Full Report
Patches land for authencesn flaw enabling local privilege escalation
Analysis Summary
# Vulnerability: Copy Fail (Linux Kernel authencesn LPE)
## CVE Details
- **CVE ID:** CVE-2026-31431
- **CVSS Score:** 7.8 (High)
- **CWE:** Logic Flaw / Memory Corruption (Write-what-where primitive)
## Affected Systems
- **Products:** Linux Kernel
- **Versions:** Most distributions released since 2017 (the exact kernel versions depend on backports, but the flaw has persisted for ~9 years).
- **Configurations:** Multi-tenant systems, shared-kernel containers (e.g., Kubernetes), and CI/CD runners that execute untrusted code.
## Vulnerability Description
The vulnerability, dubbed **"Copy Fail,"** resides in the Linux kernel's `authencesn` cryptographic template. It is a logic flaw that lets an unprivileged local user write four controlled bytes into the page cache of any readable file.
Because the kernel loads binaries through the page cache, an attacker can modify the cached copy of a sensitive binary (such as a `setuid` executable) in memory and thereby run arbitrary code with elevated privileges, without ever changing the file on disk. Since the on-disk file is untouched, the attack also evades `inotify`-based file-system integrity monitoring.
## Exploitation
- **Status:** PoC available (Publicly released as a 10-line Python script).
- **Complexity:** Low (Does not require winning a race condition).
- **Attack Vector:** Local (Requires local shell access or must be chained with a remote entry point).
## Impact
- **Confidentiality:** High (Total system compromise possible).
- **Integrity:** High (Ability to modify binary execution in memory).
- **Availability:** High (Potential for system instability or lockout).
- **Container Escape:** The flaw acts as a container escape primitive because the page cache is shared across the host kernel.
## Remediation
### Patches
Major Linux distributions have released security updates. Users should update to the following (or later) versions:
- **Debian:** Security patches released; check `security-tracker.debian.org`.
- **Ubuntu:** Patches available via standard update channels.
- **SUSE:** Patches issued for Enterprise and Leap versions.
- **Red Hat:** Initially deferred, but now issuing prompt updates for RHEL.
- **Upstream Kernel:** Fixes land in the `authencesn` cryptographic module.
### Workarounds
- No specific software workaround (e.g., a sysctl toggle) is given in the article; a kernel update followed by a system reboot is required, the reboot also clearing any page cache that has already been modified.
## Detection
- **Indicators of Compromise:** Unusual privilege escalations by unprivileged accounts or unauthorized `setuid` executions.
- **Detection Methods:** Traditional file integrity checkers (AIDE, Tripwire) may **not** detect this, because the modification lives in the page cache (RAM) rather than on the physical disk. Memory forensics, or monitoring for unusual syscall patterns involving the kernel's cryptographic modules, may be required.
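One practical check that follows from the point above, added here as an example (it is not from the article or from the Theori research): hash each setuid binary once through the page cache (a normal buffered read) and once with `O_DIRECT` (`dd iflag=direct`, which bypasses the page cache) and compare. It assumes coreutils `dd` and `sha256sum` and a filesystem that supports direct I/O; where it does not, the file is reported as skipped rather than as clean.

```shell
#!/bin/sh
# Added example (not from the article): compare a file as seen through the
# page cache (buffered read) with the bytes on disk (O_DIRECT read). A mismatch
# is the trace Copy Fail leaves: the cached copy changed, the on-disk file did not.
# Assumptions: coreutils dd/sha256sum; direct I/O supported by the filesystem
# (tmpfs and some overlay setups are not, in which case the check is skipped).

# check_page_cache FILE
#   returns 0 if cached and on-disk contents match,
#           1 if they differ (MISMATCH),
#           2 if direct I/O is unsupported here (result unknown).
check_page_cache() {
    file=$1
    cached=$(sha256sum < "$file" | cut -d' ' -f1)          # via page cache
    tmp=$(mktemp) || return 2
    # dd with iflag=direct reads with O_DIRECT; it fails (EINVAL) on
    # filesystems without direct I/O support, so its status is checked.
    if ! dd if="$file" of="$tmp" iflag=direct bs=4096 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    ondisk=$(sha256sum < "$tmp" | cut -d' ' -f1)           # bypassing cache
    rm -f "$tmp"
    if [ "$cached" = "$ondisk" ]; then
        return 0
    fi
    return 1
}

# scan_setuid [DIR...]
#   runs the check over every setuid file below the given directories
#   (default: the usual system binary directories) and returns the number
#   of mismatches found. Assumes the paths contain no whitespace.
scan_setuid() {
    [ $# -eq 0 ] && set -- /usr/bin /usr/sbin /bin /sbin
    mismatches=0
    for f in $(find "$@" -xdev -type f -perm -4000 2>/dev/null); do
        rc=0
        check_page_cache "$f" || rc=$?
        case $rc in
            1) echo "MISMATCH (page cache differs from disk): $f"
               mismatches=$((mismatches + 1)) ;;
            2) echo "SKIPPED (direct I/O unsupported): $f" ;;
        esac
    done
    return "$mismatches"
}

# Run the scan only when invoked directly with --scan.
if [ "${1:-}" = "--scan" ]; then scan_setuid; fi
```

A clean result only says the cached and on-disk copies currently agree; once the page has been evicted (or the host rebooted) the evidence is gone, so this is a live check, not a forensic one.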
## References
- **Theori Research:** hxxps[://]theori[.]io/
- **PoC Repository:** hxxps[://]github[.]com/theori-io/copy-fail-CVE-2026-31431
- **Debian Tracker:** hxxps[://]security-tracker[.]debian[.]org/tracker/CVE-2026-31431
- **Ubuntu Advisory:** hxxps[://]ubuntu[.]com/security/CVE-2026-31431
- **Red Hat Advisory:** hxxps[://]access[.]redhat[.]com/security/cve/cve-2026-31431