About Elevation of Privilege - Linux Kernel "Copy Fail" (CVE-2026-31431) vulnerability. A local privilege escalation vulnerability in the Linux kernel AF_ALG component, which is caused by a memory handling flaw, allows an unprivileged user to escalate privileges to root. By exploiting this vulnerability, an attacker can fully compromise the system: read and modify any files, including passwords and keys, replace system binaries, disable security controls and monitoring tools, stealthily install backdoors and maintain persistence, hide traces of their activity, and use the host as a foothold for attacks on other network assets.
⚙️🛠 On April 1, patches addressing the vulnerability were merged into the main branch of the Linux kernel. On April 22, a CVE identifier was assigned to the vulnerability. On April 29, experts from Theori published an analysis of the vulnerability and a public exploit. The vulnerability's exploitability has been confirmed on up-to-date versions of widely used Linux distributions, including Ubuntu, Amazon Linux, RHEL, and SUSE.
👾 On May 1, the vulnerability was added to the CISA KEV catalog, indicating it is being exploited in the wild.
What distinguishes this vulnerability from similar EOP/LPE issues in Linux?
There have been high-profile privilege escalation vulnerabilities in the Linux kernel. Dirty COW required winning a race condition. Multiple attempts were often needed, and this sometimes led to system crashes. Dirty Pipe was tied to specific versions and required precise pipe buffer manipulation.
But unlike Dirty COW and Dirty Pipe, researchers report that Copy Fail is a straight-line logic flaw. It triggers without races, retries, or crash-prone timing windows.
🧬 Portability. The same exploit script works across all tested distributions and architectures, including Ubuntu, Amazon Linux, Red Hat Enterprise Linux (RHEL), and SUSE Linux Enterprise. No per-distribution offsets. No recompilation. No version checks in the exploit.
✧ Minimalism. The entire exploit is a short Python script using only standard library modules (os, socket, zlib). It requires Python 3.10+ for os.splice. No compiled payloads, no dependency installation.
🥷 Stealth. The write bypasses the ordinary VFS write path. The corrupted page is never marked dirty by the kernel's writeback machinery. Standard file integrity tools that compare on-disk checksums will not detect it, because the on-disk file remains unchanged. Only the in-memory page cache is corrupted.
📦 Cross-container impact. The page cache is shared across all processes on the system, including across container boundaries. Copy Fail is not just a local privilege escalation. It is a container escape primitive and a vector for Kubernetes node compromise.
How to fix the vulnerability?
To remediate the vulnerability, users need to update to Linux kernel versions 6.18.22, 6.19.12, and 7.0. The kernel can be built manually, or users can wait for their Linux distribution vendor to release updated kernel packages. As of May 4, updates have been released for Ubuntu, Debian, RHEL, Fedora, SUSE, CloudLinux, Arch Linux, and ROSA Linux.
As a workaround, researchers suggest blocking the creation of AF_ALG sockets:
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
rmmod algif_aead 2>/dev/null
