CVE-2026-31431 ("Copy Fail"): Critical Linux Privilege Escalation Vulnerability Explained

29 April 2026

CVE-2026-31431 ("Copy Fail") is a Linux kernel vulnerability enabling stealthy privilege escalation to root. Learn about the impact, affected systems, and mitigation steps.

On 29 April 2026, a new Linux kernel vulnerability (CVE-2026-31431), known as "Copy Fail", was publicly disclosed. The vulnerability affects the AF_ALG interface (algif_aead) and allows an unprivileged local user to escalate privileges to root on most modern Linux distributions.

Why this vulnerability is high risk

What makes CVE-2026-31431 particularly dangerous is its stealthy exploitation technique. Attackers can corrupt the page cache of setuid binaries (such as /usr/bin/su) in memory, without modifying the file on disk. Traditional file-integrity monitoring tools, which hash the on-disk file, are therefore unlikely to detect the compromise.

Although officially rated as "High" (CVSS 7.8), the real-world risk is elevated due to:

  • Publicly available proof-of-concept exploit
  • Reliable exploitation across major Linux distributions
  • No need for architecture-specific adjustments
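Because the tampering described above lives in the page cache rather than on disk, one defensive check is to hash a setuid binary twice: once through an ordinary buffered read (which returns whatever is in the page cache) and once with O_DIRECT (which bypasses the cache and reads the block device). The script below is an added example and not part of the DEFION advisory; it assumes GNU coreutils (dd, sha256sum) and a filesystem that supports O_DIRECT (ext4 and xfs do; tmpfs and some overlay setups do not). The list of binaries and the --check flag are this script's own conventions.

```shell
#!/bin/sh
# Added example, not from the DEFION advisory: compare the page-cache view of a
# file (buffered read) with a direct read from disk (O_DIRECT). Cached pages that
# differ from the on-disk content are the case a disk-hashing FIM tool misses.
# Assumptions: GNU coreutils and a filesystem that supports O_DIRECT.

sha256_of_stdin() {
    sha256sum | cut -d' ' -f1
}

# Hash the file as seen through the page cache (ordinary buffered read).
cached_hash() {
    sha256_of_stdin < "$1"
}

# Hash the file as read straight from the block device, bypassing the cache.
# Prints nothing and returns 2 if O_DIRECT is not supported for this file.
direct_hash() {
    tmp=$(mktemp) || return 2
    if dd if="$1" of="$tmp" iflag=direct bs=4096 2>/dev/null; then
        sha256_of_stdin < "$tmp"
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# Returns 0 if cache and disk agree, 1 if they differ, 2 if the check could not run.
compare_cache_vs_disk() {
    c=$(cached_hash "$1") || return 2
    d=$(direct_hash "$1") || return 2
    [ "$c" = "$d" ]
}

# Usage: sh cache-check.sh --check   (hypothetical file name and flag)
if [ "${1:-}" = "--check" ]; then
    status=0
    for bin in /usr/bin/su /usr/bin/sudo /usr/bin/passwd; do
        [ -f "$bin" ] || continue
        compare_cache_vs_disk "$bin"
        case $? in
            0) echo "OK        $bin" ;;
            1) echo "MISMATCH  $bin  (page cache differs from disk)"; status=1 ;;
            *) echo "SKIPPED   $bin  (O_DIRECT unsupported)" ;;
        esac
    done
    exit $status
fi
```

A MISMATCH is a strong signal and the host should be treated as compromised, but an OK result is only meaningful for pages currently resident in the cache: after a reboot or a drop of the page cache the corrupted pages are gone and the two hashes will agree again, so run the check before taking the host down for forensics.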

Affected systems and environments

The vulnerability impacts a wide range of Linux environments, including:

  • Multi-user Linux servers
  • Container hosts (shared kernel and page cache)
  • CI/CD pipelines and build systems
  • Jump servers and shared hosting environments

Containerized platforms are especially at risk, as a local compromise inside a container may escalate into host-level access.

Mitigation and recommended actions

Organizations should act quickly to reduce exposure:

  • Apply vendor kernel patches as soon as available
  • Temporarily blacklist the algif_aead module
  • Restrict AF_ALG socket creation via seccomp or LSM policies
  • Review container runtime security configurations
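The interim step of blacklisting algif_aead has a few practical wrinkles that the bullet above does not cover: a plain "blacklist" line only stops alias-based autoloading and is bypassed by an explicit modprobe, an already-resident module has to be unloaded separately, and a kernel with the code built in (not as a module) cannot be helped by modprobe configuration at all. The script below is an added example, not DEFION's or any vendor's tooling; it assumes a kmod-based distribution with /etc/modprobe.d, and the conf file path and --apply flag are its own conventions.

```shell
#!/bin/sh
# Added example, not from the DEFION advisory: interim hardening until a vendor
# kernel patch is applied. Blocks loading of algif_aead via modprobe
# configuration and unloads it if it is already resident.
# Assumptions: a distribution using kmod (modprobe, /etc/modprobe.d); the
# conf path and the --apply flag are this script's own conventions.

MODULE="algif_aead"
CONF="${MODPROBE_CONF:-/etc/modprobe.d/disable-${MODULE}.conf}"

# 0 if the module is currently loaded (first field of /proc/modules).
module_loaded() {
    grep -q "^$1 " /proc/modules 2>/dev/null
}

# 0 if the module is compiled into the kernel rather than built as a module;
# modprobe rules have no effect in that case and only a patched kernel or a
# seccomp/LSM policy on AF_ALG sockets helps.
module_builtin() {
    grep -q "/$1\.ko" "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null
}

# Write a modprobe rule. 'install <mod> /bin/false' makes both manual and
# alias-triggered loading fail; a plain 'blacklist <mod>' line only stops
# alias-based autoloading and is bypassed by an explicit modprobe.
write_block_rule() {
    printf 'install %s /bin/false\n' "$1" > "$2"
}

# 0 if the conf file already carries the install rule for the module.
block_rule_present() {
    [ -f "$2" ] && grep -q "^install $1 /bin/false" "$2"
}

# Usage (as root): sh block-algif-aead.sh --apply   (hypothetical file name)
if [ "${1:-}" = "--apply" ]; then
    if module_builtin "$MODULE"; then
        echo "$MODULE is built into the kernel; modprobe rules cannot disable it" >&2
        exit 2
    fi
    block_rule_present "$MODULE" "$CONF" || write_block_rule "$MODULE" "$CONF"
    if module_loaded "$MODULE"; then
        modprobe -r "$MODULE" || { echo "$MODULE is in use; unload failed" >&2; exit 1; }
    fi
    echo "$MODULE blocked via $CONF"
fi
```

The seccomp alternative from the list above targets the socket() call itself: on Linux AF_ALG is address family 38, so a container or service seccomp profile that returns an error for socket() with that domain removes the attack surface regardless of whether the module is loadable. Either way, verify with the disk-versus-cache check or equivalent monitoring rather than assuming the rule took effect, and remove the interim block once the patched kernel is running if the workload legitimately needs AF_ALG.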

A growing trend in exploitation

CVE-2026-31431 highlights a broader trend: attackers increasingly exploit shared infrastructure components using techniques that evade traditional detection. Combined with faster weaponization of vulnerabilities, this significantly reduces defender response time.

How DEFION supports response

DEFION helps organizations respond effectively through:

  • Rapid Linux exposure assessments
  • Container security and hardening reviews
  • Threat-informed patch prioritization
  • Detection and validation of privilege-escalation activity

For more information or support, contact the DEFION CSIRT.

The vulnerability was publicly disclosed on 29 April 2026 by Theori (Taeyang Lee), supported by Xint Code.