilege Escalation | Low |
| Monitor for unusual usage of the AF_ALG socket family by processes that do not typically perform cryptographic operations. | System call logs (auditd monitoring socket creation). | Execution | Medium |
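The assessment above notes that the exploit's own system calls are rarely logged by default. The following is an added example, not code from the CERT-EU advisory, of what that syscall monitoring looks like in practice: two auditd rules that log socket(AF_ALG, ...) and splice(), a few constructed audit.log records, and a POSIX awk filter that correlates the two calls per process, which is the second hunting hypothesis in the table turned into detection logic. The syscall numbers (socket = 41, splice = 275 on x86_64), the AF_ALG value 38 (logged by auditd in hex as a0=26) and the sample records are assumptions of this example, not data from the advisory.

```shell
#!/bin/sh
# Added example (not part of the CERT-EU advisory): auditd rules for the
# AF_ALG + splice() pattern from the Attack Chain section, plus a small
# correlation filter to run over the resulting audit.log.
#
# Assumptions not stated on the page:
#  - x86_64 audit ABI: socket() is syscall 41, splice() is syscall 275
#  - AF_ALG is address family 38, which auditd logs in hex as a0=26
#  - raw /var/log/audit/audit.log line format (SYSCALL records)

# Rules for `auditctl -R rules.file` or a file under /etc/audit/rules.d/.
# Only socket() calls whose first argument is AF_ALG are logged, so that rule
# stays quiet; splice() is logged in full and is the noisier of the two.
audit_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg
-a always,exit -F arch=b64 -S splice -k af_alg_splice
EOF
}

# Constructed sample records (abridged; real records carry more fields).
# pid 2045 opens an AF_ALG socket and then calls splice(); pid 811 only
# calls splice(), which on its own is normal behaviour for many daemons.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1777507200.101:501): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=2001 pid=2045 auid=1000 uid=1000 comm="poc" exe="/tmp/poc" key="af_alg"
type=SYSCALL msg=audit(1777507200.104:502): arch=c000003e syscall=275 success=yes exit=4 a0=4 a1=0 a2=3 a3=0 items=0 ppid=2001 pid=2045 auid=1000 uid=1000 comm="poc" exe="/tmp/poc" key="af_alg_splice"
type=SYSCALL msg=audit(1777507200.200:503): arch=c000003e syscall=275 success=yes exit=4096 a0=5 a1=0 a2=6 a3=0 items=0 ppid=1 pid=811 auid=4294967295 uid=33 comm="nginx" exe="/usr/sbin/nginx" key="af_alg_splice"
EOF
}

# Read audit records on stdin; print "pid uid exe" once for every process
# that opened an AF_ALG socket and afterwards called splice().
hunt_af_alg_splice() {
    awk '
    # Extract the value of " name=value" from the current record; the leading
    # space keeps "pid=" from matching inside "ppid=". Quotes are stripped.
    function field(name,    v) {
        if (!match($0, " " name "=[^ ]+")) return ""
        v = substr($0, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
        gsub(/"/, "", v)
        return v
    }
    /type=SYSCALL / && / syscall=41 / && / a0=26 / { alg[field("pid")] = 1 }
    /type=SYSCALL / && / syscall=275 / {
        p = field("pid")
        if ((p in alg) && !(p in seen)) {
            seen[p] = 1
            print p, field("uid"), field("exe")
        }
    }'
}

# Demonstration on the constructed records; prints one line for pid 2045.
sample_audit_log | hunt_af_alg_splice
```

On a real host, load the rules with `auditctl -R` and feed records with `ausearch --raw -ts today | hunt_af_alg_splice`. Only the combination is flagged: splice() alone is routine for copy tools, web servers and container runtimes, and legitimate AF_ALG users exist as well, which is why the table rates that hypothesis at medium false-positive risk. Treat a hit as a lead for the first hypothesis (check the flagged process tree for root shells and for writes to setuid binaries), not as proof of exploitation.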
Control Gaps
- Lack of seccomp profiles in containerized environments
- Unpatched Linux kernels
Key Behavioral Indicators
- Unexpected modification of page-cache-backed setuid binaries
- Anomalous root shell execution from standard user contexts
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Disable the algif_aead kernel module persistently using modprobe configuration.
- Unload the algif_aead module from running kernels using rmmod. This fails while the module is in use, leaving the exposure until reboot, and neither rmmod nor the modprobe configuration applies where the code is built into the kernel rather than loaded as a module; there only seccomp and vendor patches help.
- Block AF_ALG socket creation via seccomp policies on all containerized workloads and pipelines.
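The three mitigation steps above as one script with a verification step. This is an added example, not the advisory's own tooling: target paths are parameters so the file-generating parts can be exercised without root, and the defaults are the locations the advisory names. The seccomp profile format (Docker/containerd JSON), the AF_ALG value 38 as socket()'s first argument, the EAFNOSUPPORT errno value and the /boot/config-$(uname -r) location of the kernel config are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the CERT-EU advisory: the Immediate Mitigation
# steps as one script with verification. Paths are parameters so the
# file-generating pieces can be exercised without root; defaults are the
# standard locations used in the advisory.
#
# Assumptions not stated on the page: x86_64 hosts, AF_ALG = 38 as the first
# argument of socket(), the Docker/containerd seccomp profile JSON format,
# and the conventional /boot/config-$(uname -r) location of the kernel config.

MODULE=algif_aead

module_loaded() {
    grep -q "^$MODULE " /proc/modules 2>/dev/null
}

# If the code is built into the kernel (=y) rather than a module (=m),
# neither the install line nor rmmod can remove it; only seccomp and
# patching apply.
module_builtin() {
    grep -q '^CONFIG_CRYPTO_USER_API_AEAD=y' "/boot/config-$(uname -r)" 2>/dev/null
}

# Step 1: persistent disable. "install <mod> /bin/false" makes every load
# attempt (manual or automatic, on any later boot) run /bin/false instead.
disable_module_persistently() {
    dir="${1:-/etc/modprobe.d}"
    printf 'install %s /bin/false\n' "$MODULE" > "$dir/disable-algif.conf"
}

# Step 2: unload from the running kernel. rmmod refuses while the module is
# in use (refcount > 0); the exposure then remains until a reboot.
unload_module() {
    if module_loaded; then
        rmmod "$MODULE"
    fi
}

# Verification: module absent from the running kernel and install line in place.
verify_mitigation() {
    dir="${1:-/etc/modprobe.d}"
    ! module_loaded && grep -qx "install $MODULE /bin/false" "$dir/disable-algif.conf"
}

# Step 3: seccomp profile that makes socket(AF_ALG, ...) fail with
# EAFNOSUPPORT (97), so the family simply looks unsupported to the workload.
# Apply with: docker run --security-opt seccomp=deny-af-alg.json ...
seccomp_deny_af_alg() {
    cat <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 97,
      "args": [
        { "index": 0, "value": 38, "op": "SCMP_CMP_EQ" }
      ]
    }
  ]
}
EOF
}

# Run as root with `sh mitigate.sh apply` to perform steps 1 and 2 on this host.
if [ "${1:-}" = "apply" ]; then
    if module_builtin; then
        echo "$MODULE is built into this kernel: rely on seccomp and vendor patches" >&2
        exit 1
    fi
    disable_module_persistently
    unload_module
    if verify_mitigation; then
        echo "$MODULE disabled and unloaded"
    else
        echo "mitigation incomplete: check lsmod and /etc/modprobe.d" >&2
        exit 1
    fi
fi
```

The profile above allows everything except socket(AF_ALG) so that the rule is easy to read; in production, add the `socket` entry to a copy of the runtime's default seccomp profile rather than shipping an allow-by-default profile, otherwise the other syscall restrictions the default profile provides are lost. Re-run `verify_mitigation` after any kernel update, since a new kernel package can ship the module again.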
Infrastructure Hardening
- Apply vendor-provided kernel updates as soon as they become available.
- Prioritize patching and mitigation on Kubernetes nodes and CI/CD runners exposed to untrusted workloads.
User Protection
- N/A
Security Awareness
- N/A
MITRE ATT&CK Mapping
- T1068 - Exploitation for Privilege Escalation
- T1548.001 - Abuse Elevation Control Mechanism: Setuid and Setgid
Additional IOCs
- Urls:
hxxps://copy[.]fail - Researcher advisory and details for the Copy Fail vulnerability
- File Paths:
/etc/modprobe.d/disable-algif.conf - Configuration file used to persistently disable the vulnerable algif_aead module
/usr/bin/su - Example setuid binary targeted by the exploit to gain root privileges
- Command Lines:
- Purpose: Assess exposure to AF_ALG socket usage | Tools: lsof, grep | Stage: Discovery | Command: `lsof | grep AF_ALG`
- Purpose: Disable algif_aead kernel module persistently | Tools: echo, modprobe | Stage: Mitigation | Command: `echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf`
- Purpose: Remove algif_aead module from running kernel | Tools: rmmod | Stage: Mitigation | Command: `rmmod algif_aead`