Full Report
This is the worst Linux vulnerability in years. TL;DR: copy.fail is a Linux kernel local privilege escalation, not a browser or clipboard attack. Disclosed by Theori on 29 April 2026 with a working PoC. It abuses the kernel crypto API (AF_ALG sockets) plus splice() to write four bytes at a time straight into the page cache of a file the attacker does not own. The exploit works unmodified across Ubuntu, RHEL, Debian, SUSE, Amazon Linux, Fedora and most others. No race condition, no per-distro offsets. The file on disk is never modified. AIDE, Tripwire and checksum-based monitoring see nothing. ...
Analysis Summary
# Vulnerability: Copy.Fail Linux Kernel Local Privilege Escalation
## CVE Details
- **CVE ID**: CVE-2026-31431
- **CVSS Score**: Not stated in the source. The described characteristics (local access as an unprivileged user, low complexity, no user interaction, full root) correspond to the CVSS v3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which scores 7.8; treat this as an estimate derived from the description, not an assigned score.
- **CWE**: Not assigned in the source. The described behaviour (an unprivileged caller writing into the page cache of a file it cannot open for writing) fits CWE-284 (Improper Access Control) as a general class; nothing in the description supports a pointer-dereference weakness.
## Affected Systems
- **Products**: Linux Kernel (Multiple major distributions)
- **Versions**: Kernels that do not contain the mainline fix merged on April 1, 2026. The source gives no version numbers; treat any kernel older than your distribution's patched release as affected.
- **Configurations**: Ubuntu, RHEL, Debian, SUSE, Amazon Linux, Fedora and WSL2 are named. The risk is highest wherever untrusted code already runs locally, such as multi-tenant Kubernetes clusters and CI/CD runners.
## Vulnerability Description
The "copy.fail" vulnerability is a flaw in how the Linux kernel's **AF_ALG sockets** (the user-space interface to the kernel crypto API) interact with the **splice()** system call.
The flaw lets an unprivileged attacker bypass file permissions and write data, four bytes per operation, directly into the **page cache** of a file they cannot open for writing, including `/etc/passwd` and `/etc/shadow`. Only the cached copy changes: the bytes on disk are untouched and the altered page is never written back. The cached copy is nevertheless what every subsequent read of the file returns, so the change takes effect immediately and lasts until the page is evicted or the system reboots, and four bytes per operation is enough because the write can be repeated at successive offsets. That is why the attack leaves the disk untouched and why disk-based integrity checks see nothing.
## Exploitation
- **Status**: Disclosed by Theori on April 29, 2026, with a functional **Proof of Concept (PoC)**.
- **Complexity**: Low (no race to win and no per-distribution offsets; the PoC runs unmodified across the named distributions).
- **Attack Vector**: Local (requires the ability to run code as an unprivileged user, for example inside a container, a CI job or a shell account).
## Impact
- **Confidentiality**: High (Can lead to full root access and the ability to read any system file).
- **Integrity**: High (Allows unauthorized modification of the page cache to alter system behavior).
- **Availability**: High (Root access allows for complete system shutdown or disruption).
## Remediation
### Patches
- **Mainline Linux Kernel**: Fix landed on April 1, 2026.
- **Distributions**: Security updates are rolling out for Ubuntu, RHEL, Debian, SUSE, Amazon Linux and Fedora. Install the patched kernel and reboot: a kernel update does not protect a running system until it boots into the new kernel, and the reboot also discards any page-cache pages an attacker may already have altered.
### Workarounds
- **Seccomp Filters**: The default `RuntimeDefault` profile allows both `socket()` and `splice()`, so it does not help. For untrusted containers, ship a custom `Localhost` seccomp profile that refuses `socket()` when the domain argument is `AF_ALG` (value 38). That is the targeted option: few programs use the kernel crypto API from user space (cryptsetup and the OpenSSL afalg engine are examples, so check before enforcing). Denying `splice()` outright also works but is blunt, because programs use it for zero-copy I/O; test workloads before rolling it out. Argument filtering on `socket()` only applies where `socket` is a direct syscall (x86_64, aarch64); 32-bit x86 multiplexes through `socketcall()`.
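The targeted profile described above, as an added example (not code from the original report, from Theori or from any distribution): it builds the deny rule in the OCI/Docker JSON seccomp profile format that containerd, CRI-O and Docker accept for Kubernetes `Localhost` profiles, layers it onto a constructed stand-in for a RuntimeDefault-style allow-list (`RUNTIME_DEFAULT_LIKE`, not the real profile), and predicts what `socket(AF_ALG)` and `socket(AF_INET)` do under the result. The kubelet path and the stand-in profile are assumptions.

```python
"""Seccomp profile that refuses AF_ALG socket creation in a container.

Added example, not code from the original report or any distribution.
Assumes the OCI/Docker JSON seccomp format (defaultAction, architectures,
syscalls[].names/action/errnoRet/args). RUNTIME_DEFAULT_LIKE is a constructed
stand-in for the shape of a runtime default profile, not the real one.
"""
import copy
import json

AF_ALG = 38          # socket(2) domain of the kernel crypto API (linux/socket.h)
AF_INET = 2
EAFNOSUPPORT = 97    # errno handed back instead of a socket fd
EPERM = 1

# Constructed stand-in: deny by default, one unconditional allow-list that
# includes socket() and splice(), which is why RuntimeDefault does not help.
RUNTIME_DEFAULT_LIKE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
    "syscalls": [
        {"names": ["read", "write", "socket", "splice", "exit_group"],
         "action": "SCMP_ACT_ALLOW"},
    ],
}


def _drop_from_unconditional_allows(rules, name):
    """Remove `name` from every allow rule that has no argument filter."""
    for rule in rules:
        if rule.get("action") == "SCMP_ACT_ALLOW" and not rule.get("args"):
            rule["names"] = [n for n in rule["names"] if n != name]


def add_af_alg_deny(profile, deny_splice=False):
    """Return a copy of `profile` in which socket(AF_ALG, ...) fails.

    Allow-by-default profile: add one explicit ERRNO rule for domain == AF_ALG.
    Deny-by-default allow-list: take socket() out of the unconditional allow
    and re-allow it only for domain != AF_ALG, so AF_ALG falls through to the
    default errno. This avoids relying on precedence between an unconditional
    allow and a conditional deny for the same syscall. deny_splice=True also
    refuses splice(), the blunt option that can break zero-copy I/O users.
    Argument filters on socket() only fire where it is a direct syscall
    (x86_64, aarch64), not on i386's socketcall() multiplexer.
    """
    hardened = copy.deepcopy(profile)
    rules = hardened.setdefault("syscalls", [])
    allow_default = hardened.get("defaultAction") == "SCMP_ACT_ALLOW"
    if allow_default:
        rules.append({"names": ["socket"], "action": "SCMP_ACT_ERRNO",
                      "errnoRet": EAFNOSUPPORT,
                      "args": [{"index": 0, "value": AF_ALG, "op": "SCMP_CMP_EQ"}]})
    else:
        _drop_from_unconditional_allows(rules, "socket")
        rules.append({"names": ["socket"], "action": "SCMP_ACT_ALLOW",
                      "args": [{"index": 0, "value": AF_ALG, "op": "SCMP_CMP_NE"}]})
    if deny_splice:
        if allow_default:
            rules.append({"names": ["splice"], "action": "SCMP_ACT_ERRNO",
                          "errnoRet": EPERM})
        else:
            _drop_from_unconditional_allows(rules, "splice")
    return hardened


def standalone_profile(deny_splice=False):
    """Allow-by-default profile carrying only the deny rules, for a quick test.
    For production, layer onto the runtime's real default with add_af_alg_deny()."""
    base = {"defaultAction": "SCMP_ACT_ALLOW",
            "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
            "syscalls": []}
    return add_af_alg_deny(base, deny_splice)


def socket_outcome(profile, domain):
    """Predict 'allow', 'deny' or 'undetermined' for socket(domain, ...).

    Only argument-0 comparisons with SCMP_CMP_EQ / SCMP_CMP_NE are interpreted;
    any other comparison is treated as matching, which errs towards reporting
    'allow' so the audit never gives false comfort. Conflicting matches
    (an allow and a deny both applicable) are reported as 'undetermined'.
    """
    actions = set()
    for rule in profile.get("syscalls", []):
        if "socket" not in rule.get("names", []):
            continue
        matched = True
        for arg in rule.get("args", []):
            if arg.get("index") != 0:
                continue
            if arg.get("op") == "SCMP_CMP_EQ":
                matched = arg.get("value") == domain
            elif arg.get("op") == "SCMP_CMP_NE":
                matched = arg.get("value") != domain
            if not matched:
                break
        if matched:
            actions.add("allow" if rule.get("action") == "SCMP_ACT_ALLOW" else "deny")
    if not actions:
        return "allow" if profile.get("defaultAction") == "SCMP_ACT_ALLOW" else "deny"
    return actions.pop() if len(actions) == 1 else "undetermined"


def profile_json(profile):
    """Serialised form to drop under the kubelet seccomp root (assumed default
    /var/lib/kubelet/seccomp/) and reference via seccompProfile type Localhost."""
    return json.dumps(profile, indent=2)


if __name__ == "__main__":
    print("stand-in allows AF_ALG:", socket_outcome(RUNTIME_DEFAULT_LIKE, AF_ALG))
    hardened = add_af_alg_deny(RUNTIME_DEFAULT_LIKE)
    print("hardened AF_ALG:", socket_outcome(hardened, AF_ALG),
          "AF_INET:", socket_outcome(hardened, AF_INET))
    print(profile_json(standalone_profile()))
```

Save the output under the kubelet's seccomp root and point the pod's `securityContext.seccompProfile` at it with `type: Localhost`. For a real rollout, feed your runtime's actual default profile to `add_af_alg_deny()` rather than the stand-in, so the rest of its allow-list is preserved, and confirm with `socket_outcome()` that ordinary domains such as `AF_INET` are still allowed.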
## Detection
- **Indicators of Compromise**: Hard, because the bytes on disk never change. Look for unprivileged processes creating `AF_ALG` sockets and calling `splice()` shortly afterwards; `auditd` can log `socket()` filtered on the domain argument, and eBPF tracers can do the same with less overhead. One direct check on a running host: read a sensitive file such as `/etc/passwd` normally (which returns the page-cache copy) and again with `O_DIRECT` (which bypasses the page cache on filesystems that support it); a mismatch means the cached copy has been tampered with. Capture that evidence before evicting the page, since dropping caches or rebooting makes it disappear.
- **Detection Methods**: The source states that **AIDE, Tripwire and checksum-based monitoring** see nothing, since the contents on disk never change. Note, however, that a scan which happens to read the file while the tampered page is still cached reads through the page cache like any other process, so the timing of the scan relative to the attack window matters. Reliable detection relies on memory forensics or kernel-level auditing (`auditd` syscall rules or eBPF-based monitoring) rather than file hashes.
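The correlation described above, as an added example that is not part of the original report: a small parser for `auditd` SYSCALL records that flags a process which creates an `AF_ALG` socket and then calls `splice()`. The audit rules in `AUDIT_RULES`, the syscall-number table for x86_64 and aarch64, and the log lines in `SAMPLE_LOG` are constructed for this example; the rules are an assumption about how the host is configured, not something the source specifies.

```python
"""Correlating AF_ALG socket creation with splice() in auditd records.

Added example, not code from the original report. Assumes auditd is loaded
with the rules in AUDIT_RULES (an assumption, not from the source) and that
records arrive in the default audit.log key=value layout. SAMPLE_LOG is
constructed for illustration.
"""
import re
from collections import defaultdict

# Assumed rules, e.g. saved as /etc/audit/rules.d/af_alg.rules. 38 is AF_ALG.
# Auditing every splice() is noisy on busy hosts; it is only here so that a
# process that opens an AF_ALG socket and then calls splice() can be tied
# together. Only b64 is covered: on i386 socket() goes through socketcall().
AUDIT_RULES = """\
-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg
-a always,exit -F arch=b64 -S splice -k splice
"""

AF_ALG = 38

# Syscall numbers by the hex arch value that auditd prints in the arch= field.
SYSCALL_NAMES = {
    "c000003e": {41: "socket", 275: "splice"},   # x86_64
    "c00000b7": {198: "socket", 76: "splice"},   # aarch64
}

# Constructed records: pid 4242 does both steps, pid 880 opens an AF_INET
# socket, pid 910 is a splice()-only zero-copy user, pid 2200 opens AF_ALG
# on aarch64 but never splices. Arguments a0..a3 are hex, as auditd logs them.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1777441200.101:5001): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=4100 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 comm="poc" exe="/tmp/poc" key="af_alg"
type=SYSCALL msg=audit(1777441200.102:5002): arch=c000003e syscall=275 success=yes exit=4 a0=5 a1=0 a2=6 a3=0 items=0 ppid=4100 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 comm="poc" exe="/tmp/poc" key="splice"
type=SYSCALL msg=audit(1777441200.200:5003): arch=c000003e syscall=41 success=yes exit=7 a0=2 a1=1 a2=6 a3=0 items=0 ppid=1 pid=880 auid=4294967295 uid=0 gid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key="net"
type=SYSCALL msg=audit(1777441200.300:5004): arch=c000003e syscall=275 success=yes exit=65536 a0=9 a1=0 a2=11 a3=0 items=0 ppid=1 pid=910 auid=4294967295 uid=33 gid=33 euid=33 comm="filecopy" exe="/usr/local/bin/filecopy" key="splice"
type=SYSCALL msg=audit(1777441200.400:5005): arch=c00000b7 syscall=198 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=2100 pid=2200 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key="af_alg"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def classify(fields):
    """'af_alg_socket', 'splice' or None for one SYSCALL record."""
    if fields.get("type") != "SYSCALL":
        return None
    names = SYSCALL_NAMES.get(fields.get("arch"), {})
    name = names.get(int(fields.get("syscall", "-1")))
    if name == "socket" and int(fields.get("a0", "0"), 16) == AF_ALG:
        return "af_alg_socket"
    if name == "splice":
        return "splice"
    return None


def find_suspects(lines):
    """Group events by pid. AF_ALG socket plus splice() in the same process is
    'high'; an AF_ALG socket alone is 'medium' (some crypto libraries use it
    legitimately); splice() alone is ignored as normal zero-copy I/O."""
    kinds_by_pid = defaultdict(set)
    who = {}
    for line in lines:
        fields = parse_record(line)
        kind = classify(fields)
        if kind is None:
            continue
        pid = fields["pid"]
        kinds_by_pid[pid].add(kind)
        who[pid] = {"uid": fields.get("uid"), "comm": fields.get("comm"),
                    "exe": fields.get("exe")}
    alerts = {}
    for pid, kinds in kinds_by_pid.items():
        if "af_alg_socket" not in kinds:
            continue
        severity = "high" if "splice" in kinds else "medium"
        alerts[pid] = dict(who[pid], severity=severity, kinds=sorted(kinds))
    return alerts


if __name__ == "__main__":
    for pid, alert in find_suspects(SAMPLE_LOG.splitlines()).items():
        print(pid, alert)
```

Run it over `/var/log/audit/audit.log` (or feed it from `ausearch -k af_alg -k splice --raw`) and review every 'high' hit; 'medium' hits from known AF_ALG users such as cryptsetup can be allow-listed by `exe`. Because pids are reused, correlate only within a bounded time window when applying this to a long log.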
## References
- **Source article (explainer; the disclosure itself is Theori's)**: hxxps://jorijn[.]com/en/blog/copy-fail-cve-2026-31431-linux-kernel-bug-explained/
- **Theori Research**: hxxps://theori[.]io/ (Attributed discoverer)
- **Technical Analysis**: hxxps://arstechnica[.]com/security/2026/04/as-the-most-severe-linux-threat-in-years-surfaces-the-world-scrambles/
- **Security Blog**: hxxps://www.schneier[.]com/blog/archives/2026/05/copy-fail-linux-vulnerability.html