Copy Fail is a high-severity Linux kernel vulnerability that enables local privilege escalation through improper handling within the crypto subsystem. The issue was identified during analysis of the AF_ALG attack surface, where researchers observed that combining AF_ALG with splice allows unprivileged users to pass page cache references from read-only files, including setuid binaries, into kernel crypto operations.

With insight from Taeyang Lee and guided analysis leveraging Theori’s Copy Fail research code, the investigation focused on reachable execution paths and quickly identified this issue as a critical finding. Successful exploitation allows attackers to modify in-memory representations of privileged binaries, resulting in reliable root-level code execution without altering files on disk.

Vulnerability Type (CWE)

CWE-669: Incorrect Resource Transfer Between Spheres Improper handling of data across trust boundaries allows user-controlled input to influence privileged kernel memory, resulting in unintended modification of protected resources and enabling privilege escalation.

CVSS Score (v3.1)

Base Score: 7.8 HIGH

Attack Vector: (AV:L)

Attack Complexity: (AC:L)

Privileges Required: (PR:L)

**User Interaction: (**UI:N)

Scope: (S:U)

Impact on CIA:

• Confidentiality: High (C:H)
• Integrity: High (I:H)
• Availability: High (A:H)

Impacted Versions

The vulnerability affects a broad range of Linux distributions, as the underlying code has been present in kernel versions released since approximately 2017. Given that the affected functionality is enabled by default in most mainstream distributions, systems running kernels from this timeframe should be considered potentially impacted. In addition to vulnerable kernel versions identified across major Linux distributions, certain CloudLinux environments were also observed to be affected. Ubuntu 26.04 (Resolute) is not affected. (Ubuntu, 2026) The versions below represent commonly deployed distributions and platforms where vulnerable kernels have been observed, tested or validated.

Vulnerable Kernels (Kodem Security, 2026)

Vulnerable CloudLinux (Kodem Security, 2026)

This significantly increases risk in environments that rely on shared-kernel multi-tenancy or where workload isolation is incomplete, such as:

• Kubernetes clusters
• CI/CD systems
• Shared development environments
• Cloud notebook platforms
• Multi-tenant container infrastructure

Mitigation Steps

• Apply Kernel Patches Upgrade to a vendor-patched Linux kernel to fully remediate the vulnerability.
• Disable algif_aead Module Prevent loading of the vulnerable crypto interface (e.g., blacklist or unload the module).
• Block at Boot Use initcall_blacklist=algif_aead_init to prevent the module from initializing.
• Restrict AF_ALG Access Limit access to the crypto API for unprivileged users to reduce exposure:

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
rmmod algif_aead 2>/dev/null

Warning

The commonly circulated modprobe.d mitigation does not work on certain environments, including CloudLinux, AlmaLinux, and other RHEL-based distributions where algif_aead is compiled directly into the kernel (CONFIG_CRYPTO_USER_API_AEAD=y). In these cases, modprobe.d rules cannot prevent the component from loading, and rmmod cannot remove it, resulting in a false sense of protection while the vulnerable functionality remains active.

Exploit Process (Based on Xint Analysis)

1. Initialize Crypto Socket

• The attacker opens an AF_ALG socket using the Linux kernel crypto API and binds it to an AEAD cipher (authencesn(hmac(sha256),cbc(aes))).
• A key is set, and a request socket is accepted.
• This interface is accessible to unprivileged users by default, requiring no elevated permissions.

2. Prepare Targeted Memory Write

• The exploit targets a setuid-root binary such as /usr/bin/su.
• The payload is split into 4-byte segments.
• For each segment:
  • sendmsg() is used to pass controlled metadata (AAD), embedding the bytes to be written
  • splice() maps the target binary’s page cache into the operation
• Parameters are carefully aligned so the write lands at a specific offset within the binary’s .text section

3. Trigger Kernel Write Primitive

• A recv() call initiates the decryption routine within the kernel.
• During processing:
  • The kernel incorrectly writes attacker-controlled bytes into memory
  • The write crosses into the page cache of the target binary
• Although integrity checks fail afterward, the modified bytes remain in memory, resulting in a corrupted cached copy of the binary

4. Execute Modified Binary

• Once the payload is fully written, the attacker executes /usr/bin/su
• The kernel loads the binary from the modified page cache, not disk
• Because the binary retains its setuid-root permissions, the injected code executes with UID 0 (root)

5. Outcome

• Successful exploitation results in reliable local privilege escalation
• No on-disk changes are required, reducing forensic visibility
• The technique leverages kernel logic flaws rather than traditional memory corruption, increasing stability and repeatability

Proof-of-Concept Availability

A public proof of concept (PoC) is available for this vulnerability. It should only be used in authorized testing environments to validate exposure and patch effectiveness.

Conditions

• Requires Python 3.10+ for os.splice support. Earlier versions may fail silently and produce false negatives.
• modprobe based mitigation is ineffective on WSL2 and certain RHEL-based distributions where algif_aead is built into the kernel.
• Public PoC currently supports x86_64 architectures only. ARM systems require modified shellcode.

Timeline

TTPs (MITRE ATT&CK Mapping)

TTP mappings are derived from MITRE ATT&CK technique definitions and aligned to observed exploit behavior, including privilege escalation via kernel exploitation and abuse of setuid mechanisms.

• T1078 – Valid Accounts Exploitation requires access to a local user account, which can be obtained through prior compromise, shared environments, or legitimate user access.
• T1068 – Exploitation for Privilege Escalation The vulnerability is leveraged to elevate privileges from a low-privileged user to root by abusing flaws in the kernel crypto subsystem.
• T1548.001 – Abuse Elevation Control Mechanism: Setuid and Setgid The exploit targets a setuid binary such as /usr/bin/su, modifying its in-memory representation so that execution results in root-level access.

Centripetal’s Perspective

Centripetal is actively monitoring the development of CVE-2026-31431. Copy Fail is a significant Linux local privilege escalation vulnerability that abuses legitimate kernel functionality present in widely deployed kernels for years, enabling reliable root-level code execution without modifying files on disk. While it requires prior access to the system, it becomes highly impactful when chained with common intrusion vectors such as phishing, loaders, exposed services, or container escapes. The vulnerability presents elevated risk in environments where attackers can obtain limited local execution and subsequently escalate privileges to achieve full system compromise.

Resources

• COPY.FAIL
• BugCrowd - What we know about Copy Fail (CVE-2026-31431)
• Xint - Copy Fail: 732 Bytes to Root on Every Major Linux Distribution.
• The Hacker News - New Linux 'Copy Fail' Vulnerability Enables Root Access on Major Distributions
• CVE.ORG - CVE-2026-31431
• OvhCloud - Copy.Fail (CVE-2026-31431): How to Rapidly Protect OVHcloud MKS Clusters from the Linux Kernel Zero-Day
• NIST - CVE-2026-31431 Detail
• GitHub - copy_fail_exp.py
• KodemSecurity - CVE-2026-31431 (Copy Fail): Linux Kernel LPE Breakdown and Remediation Runbook
• CloudLinux - CVE-2026-31431 (Copy Fail): Kernel Update on CloudLinux
• Ubuntu - Ubuntu 26.04 (Resolute) not affected
• CISA KEV - Added as a known exploited vulnerability