A vulnerability known as 'Copy Fail' has been discovered in Linux, allowing ordinary users to gain root privileges, affecting numerous distributions released since 2017.

Copy Fail — CVE-2026-31431
https://copy.fail/

Copy Fail: 732 Bytes to Root on Every Major Linux Distribution. - Xint
https://xint.io/blog/copy-fail-linux-distributions
The CVE number for Copy Fail is CVE-2026-31431 , and according to Xint, many major Linux distributions shipped since 2017 may be affected. kernel.org, the CVE management body for the Linux kernel, has rated Copy Fail as 'HIGH' with a CVSS v3.1 base score of 7.8.
The reason Copy Fail is considered dangerous is that it doesn't require fine-tuning or timing competition between kernels to succeed. While some common privilege escalation vulnerabilities require exploiting a momentary discrepancy in processing order, Xint describes Copy Fail as a logical bug that fires according to a fixed sequence of operations, independent of race conditions. In fact, Xint's documentation states that a short proof-of-concept code using only the standard libraries of Python 3.10 and later allowed them to obtain a root shell on Ubuntu, Amazon Linux, RHEL, and SUSE.

On the other hand, one reason why the CVSS rating remained at HIGH is that Copy Fail is not a remote code execution vulnerability that allows direct intrusion into a server over the internet. The attacker needs to execute code as a regular user on the target system, and environments where this is likely to occur include development servers, build servers, CI runners, Kubernetes clusters, and SaaS or sandbox environments where users can bring in their own code, all of which share the same Linux kernel with multiple users.
The cause of the copy failure is said to be a combination of processes: 'AF_ALG' which uses the Linux kernel's encryption function from user space, 'splice()' which passes file contents without copying them, 'page cache' which keeps file contents in memory, and 'authencesn', which is a wrapper for authenticated encryption (
Normally, tampering with a file requires going through the file system's write path. However, in Copy Fail, a controlled 4-byte write occurs to the page cache in memory, rather than to the file on disk. Since the file itself on disk remains unchanged, it is difficult to detect tampering by comparing the file's checksum. On the other hand, operations such as 'read()', 'mmap()', and 'execve()' may use the page cache in memory, and if the contents of the page cache are overwritten, the overwritten content will be used for reading or execution.

A typical example of this attack involves modifying the page cache of a binary like /usr/bin/su, which has the 'setuid root' attribute and is configured to run with root privileges even when executed by a regular user. This allows the attacker to execute arbitrary code with root privileges only at runtime, without changing any files on disk.
The technical cause of the copy failure is said to be the in-place optimization introduced in 2017 to algif_aead.c, which handles AEAD in the Linux kernel. In-place optimization is a method that processes using the same area instead of preparing separate areas for input and output. As a result of this change, in AF_ALG's AEAD processing, the input source and output destination are managed in the same scatterlist. Consequently, a situation arose where the page cache originating from splice() was concatenated to the end of the writable output scatterlist.

The direct trigger was an AEAD wrapper called authencesn. During its internal processing, authencesn uses the caller's output buffer as a working area, but it was arbitrarily using 4 bytes more than its own legitimate memory range. This had not been a problem before, but with in-place optimization, a page cache was added to the end of the output buffer, scatterlist, causing the 4-byte overflow to overwrite the page cache.
Copy Fail is also serious in container environments. Because the page cache is shared across the host, a process within a container can potentially affect the page cache on the host. Xint described Copy Fail not as a simple local privilege escalation, but as 'a primitive component of container escapes and a vector that leads to Kubernetes node compromise.'
The solution to Copy Fail is to 'update to the corrected kernel provided by your distribution.' In the corrected kernel, the handling of AF_ALG AEAD is reverted to an out-of-place form where input and output are handled in separate scatterlists. Xint lists updating to the corrected kernel as the top priority, and recommends disabling the algif_aead module or blocking AF_ALG socket creation by seccomp as temporary workarounds if immediate updating is not possible.
Related Posts:
in Security, Posted by log1d_ts







