“Copy Fail” Linux Kernel 0-Day Lets Attackers Gain Root Since 2017
A critical zero-day vulnerability in the Linux kernel has been publicly disclosed, enabling any unprivileged local user to achieve full root access on virtually every major Linux distribution shipped since 2017.
Tracked as CVE-2026-31431 and dubbed “Copy Fail,” the flaw represents one of the most impactful local privilege escalation vulnerabilities in recent Linux history, requiring no race-winning, no kernel offsets, and no compiled payloads to exploit.
Copy Fail is a deterministic logic bug, not a race condition, residing in the Linux kernel’s authencesn cryptographic template.
It is reachable through the AF_ALG socket interface combined with the splice() system call, a combination that has existed in the kernel since a 2017 optimization introduced to algif_aead.c (commit 72548b093ee3).
Unlike predecessors such as Dirty Cow (CVE-2016-5195) or Dirty Pipe (CVE-2022-0847), exploiting Copy Fail requires no timing tricks or architecture-specific tuning.
A single 732-byte Python script that uses only standard library modules achieves deterministic root access across all tested distributions and CPU architectures.
The vulnerability was originally discovered by Theori researcher Taeyang Lee and subsequently scaled into a full exploit chain by the Xint Code Research Team, who leveraged AI-assisted analysis to map the complete exploitation path.
The flaw originates from three independent, seemingly reasonable code changes made in 2011, 2015, and 2017, none of which were individually problematic, but whose intersection went unnoticed for nearly a decade.
When a user splices a file into a pipe and feeds it into an AF_ALG socket, the AEAD input scatterlist holds direct references to the kernel page cache pages of that file rather than copies.
In algif_aead.c, the decryption path sets req->src = req->dst, causing both source and destination to point to the same combined scatterlist. This places live page cache pages into a writable destination scatterlist.
The authencesn algorithm used by IPsec for 64-bit Extended Sequence Number (ESN) support then uses the caller’s destination buffer as scratch space to rearrange ESN bytes. This writes 4 bytes past the declared output boundary, directly into chained page cache pages belonging to any file readable by the attacker.
Critically, the Linux kernel never marks the corrupted page as dirty for writeback, so the on-disk file remains completely untouched.
Standard checksum-based file integrity tools such as aide or tripwire will not detect the modification. The attacker then executes the corrupted in-memory version of a setuid binary, such as /usr/bin/su, to obtain a root shell.
Affected Distributions
The vulnerability was introduced with kernel 4.14 and affects every downstream distribution that ships the unfixed code. Confirmed affected platforms include:
| Distribution | Kernel Version |
|---|---|
| Ubuntu 24.04 LTS | 6.17.0-1007-aws |
| Amazon Linux 2023 | 6.18.8-9.213.amzn2023 |
| RHEL 10.3 | 6.12.0-124.45.1.el10_1 |
| SUSE Linux 16 | 6.12.0-160000.9-default |
Beyond local privilege escalation, Copy Fail doubles as a Kubernetes container escape primitive. Since the page cache is shared across all processes on a host, including across container boundaries, a compromised container can corrupt setuid binaries visible to other containers and the host kernel itself. Xint Code’s upcoming Part 2 research covers full Kubernetes node compromise using this technique.
Patch and Mitigations
The official fix (commit a664bf3d603d) reverts algif_aead.c to out-of-place AEAD operations, permanently separating the TX and RX scatterlists to prevent page cache pages from entering any writable destination path.
- Apply the upstream kernel patch through your distribution’s official update channel.
- Turn off the algif_aead kernel module to eliminate the attack surface:

  ```sh
  # Prevent the module from being loaded (including on-demand autoload)
  echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
  # Unload it now if it is already resident
  rmmod algif_aead 2>/dev/null
  ```
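As an added defender-side audit (example code written for this page, not from the article or the kernel project), the POSIX shell functions below check whether algif_aead is loaded, whether a modprobe install rule blocks it, and, a caveat the list above does not cover, whether CONFIG_CRYPTO_USER_API_AEAD is compiled into the kernel (=y), in which case there is no module to unload or block and only the kernel update helps. Paths default to the live system but each check accepts a saved copy as its argument.

```sh
#!/bin/sh
# Audit the algif_aead mitigation state for CVE-2026-31431 ("Copy Fail").
# Every check takes its input path as an optional argument so it can be run
# against saved copies of the system files; defaults are the live paths.

# 0 if algif_aead is currently loaded as a module (first field of /proc/modules).
algif_aead_loaded() {
    grep -q '^algif_aead ' "${1:-/proc/modules}" 2>/dev/null
}

# 0 if a modprobe.d fragment installs algif_aead as /bin/false or /bin/true,
# which stops the module from being autoloaded when an AF_ALG "aead" socket is bound.
algif_aead_blocked() {
    dir="${1:-/etc/modprobe.d}"
    grep -Eqs '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/(false|true)' "$dir"/*.conf
}

# 0 if the AEAD user-space API is built in (CONFIG_CRYPTO_USER_API_AEAD=y).
# Then there is no module to unload or block, and only the kernel update helps.
algif_aead_builtin() {
    grep -q '^CONFIG_CRYPTO_USER_API_AEAD=y' "${1:-/boot/config-$(uname -r)}" 2>/dev/null
}

# Print one word describing the state; exit 0 only when the module path is closed.
#   builtin  - interface compiled in, module-level mitigation impossible
#   loaded   - module present, rmmod still needed
#   blocked  - not loaded and install rule in place (mitigation complete)
#   autoload - not loaded, but nothing prevents loading it on demand
algif_aead_status() {
    if algif_aead_builtin "$3"; then echo builtin; return 1; fi
    if algif_aead_loaded  "$1"; then echo loaded;  return 1; fi
    if algif_aead_blocked "$2"; then echo blocked; return 0; fi
    echo autoload; return 1
}

# Report on the live system.
printf 'algif_aead mitigation state: %s\n' "$(algif_aead_status)"
```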
The vulnerability was reported to the Linux kernel security team on March 23, 2026; the patch was committed to mainline on April 1, 2026; the CVE was assigned on April 22, 2026; and public disclosure followed on April 29, 2026.
System administrators are urged to apply kernel updates immediately, prioritizing any internet-facing or multi-tenant Linux hosts.