Copy Fail Escalates: 732-Byte Exploit Cracks Every Major Linux Distro Since 2017

The Flaw That Slipped Past 9 Years of Security Reviews

CVE-2026-31431, commonly known as Copy Fail, is a vulnerability in the Linux kernel that allows unauthorized privilege escalation, disclosed by security firm Theori to the public on 29 April 2026. But here's where the story gets worse: CVE-2026-31431 is a high-severity local privilege escalation (LPE) vulnerability affecting the Linux kernel's cryptographic subsystem, and Copy Fail is a logic bug in the Linux kernel's authencesn cryptographic template that lets an unprivileged local user trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system. A single 732-byte Python script can edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017.

This isn't a memory corruption bug that requires winning a race condition. Copy Fail is a straight-line logic flaw that triggers without races, retries, or crash-prone timing windows. That's the nightmare scenario for defenders.

Scope: Virtually Every Linux Deployment at Risk

The vulnerability affects virtually all Linux distributions running kernels released from 2017 until patched versions are applied, including but not limited to Ubuntu (for example, 24.04 LTS), Amazon Linux 2023, Red Hat Enterprise Linux (RHEL 10.1), and SUSE 16, as well as other distributions like Debian, Fedora, and Arch Linux.

Every Linux distribution using Linux kernel versions between 4.14 (2017) and 6.19.12 is at risk. That spans a decade of kernel versions across hundreds of millions of production systems worldwide. Cloud infrastructure, Kubernetes clusters, CI/CD runners, container hosts—if it runs Linux and hasn't been patched in the last week, it's vulnerable.

The technical severity is high: The CVSS score is 7.8 (High), reflecting its significant impact.

How The Attack Works: Page Cache Corruption With Surgical Precision

AF_ALG is a socket type that exposes the kernel's crypto subsystem to unprivileged userspace. A user can open a socket, bind to any AEAD (Authenticated Encryption with Associated Data) template, and invoke encryption or decryption on arbitrary data. No privileges required. A core primitive underlying this bug is splice(): it transfers data between file descriptors and pipes without copying, passing page cache pages by reference. When a user splices a file into a pipe and then into an AF_ALG socket, the socket's input scatterlist holds direct references to the kernel's cached pages of that file.

The flaw allows a local user to modify the kernel's cached copy of a file in memory without changing the file on disk. By targeting a privileged binary, an attacker can gain root access. The elegance and danger are inseparable: The write bypasses the ordinary VFS write path.

What makes this uniquely dangerous in cloud and container environments: The page cache is shared across all processes on a system, including across container boundaries. Copy Fail is not just a local privilege escalation. It is a container escape primitive and a Kubernetes node compromise vector.

The Exploit: Reliability Meets Portability

The same exact script works on every tested distribution and architecture, including Ubuntu, Amazon Linux, RHEL, and SUSE. No per-distro offsets. No recompilation. No version checks in the exploit. The entire exploit is a short Python script using only standard library modules (os, socket, zlib). It requires Python 3.10+ for os.splice. No compiled payloads, no dependency installation.

The exploit script is tiny, doesn't rely on additional software being installed, will work on almost all Linux distributions released since 2017, will work each time it's run on a vulnerable system, doesn't change files on disk and won't be flagged by tools that monitor files for tampering, leaves no forensic trace on disk. For attackers, it's a dream. For defenders, it's a nightmare.

Real-World Attack Chain: Where Copy Fail Becomes Lethal

Copy Fail requires local code execution to trigger—it's not remotely exploitable on its own. But that's where the broader threat landscape becomes critical. CVE-2026-31431 exploitation requires local code execution as a regular user, which means that, by itself, it can't be exploited remotely. But chain it with anything that gives you that (web RCE landing in an unprivileged service account, an SSH foothold, a malicious PR on a CI runner) and you're root.

This means:

• A compromised web application running as 'www-data' becomes a root-level breach in minutes
• A CI/CD pipeline executing untrusted code (public repositories, third-party Actions) provides a direct escalation path
• A Kubernetes pod escape flows directly into node compromise and cluster takeover
• An SSH foothold into a bastion host becomes lateral movement across the entire infrastructure

Successful exploitation leads to full root privilege escalation (high impact to confidentiality, integrity, and availability) and could facilitate container breakout, multi-tenant compromise, and lateral movement within shared environments. Its reliability, stealth (in-memory-only modification), and cross-platform applicability make it particularly dangerous in cloud, CI/CD, and Kubernetes environments where untrusted code execution is common.

Patch Status: The Patchwork Problem

A public exploit is available and reported to be reliable, drawing comparisons to previous high-profile Linux kernel privilege escalation flaws. Patched kernel versions are available, though some major distributions have not yet shipped updates.

CISA has added CopyFail to its Known Exploited Vulnerabilities catalog and ordered US federal civilian agencies to address it by May 15, 2026. Patches are available for Debian, Ubuntu, AlmaLinux, SUSE, Fedora and CloudLinux users, while RHEL users are still waiting. This creates a cascading vulnerability exposure: some users can patch immediately, others face weeks of delay waiting for vendor releases.

Given the availability of a fully working exploit proof-of-concept (PoC) and the race to patch systems, Microsoft Defender is seeing preliminary testing activity that might result most likely in increased threat actor exploitation over the next few days, as also confirmed by the recent addition of this vulnerability to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerability (KEV) catalog.

Immediate Mitigation: The Workaround Trap

Blocking the vulnerable kernel module sounds simple: echo \"install algif_aead /bin/false\" > /etc/modprobe.d/disable-algif.conf and rmmod algif_aead. But there's a critical catch. The modprobe-based workaround circulating on oss-security does not work on CloudLinux, AlmaLinux, or any other RHEL-family distribution. The algif_aead module is built into the kernel (CONFIG_CRYPTO_USER_API_AEAD=y), so modprobe.d rules cannot block its loading and rmmod cannot remove it. The commands run without errors but leave the system unchanged—applying them gives a false sense of protection.

For RHEL-based systems, the only reliable temporary mitigation is: grubby --update-kernel=ALL --args=\"initcall_blacklist=algif_aead_init\", which requires a reboot.

This workaround does not affect dm-crypt/LUKS, kTLS, IPsec/XFRM, OpenSSL, GnuTLS, NSS, or SSH. It may affect applications explicitly configured to use the afalg engine or that bind aead/skcipher/hash sockets directly. Exposure can be assessed with lsof | grep AF_ALG.

Detection: The Forensic Blind Spot

Here's where Copy Fail breaks traditional incident response: Because the modification exists only in the page cache, the underlying file on disk remains unchanged. Standard disk forensics would not detect the alteration, and clearing memory through a reboot or resource pressure causes the cache to reload from the original file.

Behavioral detection requires scrutiny: Loading during system boot is relatively common, but on-demand loading (e.g., 300+ seconds after boot) was only observed after the CVE became public. This suggests that delayed AF_ALG loading may be a more suspicious signal. But there's no silver bullet. Memory-only modifications, stealth exploitation, and the fact that the underlying file remains untouched make detection asymmetrically difficult.

What Defenders Must Do Now

Patch or update your distribution's kernel packages or to block AF_ALG socket creation. Prioritization must follow this hierarchy:

• Critical Priority (Patch immediately): Kubernetes nodes, CI/CD runners, public-facing web services, bastion hosts, any system accepting untrusted code execution
• High Priority (Patch within 48 hours): Database servers, internal application hosts, anything with SSH access from networks you don't control
• Medium Priority (Patch within 1 week): Internal-only systems, workstations, systems with minimal lateral movement risk

Since this vulnerability is incredibly prevalent, prioritize remediation efforts on affected hosts running applications that may execute external untrusted code. This includes (but is not limited to) production multi-tenant services and CI runners operating in public repositories.

For systems where patching is blocked by distribution delays, temporary workarounds (grubby-based module blacklisting on RHEL, modprobe on others) provide some protection but are not a substitute for kernel updates.

The Larger Threat: When Logic Beats Crypto

Copy Fail exposes a hard lesson: The Linux kernel has had high-profile privilege escalation bugs before. Dirty Cow (CVE-2016-5195) required winning a race condition in the VM subsystem's copy-on-write path. It often needed multiple attempts and sometimes crashed the system. Dirty Pipe (CVE-2022-0847) was version-specific and required precise pipe buffer manipulation. Copy Fail eliminates all those friction points. It's a 9-year-old optimization that nobody questioned deeply enough until 2026.

This is the real takeaway: the most dangerous vulnerabilities aren't always in cryptography or network protocols. They're in the logic that's been running unexamined for nearly a decade across every production Linux deployment on Earth.