CVE-2026-31431
May 1, 2026

Linux CVE-2026-31431 "Copy Fail" LPE Enables Stealthy Root Access, Container Escape

Security Advisory
Kudelski Security Team

Summary

CVE-2026-31431, codenamed "Copy Fail," is a high-severity local privilege escalation vulnerability (CVSS 7.8) affecting the Linux kernel. Discovered by researchers at Xint.io and Theori, the flaw permits an unprivileged local user to write four controlled bytes into the page cache of any readable file, which can be chained to achieve root privileges. Additionally (and unfortunately), because containers share the host kernel, cross-container exploitation and escape to the host also become possible. The vulnerability has been present in every Linux kernel release since 2017, with the exception of the fixed releases listed in the next section. Many public proof-of-concept implementations of this exploit exist in the wild, so patching to a fixed release as soon as possible is imperative.

Affected Systems and/or Applications

  • Affected: Linux kernel versions released since 2017; first affected version: 4.14.
  • Fixed kernel versions:
    • 5.10.254
    • 5.15.204
    • 6.1.170
    • 6.6.137
    • 6.12.85
    • 6.18.22
    • 6.19.12
    • 7.0+

Technical Details

The vulnerability originates from unsafe in-place memory handling in the algif_aead module of the kernel crypto API (crypto: algif_aead, the AF_ALG socket interface for AEAD ciphers). When the kernel was modified to process AEAD operations in place, it failed to account for the source and destination buffers having different memory mappings. This design flaw exposes a 4-byte arbitrary write primitive targeting the page cache of readable files. An attacker can apply this primitive repeatedly to corrupt kernel structures or modify privileged binaries four bytes at a time (in the page cache only; the on-disk file is unchanged), bypassing standard security boundaries to escalate to root.

Mitigation

Affected organizations are advised to update their Linux distributions to the latest vendor-supplied kernel packages, which contain the official out-of-place memory handling patches. Consult your distro's documentation to upgrade to a patched kernel version, then reboot the host to load the patched kernel and verify the active version using uname -r.

Additionally:

  • For environments requiring delayed patching, temporarily blacklist the algif_aead module via /etc/modprobe.d/ to mitigate exploitation risk, noting that this may disrupt applications relying on in-kernel AEAD processing. According to the Xint disclosure site, "Disabling it does not slow anything that wasn't already calling it; for the things that were, performance falls back to a normal userspace crypto library, which is what almost everything else already does."
  • Apply SELinux or AppArmor policies to limit which processes can access the cryptographic socket interface.
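As an added example (not part of the advisory), a POSIX shell triage helper that classifies a kernel version string against the fixed releases listed above and writes the algif_aead modprobe.d blacklist fragment. The script name, the output labels (unaffected/fixed/vulnerable) and the choice to report a stable branch missing from the fixed list as vulnerable are this example's own assumptions.

```shell
#!/bin/sh
# Added example: triage helpers for CVE-2026-31431 ("Copy Fail").
# Fixed releases are those listed in the advisory; 7.0 and later are fixed,
# and kernels before 4.14 predate the bug.
FIXED_RELEASES="5.10.254 5.15.204 6.1.170 6.6.137 6.12.85 6.18.22 6.19.12"

# kernel_status VERSION -> prints "unaffected", "fixed" or "vulnerable".
# Assumption: a branch (X.Y) absent from the fixed list is reported as
# vulnerable, because the advisory names no fixed release for it.
kernel_status() {
  v=${1%%[!0-9.]*}                      # drop "-45-generic" style suffixes
  oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 14 ]; }; then
    echo unaffected; return
  fi
  if [ "$major" -ge 7 ]; then echo fixed; return; fi
  for f in $FIXED_RELEASES; do
    oldifs=$IFS; IFS=.; set -- $f; IFS=$oldifs
    if [ "$1" -eq "$major" ] && [ "$2" -eq "$minor" ]; then
      if [ "$patch" -ge "$3" ]; then echo fixed; else echo vulnerable; fi
      return
    fi
  done
  echo vulnerable
}

# write_algif_aead_blacklist DIR: drop a modprobe.d fragment into DIR
# (normally /etc/modprobe.d) so algif_aead is neither auto-loaded by alias
# nor loadable by name. Has no effect if the module is built into the kernel
# (check modules.builtin for the running kernel in that case).
write_algif_aead_blacklist() {
  f="$1/blacklist-algif-aead.conf"
  printf 'blacklist algif_aead\ninstall algif_aead /bin/false\n' > "$f"
  echo "$f"
}

# algif_aead_loaded: succeeds if the module is currently loaded on this host.
algif_aead_loaded() { [ -d /sys/module/algif_aead ]; }

# Live checks run only when saved and executed as cve-2026-31431-check.sh.
if [ "${0##*/}" = "cve-2026-31431-check.sh" ]; then
  running=$(uname -r)
  echo "kernel $running: $(kernel_status "$running")"
  algif_aead_loaded && echo "algif_aead is loaded" || echo "algif_aead not loaded"
fi
```

Run `kernel_status "$(uname -r)"` after the reboot to confirm the patched kernel is the one actually active, then verify the blacklist file with `modprobe -n -v algif_aead` (dry run).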

What the Cyber Fusion Center is Doing

The Cyber Fusion Center (CFC) is actively monitoring the situation and will issue advisory updates as needed. Potential avenues for threat hunting are being investigated.
