★ 9/10 · Security · 2026-04-30

New Linux 'Copy Fail' Vulnerability Enables Root Access on Major Distributions

Summary

CVE-2026-31431, codenamed "Copy Fail," is a high-severity (CVSS 7.8) local privilege escalation (LPE) vulnerability within the Linux kernel's cryptographic subsystem. It allows an unprivileged local user to gain root access by overwriting the page cache of readable files, such as setuid binaries.

Key Points

  • CVE Identifier: CVE-2026-31431 (CVSS score: 7.8).
  • Affected Systems: All Linux distributions released since August 2017, including Ubuntu, RHEL, SUSE, and Amazon Linux.
  • Exploit Size: A 732-byte Python script is sufficient to execute the exploit.
  • Vulnerability Scope: The flaw provides cross-container impact because the page cache is shared across all processes on a system.
  • Exploit Characteristics: The vulnerability is portable, does not require a race condition, and does not require a specific kernel offset.
  • Mechanism: Allows an unprivileged user to write four controlled bytes into the page cache of any readable file.

Technical Details

The vulnerability is rooted in a logic flaw within the algif_aead module of the Linux kernel's cryptographic subsystem, introduced via a source code commit in August 2017. The flaw involves an in-place optimization that allows a page-cache page to be placed in the kernel's writable destination scatterlist during an Authenticated Encryption with Associated Data (AEAD) operation submitted via an AF_ALG socket. By using the splice() system call to drive data into this socket, an unprivileged process can perform a targeted write into the page cache of a file it does not own.

The exploitation process follows a specific four-step sequence:
1. Open an AF_ALG socket and bind it to authencesn(hmac(sha256),cbc(aes)).
2. Construct a shellcode payload.
3. Trigger a write operation to the kernel's cached copy of a target setuid binary (e.g., /usr/bin/su).
4. Execute execve("/usr/bin/su") to load and run the injected shellcode with root privileges.

Impact / Why It Matters

This vulnerability allows unprivileged users to bypass sandboxing and escalate to full administrative access across nearly all modern Linux environments. Because the page cache is shared, the vulnerability also enables attackers to escape container boundaries and impact the host system.

security linux vulnerability