Secure ISS

Linux Kernel “Copy Fail” Local Privilege Escalation Vulnerability

Overview

  • CVE: CVE-2026-31431

  • Severity: High

  • CVSS: 7.8

  • Published: 30 April 2026

  • Affected Product: Linux kernel

A high-severity vulnerability dubbed “Copy Fail” has been disclosed in the Linux kernel cryptographic subsystem. The flaw allows local privilege escalation to root by exploiting a logic issue in the kernel’s crypto API. Given the simplicity of exploitation and broad impact across distributions, environments running shared systems or containers may face elevated risk.


Affected Versions

  • Linux kernel versions across major distributions released since 2017


Vulnerability Breakdown

CVE-2026-31431 - Page cache write leading to local privilege escalation

  • Severity: High

  • CVSS: 7.8

  • Description: Copy Fail is a logic flaw in the Linux kernel crypto API. By chaining AF_ALG with splice() and authencesn decryption, an attacker can trigger a controlled four-byte write into the page cache of any readable file.

  • Impact: An unprivileged local user may be able to tamper with a setuid binary in memory and escalate to root. In shared-kernel environments, the same primitive may also support container escape and node compromise.

  • Conditions: Requires local code execution or an unprivileged local account. AF_ALG must be available, and the issue is not remotely exploitable on its own.

  • Notes: Risk is highest on multi-tenant Linux hosts, CI runners, shell boxes and Kubernetes nodes. Single-user workstations are still exposed, but the business impact is usually lower unless another foothold already exists.


Mitigation

  • Apply the latest vendor-supplied kernel update as a priority.

  • Validate that your kernel includes the fix reverting algif_aead to out-of-place operation.

  • Until patching is complete, disable the algif_aead module if operationally safe.

  • For untrusted workloads, block AF_ALG socket creation via seccomp where possible.

  • Prioritise shared Linux infrastructure, container hosts, CI runners and other systems that execute untrusted or tenant-supplied code.

  • Review for recent local footholds, suspicious privilege escalation activity and unauthorised access paths.
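
To check the two interim mitigations above across a fleet, the following audit script is an added example, not Secure ISS or vendor code. It assumes the module is disabled with a modprobe.d `install algif_aead /bin/false` rule (one common way to do it, not stated in the advisory); the function names and the sample /proc/modules text are constructed for illustration.

```python
import errno
import re
import socket
from pathlib import Path

# An install override such as: install algif_aead /bin/false
_INSTALL_RULE = re.compile(r"^\s*install\s+algif[-_]aead\s+(/usr)?/s?bin/(false|true)\b")
# Constructed sample of /proc/modules content, for trying the functions offline.
SAMPLE_PROC_MODULES = "algif_aead 16384 0 - Live 0x0\naf_alg 32768 1 algif_aead, Live 0x0\n"


def module_loaded(proc_modules: str) -> bool:
    """True if algif_aead is listed in the text of /proc/modules."""
    return any(l.split()[0] == "algif_aead" for l in proc_modules.splitlines() if l.strip())


def load_blocked(modprobe_conf: str) -> bool:
    """True if modprobe.d text replaces loading the module with a no-op.

    A bare `blacklist algif_aead` does not count: blacklist only ignores the
    module's aliases and does not stop it being loaded by name.
    """
    return any(_INSTALL_RULE.match(l) for l in modprobe_conf.splitlines())


def af_alg_probe() -> str:
    """Create (never bind) an AF_ALG socket to see if this process can reach it."""
    family = getattr(socket, "AF_ALG", 38)  # AF_ALG is 38 on Linux
    try:
        socket.socket(family, socket.SOCK_SEQPACKET, 0).close()
        return "reachable"
    except OSError as exc:
        # A seccomp or LSM deny normally surfaces as EPERM or EACCES.
        return "denied" if exc.errno in (errno.EPERM, errno.EACCES) else "unavailable"


def assess(proc_modules: str, modprobe_conf: str, probe: str) -> str:
    """Combine the three observations into one line for a fleet report."""
    if probe != "reachable":
        return "AF_ALG not reachable from this process"
    if module_loaded(proc_modules):
        return "exposed: algif_aead is loaded"
    if not load_blocked(modprobe_conf):
        return "exposed: algif_aead can still be loaded on demand"
    return "interim mitigation in place: algif_aead load is blocked"


if __name__ == "__main__":  # live run; reads /etc/modprobe.d only, not /lib or /run
    conf = "\n".join(p.read_text() for p in sorted(Path("/etc/modprobe.d").glob("*.conf")))
    print(assess(Path("/proc/modules").read_text(), conf, af_alg_probe()))
```

Run it inside the workload's own container or sandbox to see what that workload can reach, since a seccomp filter applies per process. A kernel with algif_aead built in rather than as a module never lists it in /proc/modules and ignores modprobe rules, so these checks do not cover that case.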


Summary for IT Teams

  • Products: Linux kernel

  • Threat Level: High, CVSS 7.8

  • Action Required: Patch affected kernels urgently, apply temporary AF_ALG mitigations where required, and prioritise shared Linux environments where a limited foothold could become full host compromise.


Need Help?

If you need assistance assessing exposure, validating patched versions, or coordinating urgent remediation across internet-facing systems, contact Secure ISS on 1300 769 460.

Australia is secure when
Australian talent defends it.

Reach out today to discuss how, with Lumara, we can work together to protect your business from the ever-changing Australian threat landscape.