CVE-2026-31431: “Copy Fail” Linux kernel flaw lets local users gain root in seconds

On April 29, 2026, CVE-2026-31431 (CVSS 7.8 HIGH), nicknamed “Copy Fail,” was disclosed in the Linux kernel's algif_aead userspace crypto interface. Researchers at Theori demonstrated that an unprivileged local user can corrupt the page cache backing setuid binaries and gain root access within seconds. There are working exploits for Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16 kernels.

The flaw was introduced in 2017 via commit 72548b093ee3, which switched AEAD operations to in-place processing. A fix was included in the patch series ending with commit fafe0fa2995a in early April, and it reverts that near decade-old optimization. The Sysdig Threat Research Team (TRT) has analyzed the issue, tested a detection rule, and deployed runtime detection coverage.

Affected Versions

• Vulnerable: Linux kernel 4.14 through 7.0-rc, all 6.18.x prior to 6.18.22, and 6.19.x prior to 6.19.12 (regression introduced in 4.14, July 2017)
• Fixed: 7.0, 6.19.12, 6.18.22 
• Vulnerable downstream distribution backports: Older LTS lines, such as 6.12.x, 6.6.x, 5.15.x, 5.10.x
• Proof of concept (PoC): theori-io/copy-fail-CVE-2026-31431
• CISA KEV: Not listed at the time of this publication

Root cause

algif_aead exposes the kernel's AEAD ciphers to userspace through AF_ALG sockets. Following the 2017 in-place optimization, the kernel sets req->src = req->dst and chains tag pages from the source scatterlist into the output scatterlist via sg_chain(). When userspace feeds the socket through splice(), those tag pages reference the page cache of the spliced file.

The authencesn(hmac(sha256),cbc(aes)) algorithm writes four bytes at offset assoclen + cryptlen as scratch space for Extended Sequence Number rearrangement. But because of the flaw, the output scatterlist now extends into the chained page cache pages. That four-byte write ends up inside the spliced file’s cached data in memory, bypassing the file's permissions.

Exploitation

The public PoC is roughly 700 bytes of Python script and chains three primitives:

1.	Bind an AF_ALG socket to authencesn(hmac(sha256),cbc(aes)).
2.	splice() page cache pages of /usr/bin/su into the crypto pipeline.
3.	Issue a recvmsg() whose AAD bytes 4–7 supply the 4-byte value the authencesn scratch write will deposit into the target page.

The HMAC verification fails as expected, but the corruption persists in the page cache. Repeating the primitive at successive offsets stages a small shellcode into the cached pages of /usr/bin/su. Running su afterward executes the patched binary and yields a root shell. The attacker controls the target file, write offset, and four-byte payload.

Unlike Dirty Pipe (CVE-2022-0847), which required precise pipe buffer manipulation and version-specific targeting, Copy Fail operates as a straight-line logic flaw that triggers reliably across distributions without races or crash-prone timing windows.

Impact

Any local unprivileged user on a vulnerable kernel can gain root access. There is no standalone remote vector: An attacker needs code execution on the machine first, either directly or

through a prior compromise such as a web application vulnerability. Once that foothold exists, this exploit escalates any unprivileged user to root. Because the exploit relies only on standard syscalls (socket, setsockopt, splice, sendmsg, recvmsg) and an algorithm available in default kernel configurations, it works on unmodified enterprise distributions without additional kernel modules.

Detection with Sysdig Secure

Sysdig Secure customers automatically have a detection in place, using the rule AF_ALG Page Cache Poisoning Leading to Privilege Escalation. It is part of the Sysdig Runtime Behavioral Analytics managed policy. This rule is very precise due to the advanced Observations detection engine.

Detection with open source Falco

For Falco Feeds customers and open source Falco users, the rule below can be used to detect suspicious activity around AF_ALG socket creation. It may, however, require tuning depending on your environment. This type of socket is used by Kernel TLS (kTLS), which is becoming more common. For Falco Feeds customers, this rule will be automatically available.

- list: known_af_alg_binaries
    items: [cryptsetup, "systemd-cryptse", "systemd-cryptsetup", veritysetup, integritysetup, "cryptsetup-resh", kcapi-enc, kcapi-dgst, kcapi-rng, kcapi-sym]

  - macro: successful_af_alg_socket
    condition: >
      evt.type = socket and
      evt.rawres >= 0 and
      (evt.arg.domain contains AF_ALG or evt.rawarg.domain = 38)

  - macro: successful_af_alg_seqpacket_socket
    condition: >
      successful_af_alg_socket and
      (evt.arg.type = 5 or
       evt.arg.type = 2053 or
       evt.arg.type = 524293 or
       evt.arg.type = 526341)

- rule: Unexpected Process Using Kernel AEAD Crypto Socket
  desc: >
    Detects creation of an AF_ALG SEQPACKET socket — the kernel AEAD crypto API interface exclusively required by AEAD operations (authencesn, ccm, gcm) — from a process outside the known disk-encryption toolchain. This is the mandatory first step of CVE-2026-31431, a Linux kernel LPE that uses AF_ALG + splice() to corrupt a SUID binary in the page cache. The SOCK_SEQPACKET type filters out the majority of legitimate AF_ALG users (hashing, symmetric crypto) which use SOCK_DGRAM.
  condition: >
    successful_af_alg_seqpacket_socket and
    not proc.name in (known_af_alg_binaries)
  output: Unexpected process %proc.name opened AF_ALG AEAD kernel crypto socket with parent %proc.pname under user %user.loginname (socket.domain=%evt.arg.domain socket.type=%evt.arg.type proc.pid=%proc.pid proc.exe=%proc.exe proc.name=%proc.name proc.exepath=%proc.exepath proc.pname=%proc.pname proc.pexepath=%proc.pexepath gparent=%proc.aname[2] gexepath=%proc.aexepath[2] ggparent=%proc.aname[3] container.name=%container.name image=%container.image.repository:%container.image.tag proc.cmdline=%proc.cmdline proc.pcmdline=%proc.pcmdline gcmdline=%proc.acmdline[2] ggcmdline=%proc.acmdline[3] proc.ppid=%proc.ppid user.name=%user)
  priority: CRITICAL
  tags: [host, container, kernel, cve, CVE-2026-31431, MITRE,
          MITRE_TA0004_privilege_escalation,
          MITRE_T1068_exploitation_for_privilege_escalation]

Recommendations

• Update to Linux 7.0, 6.19.12, or 6.18.22 (or the corresponding distribution backport for older LTS lines).
• Restrict AF_ALG socket creation where possible via seccomp profiles, container runtime defaults, or by disabling CONFIG_CRYPTO_USER_API_AEAD on hosts that do not require userspace crypto.
• Deploy the Falco rule above to flag unprivileged AF_ALG socket creation across hosts and containers.
• Audit running workloads for legitimate AF_ALG users so that detection exceptions are scoped to known binaries rather than disabled.
• Monitor for unexpected modifications to setuid binaries and unexpected privilege transitions following kernel crypto syscalls.

Conclusion

Copy Fail is a reliable local privilege escalation that turns an eight-year-old performance optimization into a four-syscall path from unprivileged user to root. With a working public PoC covering every major enterprise distribution, exploitation is trivial wherever patches lag. 

Until kernels are updated, runtime detection of AF_ALG socket abuse is the most practical compensating control, and algif_* exploitation should be treated the same way Dirty Pipe was: Assume any local foothold can become root access within seconds.

‍