
Linux distributions worldwide targeted by the Copy Fail exploit

An exploit for the “Copy Fail” security vulnerability (CVE-2026-31431) in the Linux kernel has been made public. The vulnerability affects all major Linux distributions released since 2017 and grants attackers without administrator privileges full root access. Patches are available in new kernel versions; those who have not yet patched can disable the algif_aead module as a mitigation measure. The vulnerability, disclosed before a fix was ready, has caused frustration within the Linux community.

A public proof-of-concept was released yesterday. The vulnerability, registered as CVE-2026-31431 and discovered by security firm Theori, is present in all major Linux distributions released since 2017.

Theori found the flaw using its AI-driven penetration testing platform, Xint Code, which scanned the kernel’s crypto subsystem in about an hour. The discovery was reported to the Linux kernel security team on March 23; patches followed within a week.

Four bytes that change everything

The root of the problem lies in the Linux kernel’s “authencesn” cryptographic template. By combining the AF_ALG socket interface with the splice() system call, an unprivileged user can write four controlled bytes to the page cache of any readable file, rather than to a normal buffer. If these four bytes land on a setuid-root binary, the attacker can alter its behavior and gain root privileges.

The flaw was introduced in 2017, when the Linux kernel team added an “in-place” optimization to the crypto path in kernel version 4.14. This caused the kernel to start reusing the same buffer instead of keeping input and output strictly separated.

The incident sparked frustration among developers and contributors to the Linux kernel and distributions. One user called it a “disaster” and said it was “extremely irresponsible” to demonstrate the vulnerability as a proof-of-concept before the patches were rolled out.

More dangerous than Dirty Pipe

Theori compares Copy Fail to the infamous Dirty Pipe vulnerability from 2022, but calls the new vulnerability more practical and widely applicable. The 732-byte Python exploit works consistently on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16. Copy Fail is also less susceptible to timing and race conditions than Dirty Pipe, resulting in an estimated 100 percent success rate for the exploit.

With such a high success rate, applying the temporary mitigation is essential, as is patching as soon as an update becomes available. Normally, such a vulnerability would have been reported to the linux-distros mailing list on Openwall so that distributions could prepare fixes before disclosure. The fact that this did not happen creates a much greater risk of actual exploitation.

Patches and temporary mitigation

CVE-2026-31431 was already patched upstream on April 1 by reverting the problematic crypto optimization. Fixes are available in kernel versions 6.18.22, 6.19.12, and 7.0. Major Linux distributions are shipping the fix in their kernel updates, though researchers report that no official distribution advisory for CVE-2026-31431 exists yet. Those who have not yet received the patch can disable the algif_aead module as a temporary measure. Theori recommends patching multi-tenant Linux hosts, Kubernetes clusters, CI runners, and cloud SaaS systems as soon as possible.
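As an added triage helper (not code from Theori or the article), the script below classifies an upstream kernel release string against the fixed versions named above (6.18.22, 6.19.12, 7.0) and the 4.14 introduction point, and checks a /proc/modules listing for the algif_aead module. The stable branches not named in the article, and distribution kernels that backport fixes without changing major.minor, are deliberately reported as undecidable, because only the distribution advisory is authoritative for them; the sample /proc/modules text is constructed.

```python
"""Triage helper for CVE-2026-31431 ("Copy Fail"): kernel version check and
algif_aead module check. Version logic uses only the numbers quoted in the
article; distro-patched kernels must be judged by their advisory instead."""
import re

INTRODUCED = (4, 14)                   # in-place crypto optimization landed here
FIXED_IN = {(6, 18): 22, (6, 19): 12}  # stable branch -> first fixed point release
FIXED_FROM = (7, 0)                    # 7.0 and later carry the revert


def parse_kernel_version(release: str) -> tuple:
    """Parse 'major.minor[.patch]' from a uname -r string such as
    '6.18.21-generic'; any suffix after the numeric prefix is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def copyfail_status(release: str) -> str:
    """'not-affected', 'patched', 'vulnerable', or 'unknown-check-distro-advisory'
    when the branch is not one the article names (e.g. RHEL's 5.14.0-*.el9
    or Ubuntu 24.04's 6.8.x, which receive backported fixes)."""
    major, minor, patch = parse_kernel_version(release)
    if (major, minor) < INTRODUCED:
        return "not-affected"
    if (major, minor) >= FIXED_FROM:
        return "patched"
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        return "unknown-check-distro-advisory"
    return "patched" if patch >= fixed_patch else "vulnerable"


def algif_aead_loaded(proc_modules_text: str) -> bool:
    """True if algif_aead is listed in /proc/modules (module name is the
    first column). Unloading/blacklisting it is the stop-gap until patched."""
    return any(line.split(maxsplit=1)[0] == "algif_aead"
               for line in proc_modules_text.splitlines() if line.strip())


if __name__ == "__main__":
    # Constructed sample, not captured from a real host.
    sample = ("algif_aead 16384 0 - Live 0x0\n"
              "authencesn 16384 1 algif_aead, Live 0x0\n")
    print(copyfail_status("6.18.21-generic"), algif_aead_loaded(sample))
```

On a live host, feed it `uname -r` and the contents of /proc/modules; a result of "vulnerable" with the module loaded is the case the article's temporary mitigation addresses.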