⚠️ Active Threat — Publicly Disclosed April 29, 2026. Working exploit code is public. Every unpatched Linux system running kernel 4.14 through 6.17 is affected. Check your kernel version now. See mitigation steps below.
What Is “Copy Fail”?
CVE-2026-31431, dubbed “Copy Fail” by the researchers who found it, is a local privilege escalation vulnerability in the Linux kernel’s cryptographic subsystem. CVSS score: 7.8. The practical impact: any local user — no special permissions required — can get a root shell on an unpatched system. Reliable, deterministic, no kernel offsets needed, no brute force, no KASLR bypass.
The bug was discovered by researchers at Theori using their Xint AI vulnerability research platform. They reported it to the Linux kernel security team on March 23, 2026. A patch landed upstream within a week. Public disclosure came April 29 — the day working exploit code and the full technical writeup dropped simultaneously.
Before that, every major distribution shipped the bug for nine years.
The Vulnerable Code Path
The bug lives in crypto/authencesn.c — the kernel’s implementation of the authencesn authenticated encryption template. This is a somewhat obscure corner of the crypto subsystem that handles combined authentication + encryption operations with extended sequence numbers. It’s not the kind of code most people think about when they think “Linux kernel attack surface.”
It got there in 2017, with kernel 4.14, as part of an optimization that allowed certain cryptographic operations to work on data “in-place” — modifying the original buffer rather than copying it. Reasonable optimization. Logic bug hiding inside it.
The Primitive: A 4-Byte Write Into Page Cache
Here’s what the bug actually does, explained without the assembly:
- A user opens an AF_ALG socket — Linux’s kernel-level crypto interface, available to any unprivileged user.
- They configure it to use the
authencesntemplate. - They use the
splice()system call to pipe file contents directly into the AF_ALG socket’s kernel buffer without copying to userspace first. - Due to the 2017 “in-place” optimization, the kernel’s crypto code writes back modified data into the page cache entry for the source file — the same memory-backed page the kernel uses as the “master copy” of that file’s contents on disk.
- Net result: four bytes of attacker-controlled data written into the kernel’s cached view of any file the attacker can read.
That’s the primitive. A deterministic, reliable 4-byte write into the page cache of any readable file. No race condition, no spray-and-pray, no SMAP/SMEP bypass required.
From 4-Byte Write to Root
The attack chain from “4-byte write into a readable file” to root is straightforward if the target file is a setuid-root binary.
/usr/bin/sudo, /usr/bin/su, /usr/bin/passwd, /usr/bin/newgrp — any setuid binary you can read (most of them) is fair game. The exploit:
- Identifies the target setuid binary and maps where a useful instruction lives in the file.
- Uses the Copy Fail primitive to overwrite those 4 bytes in the page cache.
- Executes the binary.
- The kernel loads the binary from the (now-corrupted) page cache.
- Shellcode runs as root.
The exploit code published by Theori is 732 bytes of Python. It runs in seconds. It has no offsets specific to any distribution or kernel build. It works because the page cache corruption is layout-agnostic — the exploit targets instruction bytes that are stable across builds, not kernel struct offsets that vary.
Theori’s researchers described it as “more portable than Dirty Pipe.” That’s not marketing. Dirty Pipe (CVE-2022-0847) required knowing pipe buffer internals. Copy Fail requires nothing — just the AF_ALG socket interface and a setuid binary. One script, every distro, nine years of exposure.
Confirmed Affected Systems
Theori confirmed the exploit works on:
- Ubuntu 24.04 LTS (kernel 6.8)
- Amazon Linux 2023 (kernel 6.1)
- RHEL 10.1 (kernel 6.12)
- SUSE Linux Enterprise 16 (kernel 6.12)
Any Linux system running kernel 4.14 through 6.17 is affected. If you’re not sure what you’re running:
uname -r
The bug was introduced in kernel 4.14 and patched in:
- 6.18.22
- 6.19.12
- 7.0
The upstream patch landed April 1, 2026. Distribution packages are rolling out now, but patch propagation across enterprise and cloud environments takes time — and that window is what makes this dangerous in practice.
Who Should Care Right Now
This is a local privilege escalation, not a remote code execution. The attacker needs a shell on the box first. That constraint matters — but in 2026, getting a local shell on a Linux host is not the hard part for most threat actors. The question is what they do next.
Priority threat environments:
Multi-tenant Linux hosts — Any environment where multiple users share the same kernel is a kill chain waiting to happen. A low-privilege tenant compromise → Copy Fail → root → full host. Game over.
Kubernetes and container clusters — Container escapes are already a known risk, but Copy Fail short-circuits the usual complexity. If an attacker lands in a privileged container or escapes to the node, Copy Fail hands them root on the underlying host without any KASLR bypass or kernel heap spray.
CI/CD runners — GitHub Actions runners, GitLab runners, Jenkins agents running on shared Linux infrastructure. Malicious code in a build step (supply chain compromise, malicious PR, compromised dependency — we’ve seen all of these recently) runs as a restricted user on a shared runner. Copy Fail escalates that to root, which escalates to “everything the runner can touch.”
Cloud SaaS running user code — Any product that executes user-submitted code on Linux — notebooks, sandboxed compute, serverless platforms — is a potential host for this exploit if that code runs in a shared kernel context.
The Dirty Pipe Comparison
Dirty Pipe (CVE-2022-0847) was the last kernel LPE to generate this level of attention. It’s worth being precise about how Copy Fail differs:
| Dirty Pipe (CVE-2022-0847) | Copy Fail (CVE-2026-31431) | |
|---|---|---|
| Introduced | 2020 (kernel 5.8) | 2017 (kernel 4.14) |
| Mechanism | Pipe buffer flag bypass → page cache write | AF_ALG splice() → page cache write |
| Exploit size | ~400 LOC C | 732-byte Python |
| Kernel offsets required | No | No |
| Works on RHEL/Amazon Linux | No (5.8+ only) | Yes |
| Exposure window | ~2 years | ~9 years |
| Reliability | High | Deterministic |
Copy Fail covers a larger surface. It hits every major enterprise distribution, including those running 4.x and 5.x-era kernels. Dirty Pipe missed RHEL entirely because RHEL stayed on 4.x kernels longer than upstream. Copy Fail doesn’t miss anything in the 4.14+ range.
Mitigation
The permanent fix is patching. Kernel versions 6.18.22, 6.19.12, and 7.0 contain the upstream fix. Check your distribution’s security tracker for a backported patch if you’re on an LTS kernel.
While you wait for the patch:
Disable the algif_aead kernel module. This is the userspace interface that enables AF_ALG access to the authencesn template. Blocking it eliminates the attack vector entirely without breaking standard crypto operations.
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf && rmmod algif_aead
The first command creates a persistent rule preventing the module from loading on reboot. The second unloads it immediately if it’s currently loaded. If rmmod fails with “module not in use,” the module wasn’t loaded — you’re fine, but keep the rule in place.
This does not break TLS, disk encryption, or any standard cryptographic operation. The algif_aead module is the kernel’s userspace-accessible AEAD interface — it’s not used by the kernel’s own crypto stack for normal operations. Disabling it affects software that explicitly uses AF_ALG sockets for AEAD operations, which is rare in practice.
Verify the module is gone:
lsmod | grep algif_aead
No output = module not loaded = attack surface removed.
Detection
If you’re looking for exploitation attempts in your environment, watch for:
- Processes calling
socket(AF_ALG, ...)followed bysplice()on setuid binaries - Unexpected setuid binary execution from unusual parent processes
/etc/modprobe.d/modifications (an attacker re-enabling the module post-mitigation)auditdevents:syscall=socketwitha0=0x26(AF_ALG = 38 = 0x26), followed bysyscall=splice
If you’re running auditd, add:
auditctl -a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg_use
This flags any process opening an AF_ALG socket. Baseline what’s normal in your environment — some legitimate crypto tooling uses AF_ALG — then alert on deviations.
OPSEC Note for Red Teamers
If you’re running engagements against targets that may be using shared cloud infrastructure, VPN your egress before you touch anything. Cloud providers log source IPs on exploit traffic, and a Copy Fail attempt from a residential or cloud IP that traces back to you is a bad day. NordVPN is what we use for egress isolation on cloud engagements — reliable, no-log, and doesn’t get flagged by cloud provider GeoIP blocks the way some alternatives do.
Timeline
| Date | Event |
|---|---|
| 2017 | Kernel 4.14 introduces “in-place” optimization in crypto/authencesn.c — bug introduced |
| 2026-03-23 | Theori reports CVE-2026-31431 to Linux kernel security team |
| ~2026-03-30 | Upstream patch merged (within one week of report) |
| 2026-04-01 | Fix available in kernel 6.18.22, 6.19.12, and 7.0 |
| 2026-04-29 | Theori publishes full writeup + PoC exploit. Public disclosure. |
| 2026-04-30 | Distribution patches rolling out. Exploit publicly available. |
Current Status
As of April 30, 2026:
- Exploit is public. A working 732-byte Python PoC is available. Assume anyone with a local foothold on an unpatched system can escalate.
- Patches are in upstream kernels (6.18.22, 6.19.12, 7.0). Distribution packages are in progress.
- Ubuntu, RHEL, Amazon Linux, SUSE all confirmed affected. Expect advisories from all major distributions.
- No reports of in-the-wild exploitation as of disclosure, but the exploit is trivial to run — that window will be short.
- Theori’s Xint AI platform was used to discover the vulnerability — AI-assisted kernel vulnerability research is producing real results.
Patch first. Disable algif_aead if patching is delayed. Don’t wait for your distribution advisory if you’re in a high-risk environment — the kernel fix is upstream now.
Sources: Theori — CVE-2026-31431 Full Writeup · Linux Kernel Security Advisory · NVD — CVE-2026-31431
Need content like this for your security blog or internal newsletter? CipherWrite delivers practitioner-grade security writing on deadline — blog posts, whitepapers, LinkedIn content. See the gig.