Full Report
An exploit has been published for a local privilege escalation vulnerability dubbed "Copy Fail" that impacts Linux kernels released since 2017, allowing an unprivileged local attacker to gain root permissions. [...]
Analysis Summary
# Vulnerability: Copy Fail (Linux Kernel LPE)
## CVE Details
- **CVE ID:** CVE-2026-31431
- **CVSS Score:** 7.8 (High) - *Note: Based on typical LPE metrics; official NVD score pending.*
- **CWE:** CWE-670 (Always-Incorrect Control Flow Implementation) / Logic Bug
## Affected Systems
- **Products:** Linux Kernel
- **Versions:** Every kernel from v4.14 (2017), where the in-place optimization was introduced, up to but excluding the fixed releases listed under Remediation.
- **Tested Distributions:**
- Ubuntu 24.04 LTS
- Amazon Linux 2023
- RHEL 10.1
- SUSE 16
- **Configurations:** Systems where the `AF_ALG` user-space crypto interface is available and the `algif_aead` module is loaded or loadable. The module is auto-loaded on first use of an `aead` socket, so its absence from `lsmod` output does not mean the interface is unavailable.
## Vulnerability Description
The "Copy Fail" vulnerability is a logic bug in the Linux kernel's `authencesn` cryptographic template. It stems from an "in-place" optimization introduced in 2017 that reused a single buffer for input and output instead of keeping them separate.
Through the `AF_ALG` interface, which exposes kernel crypto to user space, combined with the `splice()` system call, an unprivileged user can trigger a 4-byte controlled write into the page cache of any file they are allowed to read. Because the write lands in the page cache rather than on disk, the attacker can patch the in-memory copy of a setuid-root binary and alter its execution flow to obtain root on the next execution, while the file on disk is left untouched.
## Exploitation
- **Status:** PoC published: a Python exploit reported as 100% reliable.
- **Complexity:** Low (Script is portable and does not require specific kernel offsets).
- **Attack Vector:** Local
## Impact
- **Confidentiality:** High (Full system access)
- **Integrity:** High (Ability to modify memory/behavior of root processes)
- **Availability:** High (Attacker gains total control over the host)
## Remediation
### Patches
The vulnerability was fixed upstream by reverting the "in-place" crypto behavior. Update to one of the following kernel versions or newer (distribution kernels receive the fix as a backport under their own version numbers, so consult the distribution advisory rather than comparing against these upstream numbers):
- Linux Kernel 6.18.22
- Linux Kernel 6.19.12
- Linux Kernel 7.0
### Workarounds
If patching is not immediately possible, prevent the `algif_aead` module from loading; it implements the `AF_ALG` `aead` socket type that the exploit depends on. This blocks only `aead` sockets (other `AF_ALG` types remain available) and only applies where `algif_aead` is built as a module; if it is compiled into the kernel (`CONFIG_CRYPTO_USER_API_AEAD=y`), the only remedy is to patch.
1. Create a configuration file so that any attempt to load the module, including the kernel's own auto-load on first use, fails:
`echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf`
2. Unload the module if it is currently in memory (`rmmod` fails while an `aead` socket is still open; in that case the `modprobe.d` rule takes effect after a reboot):
`rmmod algif_aead`
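The workaround above as an added shell script; this is not part of the advisory or of the kernel project. It checks whether `algif_aead` is a module at all (the Kconfig symbol `CONFIG_CRYPTO_USER_API_AEAD` and a standard kmod toolchain are assumed), writes the `modprobe.d` rule, unloads the module, and verifies that a fresh load now fails. Only `apply_workaround` touches the system and needs root; the helpers are plain text processing so they can be checked against constructed `lsmod` output.

```shell
#!/bin/sh
# Added example (not from the advisory or the kernel project): apply and
# verify the algif_aead workaround described above. Assumes a standard
# kmod toolchain (lsmod, rmmod, modprobe) and the upstream Kconfig symbol
# CONFIG_CRYPTO_USER_API_AEAD, which is what builds algif_aead.

CONF=/etc/modprobe.d/disable-algif.conf   # path used in the advisory

# Succeed if module $1 appears in lsmod-style output read from stdin.
# Text-only, so it can be exercised against constructed input.
module_loaded_in() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Succeed if the kernel config file $1 has algif_aead compiled in (=y).
# A built-in algif_aead cannot be unloaded or blocked via modprobe.d.
aead_builtin_in_config() {
    grep -q '^CONFIG_CRYPTO_USER_API_AEAD=y' "$1"
}

# The modprobe.d directive from the advisory: 'install' replaces the load
# with /bin/false, so explicit modprobe and kernel auto-load both fail.
disable_directive() {
    printf 'install %s /bin/false\n' "$1"
}

# Apply the workaround on the running system (requires root). Return codes:
# 1 not root, 2 module is built-in, 3 module busy, 4 verification failed.
apply_workaround() {
    mod=algif_aead
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ] && aead_builtin_in_config "$cfg"; then
        echo "$mod is built into this kernel; patch instead" >&2
        return 2
    fi
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    disable_directive "$mod" > "$CONF"
    if lsmod | module_loaded_in "$mod"; then
        rmmod "$mod" || {
            echo "$mod busy (open aead socket?); $CONF applies after reboot" >&2
            return 3
        }
    fi
    # Verify: with the install rule in place a load attempt must now fail.
    if modprobe "$mod" 2>/dev/null; then
        echo "verification failed: $mod is still loadable" >&2
        return 4
    fi
    echo "$mod disabled; $CONF installed"
}
```

Source the file and run `apply_workaround` as root; a return code of 2 means the module cannot be disabled on this kernel and patching is the only option, and 3 means the `modprobe.d` rule is in place but the running module survives until reboot.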
## Detection
- **Indicators of Compromise:** `AF_ALG` socket creation or `splice()` calls by unprivileged accounts, especially from short-lived interpreter processes, and privilege escalation following the execution of small scripts (the PoC is approximately 732 bytes).
- **Detection Methods:** Use `auditd` rules on the `socket` system call (with `AF_ALG` as its first argument) and on `splice`, and on module load/unload (`init_module`, `finit_module`, `delete_module`) to catch tampering with the workaround. `auditd` cannot observe page-cache contents, so the overwrite itself leaves no audit record; detection has to rest on the syscall sequence and the privilege change that follows it.
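The detection approach above as an added example; it is not from the advisory or the exploit authors. The script produces `auditd` rules for the two system calls the chain relies on and filters raw audit records for matches. It assumes x86_64 syscall numbers (`socket`=41, `splice`=275) and `AF_ALG`=38 (hex 26 in raw records); the `-k` key names and the sample records are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): auditd rules for the two system
# calls the Copy Fail chain relies on, and a filter that pulls matching
# SYSCALL records out of raw audit logs. Assumes x86_64 syscall numbers
# (socket=41, splice=275) and AF_ALG=38 (0x26); the -k key names are this
# example's own choice.

# Rules for /etc/audit/rules.d/copy-fail.rules (or pass each to auditctl).
# auid>=1000 with auid!=unset limits logging to real, logged-in users and
# keeps routine system use of splice() out of the trail.
copy_fail_audit_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S socket -F a0=38 -F auid>=1000 -F auid!=unset -k copy_fail_afalg
-a always,exit -F arch=b64 -S splice -F auid>=1000 -F auid!=unset -k copy_fail_splice
EOF
}

# Read raw audit records on stdin; print "auid comm exe key" for each SYSCALL
# record that is socket(AF_ALG, ...) or splice() issued by auid >= 1000.
# Raw records carry a0..a3 in hex and write an unset auid as 4294967295.
flag_copy_fail_records() {
    awk '
    $1 != "type=SYSCALL" { next }
    {
        for (i = 1; i <= NF; i++) { split($i, kv, "="); f[kv[1]] = kv[2] }
        hit = 0
        if (f["syscall"] == "41" && f["a0"] == "26") hit = 1   # socket(AF_ALG, ...)
        if (f["syscall"] == "275")                   hit = 1   # splice()
        if (hit && f["auid"] != "unset" && f["auid"] != "4294967295" && f["auid"] + 0 >= 1000)
            print f["auid"], f["comm"], f["exe"], f["key"]
        for (k in f) delete f[k]
    }'
}

# Constructed sample records (not from a real system): an AF_ALG socket and a
# splice() from user sessions, an AF_INET socket, a system splice() with an
# unset auid, and a non-SYSCALL record. Only the first and last SYSCALL lines
# should be flagged.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1714400000.101:501): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.12" key="copy_fail_afalg"
type=PROCTITLE msg=audit(1714400000.101:501): proctitle=707974686F6E33
type=SYSCALL msg=audit(1714400000.102:502): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=1 a2=6 a3=0 items=0 ppid=2001 pid=2003 auid=1000 uid=1000 gid=1000 euid=1000 comm="curl" exe="/usr/bin/curl" key=(null)
type=SYSCALL msg=audit(1714400000.103:503): arch=c000003e syscall=275 success=yes exit=4096 a0=5 a1=0 a2=7 a3=0 items=0 ppid=1 pid=640 auid=4294967295 uid=0 gid=0 euid=0 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" key="copy_fail_splice"
type=SYSCALL msg=audit(1714400000.104:504): arch=c000003e syscall=275 success=yes exit=4 a0=4 a1=0 a2=6 a3=0 items=0 ppid=2001 pid=2002 auid=1001 uid=1001 gid=1001 euid=1001 comm="python3" exe="/usr/bin/python3.12" key="copy_fail_splice"
EOF
}
```

Write `copy_fail_audit_rules` output to `/etc/audit/rules.d/copy-fail.rules` and load it with `augenrules --load`; on a live system feed `ausearch -k copy_fail_afalg --raw` (and the `copy_fail_splice` key) to `flag_copy_fail_records`. An `AF_ALG` socket followed shortly by `splice()` from the same pid is the sequence worth alerting on; either call alone is legitimate for some workloads.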
## References
- **Vendor Advisory:** hxxps://www.openwall.com/lists/oss-security/2026/04/29/23
- **Technical Write-up:** hxxps://xint[.]io/blog/copy-fail-linux-distributions
- **Project Site:** hxxps://copy[.]fail/
- **NVD Entry:** hxxps://nvd.nist.gov/vuln/detail/CVE-2026-31431