Linux Kernel 0‑Day “Copy Fail” (CVE‑2026‑31431)

-

 



What is “Copy Fail”?

Copy Fail is a high‑severity Linux kernel local privilege‑escalation (LPE) zero‑day vulnerability disclosed publicly on April 29–30, 2026 and tracked as CVE‑2026‑31431. ]

It allows any unprivileged local user to gain full root access on essentially every major Linux distribution released since 2017, using a tiny (≈732‑byte) Python exploit that works unchanged across distributions.

Root Cause (Technical Summary)

The bug is a logic flaw, not a race condition.

It lives in the Linux kernel’s cryptographic userspace API—specifically:

  • algif_aead.c
  • the AEAD (Authenticated Encryption with Associated Data) socket interface (AF_ALG)
  • the authencesn crypto template

A 2017 optimization allowed kernel operations to run in place on page‑cache memory. When combined with:

  • an AF_ALG socket
  • the splice() system call

…the kernel can be manipulated into performing a controlled 4‑byte write directly into page‑cache memory belonging to any readable file

Because page cache is what the kernel uses when executing binaries, modifying it is effectively the same as modifying the file—without touching disk.

Why This Is Dangerous

Copy Fail is considered unusually serious for several reasons:

 No race condition

Unlike Dirty COW or Dirty Pipe, this exploit is deterministic and reliable every run.  

 Tiny, portable exploit

A short Python script works on:

  • Ubuntu
  • RHEL / Rocky / Alma
  • Amazon Linux
  • SUSE
  • Debian, Fedora, Arch (implicitly affected)

No kernel offsets, no recompiling, no tuning required. 

 Stealthy (no disk changes)

Only RAM page cache is altered:

  • The on‑disk binary remains unchanged
  • File integrity monitoring, hashes, and forensic disk scans show nothing.  

 Container escape primitive

Page cache is shared across the host kernel, meaning:

  • A compromised container can modify cached setuid binaries
  • This can break out into the host or other containers
    This is critical for Kubernetes, CI runners, and multi‑tenant systems.

What an Attack Looks Like (High Level)

  1. Attacker has any local code execution (user account, CI job, compromised service).
  2. Uses an AF_ALG socket and splice() to trigger the flaw.
  3. Writes 4 bytes into the cached memory of a setuid binary (e.g. /usr/bin/su).
  4. Executes the binary → gains root shell.
  5. Reboot clears evidence.

Affected Systems

  • All Linux kernels built since 2017 (≈ kernel 4.14+)
  • All major distros unless explicitly patched.

Notably affected:

  • Ubuntu 20.04–24.04
  • Amazon Linux 2023
  • RHEL / Rocky / Alma / Oracle
  • SUSE
  • Debian / Fedora / Arch

Patch & Mitigation Status (as of Apr 30, 2026)

  • Upstream fix committed: April 1, 2026
    (Reverts the unsafe 2017 optimization)
  • Vendor patches: Rolling out; availability varies by distro
  • Public PoC: Available

Interim mitigations (if you cannot patch immediately):

  • Restrict or audit AF_ALG socket usage
  • Limit execution of untrusted code
  • Prioritize patching:
    1. Kubernetes nodes
    2. CI/CD runners
    3. Multi‑tenant systems

Why Security Professionals Are Alarmed

Bugcrowd and others note that Copy Fail combines properties that rarely appear together:

  • Universal
  • Reliable
  • Small
  • Cross‑container
  • Stealthy

This is the type of primitive that historically sold for six figures on exploit markets.

Bottom Line

Copy Fail is one of the most severe Linux local privilege‑escalation vulnerabilities ever disclosed.
If an attacker can run anything as a normal user, they can become root—quietly and reliably.

Patch immediately when vendor updates become available, and treat untrusted workloads as high risk until then.

If you want, I can:

  • Check your distro’s patch status
  • Explain detection options
  • Map this to CIS / compliance impact
  • Break down exploit mechanics in more depth

Popular posts from this blog

WSUS CVE-2025-59287 Mitigation

-
Image
CVE-2025-59287 is a critical Remote Code Execution (RCE) vulnerability affecting Windows Server Update Services (WSUS) . Here's a detailed breakdown of what it is, how it works, and what you should do about it: Overview Disclosed: October 2025 Patch Tuesday CVSS Score: 9.8 (Critical) Affected Systems: Windows Server 2012 through 2025 (including Server Core installations) Exploitability: Microsoft rates it as “Exploitation More Likely” Technical Details The vulnerability arises from unsafe deserialization of untrusted data in WSUS. Specifically, the GetCookie() endpoint in WSUS processes encrypted AuthorizationCookie objects without proper type validation. The deserialization occurs via .NET BinaryFormatter , which is known to be insecure when handling untrusted input. Attackers can send a crafted SOAP request to WSUS over port 8530 , containing a malicious AuthorizationCookie . The cookie is decrypted using a hardcoded AES key and then deserialized, allow...
Read more

Cloud Infrastructures are Having a Bad Week

-
Image
  Today’s disruptions across Microsoft Azure and Amazon Web Services (AWS) were significant, but they’re not signs of cloud computing’s demise. Instead, they underscore the risks of centralization and the importance of designing systems that can withstand provider-level failures. What happened today? • Microsoft Azure outage: Azure’s Front Door service suffered a major disruption due to a misconfiguration, impacting services like Outlook, Xbox, Microsoft 365, and even third-party platforms like Starbucks and Alaska Airlines. The Azure website states a little more than disruption. "Azure Front Door - Connectivity issues - Observing recovery Starting at approximately 16:00 UTC on 29 October 2025, customers and Microsoft services leveraging Azure Front Door (AFD) may have experienced latencies, timeouts, and errors. We have confirmed that an inadvertent configuration change was the trigger event for this issue. Affected Azure services may have included, but were not limited to: App S...
Read more

CVE-2025-58034 Fortinet Warnings and Mitigation

-
Image
Type: OS Command Injection vulnerability (CWE-78) Affected Product: Fortinet FortiWeb (Web Application Firewall) Affected Versions: 8.0.0 – 8.0.1 7.6.0 – 7.6.5 7.4.0 – 7.4.10 7.2.0 – 7.2.11 7.0.0 – 7.0.11 [nvd.nist.gov] , [cvedetails.com] Description The vulnerability is caused by improper neutralization of special elements used in OS commands . An authenticated attacker can exploit this flaw by sending crafted HTTP requests or CLI commands , allowing them to execute arbitrary code on the underlying system. This can compromise the integrity, confidentiality, and availability of the device. [nvd.nist.gov] , [cvedetails.com] Severity CVSS v3.1 Base Score: 7.2 (High) Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Impact: High on Confidentiality, Integrity, and Availability [cvedetails.com] Exploitation Status Actively Exploited: Yes. Fortinet confirmed expl...
Read more