New Linux ‘Copy Fail’ flaw gives hackers root on major distros

Published:

30 April 2026 at 13:54:47

Alert date:

30 April 2026 at 14:01:10

Source:

bleepingcomputer.com

Operating Systems, Zero-Day Vulnerabilities

A local privilege escalation vulnerability dubbed 'Copy Fail' affects Linux kernels released since 2017. The flaw allows unprivileged local attackers to gain root permissions on major Linux distributions. An exploit has been published for this vulnerability, making it a high-priority security concern for Linux systems. The vulnerability impacts multiple major Linux distributions and has been present in kernels for several years, indicating a wide attack surface.

Technical details

Copy Fail (CVE-2026-31431) is a logic bug in the Linux kernel's cryptographic template that allows an authenticated user to perform a 4-byte write into the page cache of any readable file on the system. The vulnerability combines the AF_ALG socket-based interface with the splice() system call to make controlled writes to the page cache instead of a normal buffer. If these 4 bytes hit a setuid-root binary, they can alter its behavior when executed, giving the attacker root privileges. The flaw was introduced in 2017 when the Linux kernel team added an 'in-place' optimization to the crypto path, reusing the same buffer rather than keeping input and output separate.

Mitigation steps:

Update to patched Linux kernel versions 6.18.22, 6.19.12, or 7.0
As interim mitigation, disable the vulnerable crypto interface to block AF_ALG socket creation
Disable the algif_aead module using: echo 'install algif_aead /bin/false' > /etc/modprobe.d/disable-algif.conf
Remove algif_aead module: rmmod algif_aead
Prioritize patching for multi-tenant Linux hosts, Kubernetes/container clusters, CI runners/build farms, and cloud SaaS running user code
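
To verify that the interim mitigation above has actually taken effect on a host, the following shell check can be used. It is an added example, not part of the original advisory; the function names and the four state labels are assumptions made here, and file paths are parameters so the logic can be run against constructed files.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the interim algif_aead mitigation.
# File paths are parameters so the checks can be run against constructed files.

# 0 if the module is compiled into the kernel; a modprobe.d "install" override
# and rmmod have no effect on built-in code.
module_builtin() {   # $1 = module, $2 = modules.builtin file
    f="${2:-/lib/modules/$(uname -r)/modules.builtin}"
    [ -r "$f" ] && grep -q "/$1\.ko" "$f"
}

# 0 if the module is currently loaded (first field of /proc/modules).
module_loaded() {    # $1 = module, $2 = /proc/modules-style file
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' \
        "${2:-/proc/modules}" 2>/dev/null
}

# 0 if an uncommented "install <module> /bin/false" line exists in any *.conf.
# modprobe treats "-" and "_" in module names as equivalent, so normalise.
module_blocked() {   # $1 = module, $2 = modprobe.d directory
    dir="${2:-/etc/modprobe.d}"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$1" '
            $1 == "install" { n = $2; gsub(/-/, "_", n)
                              if (n == m && $3 == "/bin/false") found = 1 }
            END { exit !found }' "$f" && return 0
    done
    return 1
}

# Prints one state label: builtin | loaded | blocked | exposed
mitigation_state() { # $1 = module, $2 = modules file, $3 = modprobe.d dir, $4 = builtin file
    if   module_builtin "$1" "${4:-}"; then echo builtin
    elif module_loaded  "$1" "${2:-}"; then echo loaded
    elif module_blocked "$1" "${3:-}"; then echo blocked
    else echo exposed
    fi
}

mitigation_state algif_aead
```

"loaded" means the rmmod step is still outstanding even if the override file exists; "builtin" means neither interim step applies and only the kernel update helps.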

Affected products:

Linux kernel versions released since 2017
Ubuntu 24.04 LTS
Amazon Linux 2023
RHEL 10.1
SUSE 16
Fedora 42
Linux kernel version 6.18.22
Linux kernel version 6.19.12
Linux kernel version 7.0
Linux kernel version 4.14

IOCs:

732-byte Python-based exploit script, AF_ALG socket-based interface usage, splice() system call exploitation, algif_aead module exploitation

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.