Full Report
Cybersecurity researchers have disclosed details of a Linux local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root. The high-severity vulnerability tracked as CVE-2026-31431 (CVSS score: 7.8) has been codenamed Copy Fail by Xint.io and Theori. "An unprivileged local user can write four controlled bytes into the page cache of any readable file on a Linux
Analysis Summary
# Vulnerability: "Copy Fail" Linux Local Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2026-31431
- **CVSS Score:** 7.8 (High)
- **CWE:** Not specified (logic flaw in the cryptographic subsystem's `algif_aead` module)
## Affected Systems
- **Products:** Linux Kernel
- **Versions:** Nearly all distribution kernels shipped since August 2017 (kernel 4.14 onwards, based on the date of the 2017 source commit).
- **Configurations:** Systems utilizing the `algif_aead` module within the Linux cryptographic subsystem. Major distributions mentioned include:
  - Amazon Linux
  - Red Hat Enterprise Linux (RHEL)
  - SUSE
  - Ubuntu
  - Debian
## Vulnerability Description
The flaw, codenamed "Copy Fail," is a logic error in the Linux kernel's `algif_aead` module. An in-place optimization introduced in 2017 allows a page-cache page to be included in the kernel's writable destination scatterlist during an AEAD (Authenticated Encryption with Associated Data) operation.
An unprivileged local user can exploit this by opening an `AF_ALG` socket and using `splice()` to drive a small, targeted write (up to four controlled bytes) into the page cache of any readable file. Because the page cache is shared system-wide, this allows an attacker to corrupt the memory-resident version of sensitive binaries (like `/usr/bin/su`) to bypass authentication or inject shellcode, despite the file being read-only on disk.
## Exploitation
- **Status:** PoC described (732-byte Python script); documented as highly reliable and portable.
- **Complexity:** Low (Does not require race conditions or kernel memory offsets).
- **Attack Vector:** Local
## Impact
- **Confidentiality:** High (Full administrative/root access).
- **Integrity:** High (Allows unauthorized modification of files in memory, including setuid binaries).
- **Availability:** High (Potential for system-wide instability or unauthorized control).
- **Note:** This vulnerability is "cross-container": because containers on a host share the host kernel's page cache, an attacker can move from a container to the host or to other containers.
## Remediation
### Patches
Linux distributions have released security advisories and kernel updates. Users should update to the latest kernel versions provided by their vendors:
- **Amazon Linux:** [explore.alas.aws[.]amazon.com/CVE-2026-31431.html]
- **Debian:** [security-tracker.debian[.]org/tracker/CVE-2026-31431]
- **Red Hat:** [access.redhat[.]com/security/cve/cve-2026-31431]
- **SUSE:** [suse[.]com/security/cve/CVE-2026-31431.html]
- **Ubuntu:** [ubuntu[.]com/security/CVE-2026-31431]
### Workarounds
Specific workarounds (such as disabling `AF_ALG` or the related socket modules) were not detailed in the article; the generic LPE mitigations are restricting local access for unprivileged users and applying kernel hardening.
## Detection
- **Indicators of compromise:** Unusual execution of `setuid` binaries (e.g., `su`, `sudo`) triggered by unauthorized scripts.
- **Detection methods and tools:** Monitoring for unexpected `AF_ALG` socket activity or unauthorized calls to `splice()` targeting system binaries.
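The correlation behind the second bullet, as an added example (not code from the article, Xint.io or Theori): a process that opens an `AF_ALG` socket and afterwards calls `splice()` with a file under a system binary directory as the target is flagged, while a process that only opens `AF_ALG` (legitimate userspace crypto consumers do) or only splices into a scratch file is not. The event lines are constructed in a simplified `key=value` format that is a hypothetical stand-in for what an audit or eBPF tracer would emit; the sensitive-directory list is likewise an assumption for the example.

```python
"""Correlate AF_ALG socket creation with splice() calls on system binaries.

Added example, not from the advisory or the researchers' code. The event
lines below are CONSTRUCTED in a simplified key=value format (hypothetical;
real audit/eBPF tracers use different field names) to show the correlation
logic the Detection section suggests.
"""
from collections import defaultdict

# Directories whose files are worth alerting on (assumption for this example).
SENSITIVE_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/")

# Constructed sample events: one suspicious process (pid 4242), one benign
# AF_ALG user that never splices (pid 99), and an ordinary splice into /tmp.
SAMPLE_EVENTS = """\
ts=1700000001 pid=99 uid=0 comm=legit-crypto syscall=socket family=AF_ALG
ts=1700000002 pid=4242 uid=1000 comm=python3 syscall=socket family=AF_ALG
ts=1700000003 pid=7 uid=1000 comm=cp syscall=splice path=/tmp/out.log
ts=1700000004 pid=4242 uid=1000 comm=python3 syscall=splice path=/usr/bin/su
ts=1700000005 pid=4242 uid=1000 comm=python3 syscall=splice path=/usr/bin/su
""".splitlines()


def parse_event(line: str) -> dict:
    """Parse one 'key=value key=value' line into a dict (values stay strings)."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def correlate(lines):
    """Return alerts for pids that opened AF_ALG and later spliced into a
    sensitive path. Each alert is (pid, uid, comm, path, splice_count)."""
    alg_sockets = {}            # pid -> timestamp of its first AF_ALG socket
    hits = defaultdict(int)     # (pid, path) -> number of suspicious splices
    meta = {}                   # pid -> (uid, comm), taken from the first event seen
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        pid = ev.get("pid")
        meta.setdefault(pid, (ev.get("uid"), ev.get("comm")))
        if ev.get("syscall") == "socket" and ev.get("family") == "AF_ALG":
            alg_sockets.setdefault(pid, int(ev["ts"]))
        elif ev.get("syscall") == "splice":
            path = ev.get("path", "")
            after_socket = pid in alg_sockets and int(ev["ts"]) >= alg_sockets[pid]
            if after_socket and path.startswith(SENSITIVE_PREFIXES):
                hits[(pid, path)] += 1
    alerts = []
    for (pid, path), count in sorted(hits.items()):
        uid, comm = meta[pid]
        alerts.append((pid, uid, comm, path, count))
    return alerts


if __name__ == "__main__":
    for pid, uid, comm, path, count in correlate(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} uid={uid} comm={comm} spliced into {path} "
              f"x{count} after opening an AF_ALG socket")
```

The `AF_ALG` socket on its own is a weak signal, which is why the rule keys on the combination with a `splice()` whose target lives under a system binary directory; tune `SENSITIVE_PREFIXES` to the setuid and library paths that matter on the host.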
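Because the corruption described above lives only in the page cache while the file on disk stays unchanged, the two views of a binary can be compared directly. The following added example (not code from the article, Xint.io or Theori) reads a file once through the page cache with an ordinary `read()` and once through a descriptor opened with `O_DIRECT`, which bypasses the page cache and fetches the blocks from the device, then reports the first offset where the two disagree. It assumes Linux, CPython 3.7 or later (for `os.preadv`), and a filesystem that honours `O_DIRECT` (tmpfs and some overlay setups do not); the default target `/usr/bin/su` is the binary the article names.

```python
"""Compare a file's page-cache view with its on-disk view.

Added example, not from the advisory or the researchers' code. A normal
read() is served from the page cache; a read() through a descriptor opened
with O_DIRECT bypasses the page cache and comes from the block device. If
the two views of a read-only binary differ, the in-memory copy has been
altered, which is the symptom Copy Fail produces. Assumptions: Linux,
CPython 3.7+ (os.preadv), and a filesystem that honours O_DIRECT.
"""
import mmap
import os
import sys

BLOCK = 4096  # O_DIRECT needs buffer address, file offset and length block-aligned


def read_via_page_cache(path: str) -> bytes:
    """Ordinary read: whatever is resident in the page cache is what we get."""
    with open(path, "rb") as f:
        return f.read()


def read_bypassing_page_cache(path: str) -> bytes:
    """Read with O_DIRECT so the data comes from the device, not the cache."""
    fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    try:
        size = os.fstat(fd).st_size
        buf = mmap.mmap(-1, BLOCK)   # anonymous mapping, hence page-aligned
        chunks, offset = [], 0
        while offset < size:
            # Aligned length and offset; a short read at EOF is allowed.
            n = os.preadv(fd, [buf], offset)
            if n == 0:
                break
            chunks.append(buf[:n])   # slicing an mmap yields an independent bytes copy
            offset += n
        buf.close()
        return b"".join(chunks)
    finally:
        os.close(fd)


def first_difference(cached: bytes, on_disk: bytes):
    """Return (offset, cached_bytes, disk_bytes) for the first mismatch, or None."""
    if cached == on_disk:
        return None
    limit = min(len(cached), len(on_disk))
    for i in range(limit):
        if cached[i] != on_disk[i]:
            return i, cached[i:i + 4], on_disk[i:i + 4]
    # Same prefix but different lengths: report the point where one view ends.
    return limit, cached[limit:limit + 4], on_disk[limit:limit + 4]


def check_file(path: str):
    """None if page cache and disk agree, else details of the first mismatch."""
    return first_difference(read_via_page_cache(path), read_bypassing_page_cache(path))


if __name__ == "__main__":
    for target in sys.argv[1:] or ["/usr/bin/su"]:
        diff = check_file(target)
        if diff is None:
            print(f"{target}: page cache matches disk")
        else:
            off, mem, disk = diff
            print(f"{target}: MISMATCH at offset {off:#x}: "
                  f"cache={mem.hex()} disk={disk.hex()}")
```

This is a point-in-time check: the altered page is never written back (the file stays unchanged on disk), so it persists only until the page is evicted, after which both views agree again. A clean result therefore does not prove the page was never altered, while a mismatch of a few bytes in a setuid binary is a strong indicator that deserves the process-level correlation described above.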
## References
- Xint.io Research: [xint[.]io/blog/copy-fail-linux-distributions]
- Official Website: [copy[.]fail]
- CVE Record: [cve.org/CVERecord?id=CVE-2026-31431]
- Source Commit: [github[.]com/torvalds/linux/commit/72548b093ee3]