CopyFail Linux Kernel AEAD Flaw Enables Local Privilege Escalation
Researchers disclosed CVE-2026-31431, dubbed CopyFail, a high-severity local privilege-escalation flaw in the Linux kernel's crypto subsystem, affecting the algif_aead module reached through the AF_ALG socket interface. The bug was introduced in Linux 4.14 by commit 72548b093ee3, which made algif_aead process AEAD requests in place: output could be written back onto pages that had been supplied as input, and because those pages can be page-cache pages a caller spliced in from a file rather than memory the caller owns, the change created a path to memory corruption. The oss-sec disclosure said an unprivileged local attacker could exploit the flaw, and shipped a working Python proof of concept that turns it into a controlled page-cache write primitive against readable files.
That primitive could let attackers tamper with read-only files or setuid executables, potentially leading to privilege escalation or code execution. The issue has been fixed by reverting to out-of-place operation while preserving associated-data copying, with patches released in stable kernels 6.18.22, 6.19.12, and 7.0. Public advisories rate the flaw CVSS 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and recommend applying the stable kernel updates, restricting access to AF_ALG, and disabling or unloading the algif_aead module where it is not required.
Timeline
May 5, 2026
AF_ALG is reportedly deprecated and a patch submitted to remove zero-copy support
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Eric Biggers said AF_ALG had been marked deprecated by its maintainer and that he submitted a patch to remove AF_ALG zero-copy support. He argued the zero-copy feature was a key enabler of the vulnerability and that removing it would have prevented this bug class.
May 4, 2026
CISA orders federal agencies to remediate CopyFail by May 15
After adding CVE-2026-31431 ('CopyFail') to the Known Exploited Vulnerabilities catalog, CISA directed U.S. federal civilian agencies to remediate the Linux kernel flaw by 2026-05-15. The order formalized a government response deadline following KEV listing for the actively exploited local privilege-escalation bug.
May 3, 2026
oss-sec warns namespaces are weak isolation for AF_ALG and similar socket families
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Greg Dahlman argued that Linux namespaces are often overestimated as security boundaries for non-path-backed socket families including AF_ALG, AF_INET, and AF_VSOCK, because access controls may lack meaningful credential checks. The discussion broadened CopyFail mitigation debate into a wider concern about Linux socket-family isolation and the risks of exposing such interfaces to unprivileged users.
May 3, 2026
oss-sec argues kernel crypto user interfaces offer little benefit and should be kernel-only
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Peter Gutmann said user-space access to kernel crypto acceleration interfaces offers limited practical performance benefit and can add risk, including cases where OpenSSL may be routed through older or unpatched code paths. He suggested migrating the small number of remaining user-space applications off the interface and making it kernel-only to reduce attack surface.
May 3, 2026
oss-sec proposes capability-gating AF_ALG for unprivileged processes
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Simon McVittie argued AF_ALG access could be blocked in the kernel for unprivileged processes while trusted services retain access via Linux capabilities. He said any LD_PRELOAD-based approach should be treated only as an optional compatibility shim backed by a crypto library, not as a security boundary.
May 3, 2026
oss-sec says removing AF_ALG could break cryptsetup volume compatibility
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Milan Broz said AF_ALG is still used for legitimate purposes including cryptsetup benchmarking and compatibility with some TrueCrypt/VeraCrypt-related encrypted volume formats. He warned that removing or disabling AF_ALG could therefore break cryptsetup support in some real-world deployments, including distributions relying on that compatibility.
May 2, 2026
oss-sec says Linode/Akamai VPS kernels may block CopyFail boot-arg workaround
An oss-sec post said some provider-supplied monolithic kernels, including those seen on Linode/Akamai VPS instances, appear to have the vulnerable AF_ALG AEAD code built in and may not let customers supply kernel command-line options needed for the initcall_blacklist mitigation. The message added that switching to a distro or self-compiled kernel was theoretically possible but risky because the system might not come back after reboot.
May 2, 2026
oss-sec notes Debian 13 OpenSSL ships with AF_ALG engine enabled
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Alexander Bochmann said Debian 13 ships OpenSSL 3.5.5 with the AF_ALG engine enabled and demonstrated available AF_ALG-backed AES-CBC ciphers. The note added concrete evidence that some OpenSSL-based userspace cryptography could depend on AF_ALG, refining the compatibility impact of proposed AF_ALG-disabling mitigations.
May 2, 2026
oss-sec says disabling AF_ALG would not break IPsec or WireGuard
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Eric Biggers said the security problem lies in the AF_ALG userspace interface, not Linux's core in-kernel cryptography support. He added that disabling AF_ALG would not affect kernel features such as IPsec or WireGuard, though it could impact some user-space programs that rely on AF_ALG instead of userspace crypto libraries.
May 2, 2026
oss-sec proposes AF_ALG hardening and algorithm allowlist after CopyFail
In oss-sec discussion following CVE-2026-31431 ('CopyFail'), Eric Biggers argued AF_ALG should be redesigned to use safer internal kernel buffering, restrict supported algorithms with a strict allowlist, and drop complex features such as zero-copy scatterlists, asynchronous execution, and hardware crypto drivers. He said reducing AF_ALG complexity should take priority over performance to prevent similar local privilege-escalation bugs.
May 1, 2026
CISA adds CopyFail to Known Exploited Vulnerabilities catalog
CISA added CVE-2026-31431 ('CopyFail') to its Known Exploited Vulnerabilities catalog, signaling that the Linux local privilege-escalation flaw is considered actively exploited in the wild. The update was referenced in an oss-sec post citing a CISA alert announcing the catalog addition.
May 1, 2026
oss-sec says CopyFail exploit does not work on Linux 6.1 due to removed splice support
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Eric Biggers said splice support had already been removed from Linux 6.1 LTS, preventing the published exploit from working on that branch even though other versions remained exploitable. He also suggested this as an example of reducing AF_ALG attack surface through incremental hardening.
May 1, 2026
oss-sec shows unprivileged users can autoload vulnerable algif_aead module
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Justin Swartz demonstrated that an unprivileged user can trigger kernel autoloading of AF_ALG and algif_aead by requesting an AF_ALG socket. The test showed modprobe being invoked for net-pf-38 and algif-aead, undermining assumptions that the flaw is low risk when the vulnerable module is not already loaded.
May 1, 2026
CloudLinux publishes kernel update for CopyFail
CloudLinux published a kernel update advisory for CVE-2026-31431 ('CopyFail'), indicating downstream remediation for affected CloudLinux systems. This adds CloudLinux to the list of Linux vendors shipping fixes for the local privilege-escalation flaw.
May 1, 2026
AlmaLinux ships CopyFail kernel fixes ahead of RHEL and CentOS Stream
AlmaLinux published a security notice for CVE-2026-31431 and released patched kernels through its testing repository before Red Hat issued corresponding RHEL and CentOS Stream updates. The vendor said all supported AlmaLinux releases were affected and provided fixed kernel builds for AlmaLinux 8, 9, 10, and AlmaLinux Kitten 10.
May 1, 2026
Microsoft publishes Defender detection coverage for CopyFail
Microsoft published security guidance for CVE-2026-31431 ('CopyFail'), warning of root privilege escalation, container escape, and cloud multi-tenant risk, and recommending patching or blocking AF_ALG socket creation where patches are unavailable. The company also said Microsoft Defender products, including Defender Antivirus, Defender for Endpoint, Defender for Cloud, and Defender Vulnerability Management, provide detection or exposure coverage for the flaw.
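One way to act on the "block AF_ALG socket creation" advice for a single service or container entrypoint, as an added example that is neither Microsoft's nor the kernel project's code: a seccomp-BPF filter, built and installed from Python with ctypes, that makes socket(2) fail with EPERM when the domain argument is AF_ALG (38) and leaves every other syscall alone. The syscall numbers, AUDIT_ARCH values and seccomp_data offsets are the standard x86_64 and aarch64 ones; the little-endian layout of args[0] is assumed. The small interpreter lets you check the filter's decisions before installing it, since a wrong jump offset in a seccomp program is not something you want to discover in production.

```python
"""Per-process seccomp-BPF filter that denies socket(AF_ALG, ...) with EPERM.
Added example, not Microsoft's or the kernel's code."""
import ctypes
import errno
import platform
import socket
import struct

# BPF opcodes (linux/bpf_common.h) and seccomp return words (linux/seccomp.h)
BPF_LD_W_ABS = 0x00 | 0x00 | 0x20      # BPF_LD | BPF_W | BPF_ABS
BPF_JMP_JEQ_K = 0x05 | 0x10 | 0x00     # BPF_JMP | BPF_JEQ | BPF_K
BPF_RET_K = 0x06 | 0x00                # BPF_RET | BPF_K
SECCOMP_RET_KILL_PROCESS = 0x80000000
SECCOMP_RET_ERRNO = 0x00050000
SECCOMP_RET_ALLOW = 0x7FFF0000

# struct seccomp_data offsets: nr (0), arch (4), low 32 bits of args[0] (16, little-endian)
OFF_NR, OFF_ARCH, OFF_ARG0 = 0, 4, 16
AF_ALG = 38

ARCHES = {  # (AUDIT_ARCH_* value, __NR_socket) per architecture
    "x86_64": (0xC000003E, 41),
    "aarch64": (0xC00000B7, 198),
}


def build_filter(audit_arch, nr_socket):
    """BPF program as (code, jt, jf, k) tuples: EPERM for socket(AF_ALG,...), allow the rest."""
    return [
        (BPF_LD_W_ABS, 0, 0, OFF_ARCH),
        (BPF_JMP_JEQ_K, 1, 0, audit_arch),          # foreign ABI: kill rather than guess numbers
        (BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS),
        (BPF_LD_W_ABS, 0, 0, OFF_NR),
        (BPF_JMP_JEQ_K, 0, 3, nr_socket),            # not socket(2): jump to ALLOW
        (BPF_LD_W_ABS, 0, 0, OFF_ARG0),
        (BPF_JMP_JEQ_K, 0, 1, AF_ALG),               # domain != AF_ALG: jump to ALLOW
        (BPF_RET_K, 0, 0, SECCOMP_RET_ERRNO | errno.EPERM),
        (BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW),
    ]


def run_filter(prog, nr, arch, arg0):
    """Interpreter for the three opcodes used above, so the program can be checked
    offline.  Returns the SECCOMP_RET_* action word the kernel would produce."""
    data = {OFF_NR: nr, OFF_ARCH: arch, OFF_ARG0: arg0 & 0xFFFFFFFF}
    acc, pc = 0, 0
    while True:
        code, jt, jf, k = prog[pc]
        if code == BPF_LD_W_ABS:
            acc, pc = data[k], pc + 1
        elif code == BPF_JMP_JEQ_K:
            pc += 1 + (jt if acc == k else jf)   # jt/jf are relative to the next insn
        elif code == BPF_RET_K:
            return k
        else:
            raise ValueError("unsupported opcode 0x%x" % code)


def install_filter():
    """Install the filter for the running architecture via prctl(2); raises OSError on failure."""
    machine = platform.machine()
    if machine not in ARCHES:
        raise OSError(errno.ENOSYS, "no syscall table for %s" % machine)
    audit_arch, nr_socket = ARCHES[machine]
    prog = build_filter(audit_arch, nr_socket)
    insns = b"".join(struct.pack("HBBI", *i) for i in prog)   # array of struct sock_filter
    buf = ctypes.create_string_buffer(insns, len(insns))

    class SockFprog(ctypes.Structure):                         # struct sock_fprog
        _fields_ = [("len", ctypes.c_ushort), ("filter", ctypes.c_void_p)]

    fprog = SockFprog(len(prog), ctypes.addressof(buf))
    libc = ctypes.CDLL(None, use_errno=True)
    libc.prctl.argtypes = [ctypes.c_int, ctypes.c_ulong, ctypes.c_void_p,
                           ctypes.c_ulong, ctypes.c_ulong]
    PR_SET_NO_NEW_PRIVS, PR_SET_SECCOMP, SECCOMP_MODE_FILTER = 38, 22, 2
    if libc.prctl(PR_SET_NO_NEW_PRIVS, 1, None, 0, 0) != 0:   # required for unprivileged seccomp
        raise OSError(ctypes.get_errno(), "PR_SET_NO_NEW_PRIVS failed")
    if libc.prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ctypes.addressof(fprog), 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_SECCOMP failed")


if __name__ == "__main__":
    install_filter()
    try:
        socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET)
        print("socket(AF_ALG) succeeded: filter is NOT in effect")
    except OSError as e:
        print("socket(AF_ALG) -> %s" % errno.errorcode.get(e.errno, e.errno))
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print("socket(AF_INET) still works, fd", s.fileno())
```

The filter is inherited by children, so installing it in a container entrypoint or a service wrapper covers the whole process tree, but it protects nothing outside that tree; a host-wide or capability-based gate has to come from the kernel, which is the point Simon McVittie makes above. Two caveats: PR_SET_NO_NEW_PRIVS also stops setuid binaries in that tree from gaining privilege, and on 32-bit x86 ABIs socket creation can go through socketcall(2), which this filter does not inspect (the arch check kills such callers outright instead of letting them through).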
Apr 30, 2026
Researchers warn CopyFail can enable container escape in Kubernetes and CI
In public reporting on CVE-2026-31431 ('CopyFail'), Xint researchers said the flaw is particularly dangerous in Kubernetes and CI environments because a local attacker may be able to escape containers and access sensitive secrets or deployment keys. The article also noted the exploit leaves little forensic evidence because activity occurs in temporary memory and traces may disappear after reboot.
Apr 30, 2026
oss-sec cites public C and Go CopyFail PoC repositories
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Roman Medina-Heigl Hernandez said one exploit path depended on newer Python versions because Python 3.9 lacks os.splice, but warned attackers could instead upload statically compiled ELF binaries. The message also pointed to public GitHub proof-of-concept repositories named copy-fail-c and copyfail-go, expanding the publicly documented exploit implementations beyond the earlier Python PoC.
Apr 30, 2026
Threatbear publishes eBPF-based CopyFail detection guidance
Threatbear published guidance on detecting exploitation of CVE-2026-31431 ('CopyFail') using eBPF. The reference represents an additional public technical detection resource focused on identifying exploitation activity rather than new vulnerability or patch information.
Apr 30, 2026
Sysdig publishes CopyFail detection guidance and Falco rules
Sysdig Threat Research Team released runtime detection guidance for CVE-2026-31431 ('CopyFail') along with Falco rules to identify suspicious AF_ALG AEAD socket usage associated with exploitation attempts. The guidance focused on detecting local privilege-escalation activity rather than introducing new vulnerability or patch details.
Apr 30, 2026
Major Linux distributions begin shipping CopyFail patches
Following public disclosure of CVE-2026-31431 ('CopyFail'), Debian, Ubuntu, SUSE, and later Red Hat began releasing distribution patches for the local Linux privilege-escalation flaw. The downstream vendor response marked broader remediation beyond the upstream stable kernel releases already available.
Apr 29, 2026
Backports for older LTS CopyFail branches are posted
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Eric Biggers said backports had been posted for older long-term stable branches that were previously still awaiting fixes, including branches beyond 6.12.y. This marked broader progress toward patching affected LTS kernels such as 6.6, 6.1, 5.15, and 5.10.
Apr 29, 2026
Backports for Linux 6.12.y CopyFail fixes are posted
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Salvatore Bonaccorso said backports for the Linux 6.12.y branch had just been posted after earlier noting that older-branch fixes did not apply cleanly. This marked the first reported movement toward patching one of the previously unpatched long-term stable branches.
Apr 29, 2026
oss-sec says older LTS CopyFail backports need authencesn-disabling workaround
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), participants said backporting the upstream fix to older long-term kernel branches did not apply cleanly because of API differences. They reported using a workaround patch that disables the authencesn crypto module while remediation for those branches was being addressed.
Apr 29, 2026
oss-sec warns CopyFail mitigation may disrupt user-space software
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Aaron Rainbolt warned that disabling the AF_ALG/algif_aead interface as a workaround could affect user-space software including bluez, cryptsetup, iwd, stress-ng, rustc tests, Firefox ESR, Thunderbird, and applications using libkcapi. The note added operational impact details to previously discussed temporary mitigations.
Apr 29, 2026
oss-sec proposes initcall_blacklist workaround for CopyFail
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Zube reported that adding "initcall_blacklist=algif_aead_init" to the kernel command line and rebooting appeared to prevent exploitation in initial testing. The workaround was suggested as an alternative where unloading or blacklisting the algif_aead module is ineffective because AEAD support is built into the kernel.
Apr 29, 2026
oss-sec notes algif_aead unload mitigation fails on some enterprise kernels
In follow-up oss-sec discussion of CVE-2026-31431 ('CopyFail'), Brad Spengler noted that unloading or disabling the algif_aead module is not an effective workaround on some common enterprise kernels because CONFIG_CRYPTO_USER_API_AEAD is built into the kernel rather than shipped as a module. The clarification narrowed the applicability of previously suggested temporary mitigations.
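A host-side exposure check that combines the points from these entries: classifying the running kernel against the fixed releases named in the advisory text, telling a loadable algif_aead module apart from one built into the kernel (the case Brad Spengler describes, where unloading does nothing and only the initcall_blacklist boot argument helps), checking whether that boot argument is present, and running the autoload probe Justin Swartz used, which simply asks for an AEAD socket. This is an added example, not code from the oss-sec posts, the kernel project or any vendor: the branch list and fixed versions are taken from this page, the status labels are this script's own, and the modules.builtin path assumes a standard distribution layout.

```python
"""Exposure check for CVE-2026-31431 on the running host.  Added example; the
fixed-version data comes from the advisory text, the rest is this script's own."""
import errno
import os
import re
import socket

INTRODUCED = (4, 14)                                   # in-place AEAD path landed in 4.14
FIXED_STABLE = {(6, 18): (6, 18, 22), (6, 19): (6, 19, 12)}
FIXED_MAINLINE = (7, 0)                                # 7.0 and everything after
LTS_BACKPORTED = {(6, 12), (6, 6), (6, 1), (5, 15), (5, 10)}  # backports posted later, no version given here


def parse_release(release):
    """'6.18.21-1-amd64' -> (6, 18, 21); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release %r" % release)
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify_upstream(release):
    """Classify an *upstream* version string.  Distro kernels such as 5.14.0-503.el9
    backport fixes without changing the version, so for those the vendor advisory wins."""
    v = parse_release(release)
    branch = v[:2]
    if branch < INTRODUCED:
        return "not_affected"
    if branch >= FIXED_MAINLINE:
        return "fixed"
    if branch in FIXED_STABLE:
        return "fixed" if v >= FIXED_STABLE[branch] else "vulnerable"
    if branch in LTS_BACKPORTED:
        return "check_vendor"
    return "unpatched_branch"          # e.g. 6.13..6.17: end-of-life upstream, no fix coming


def module_state():
    """'module_loaded', 'builtin', 'not_loaded' or 'unknown'.  Built-in means rmmod and
    modprobe blacklists are useless; only initcall_blacklist=algif_aead_init applies."""
    try:
        with open("/proc/modules") as f:
            if any(line.startswith("algif_aead ") for line in f):
                return "module_loaded"
    except OSError:
        return "unknown"
    builtin_list = "/lib/modules/%s/modules.builtin" % os.uname().release  # assumed layout
    try:
        with open(builtin_list) as f:
            if any(line.strip().endswith("/algif_aead.ko") for line in f):
                return "builtin"
    except OSError:
        return "unknown"                # provider kernels often ship no /lib/modules tree
    return "not_loaded"


def initcall_blacklisted():
    """True if the boot command line lists algif_aead_init in initcall_blacklist=."""
    try:
        with open("/proc/cmdline") as f:
            tokens = f.read().split()
    except OSError:
        return False
    for tok in tokens:
        if tok.startswith("initcall_blacklist="):
            if "algif_aead_init" in tok[len("initcall_blacklist="):].split(","):
                return True
    return False


def probe_algif_aead():
    """Request an AEAD socket as the current user.  'aead_reachable' means the vulnerable
    interface is usable; if module_state() said 'not_loaded' beforehand, it was autoloaded."""
    af_alg = getattr(socket, "AF_ALG", None)
    if af_alg is None:
        return "no_af_alg_in_this_python"           # non-Linux build
    try:
        s = socket.socket(af_alg, socket.SOCK_SEQPACKET, 0)
    except OSError as e:
        if e.errno in (errno.EAFNOSUPPORT, errno.EPERM, errno.EACCES):
            return "af_alg_blocked"                 # family absent or seccomp/LSM denied it
        return "error:%s" % e
    try:
        s.bind(("aead", "gcm(aes)"))                # triggers modprobe net-pf-38 / algif-aead
    except OSError as e:
        return "aead_unavailable" if e.errno == errno.ENOENT else "error:%s" % e
    finally:
        s.close()
    return "aead_reachable"


if __name__ == "__main__":
    release = os.uname().release
    print("kernel %s: upstream classification %s" % (release, classify_upstream(release)))
    print("algif_aead before probe:", module_state())
    print("initcall_blacklist workaround present:", initcall_blacklisted())
    print("AEAD socket probe:", probe_algif_aead())
    print("algif_aead after probe:", module_state())
```

Read the two module_state() lines together: "not_loaded" before and "module_loaded" after is the autoload behaviour from the May 1 entry, and means an absent module is no protection. The probe is deliberately the same first step an exploit takes, so runtime rules keyed on AF_ALG AEAD socket creation will flag it; run it knowingly, and treat "aead_reachable" on a kernel classified "vulnerable" or "check_vendor" as exposed until the vendor advisory says otherwise.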
Apr 29, 2026
oss-sec discloses 'CopyFail' exploit details and Python PoC
An oss-sec post publicly disclosed CVE-2026-31431 as 'CopyFail' and explained that an unprivileged local attacker could abuse writable destination scatterlists referencing spliced page-cache pages to gain a controlled page-cache write primitive. The write-up said this could enable tampering with readable files, including read-only or setuid executables, leading to privilege escalation or code execution, and suggested unloading algif_aead as a temporary mitigation.
Apr 23, 2026
SentinelOne updates CVE-2026-31431 entry with mitigation guidance
SentinelOne's vulnerability database updated its CVE-2026-31431 entry, noting the NVD publication and recommending stable kernel patches, AF_ALG access restrictions, and optional disabling of the algif_aead module. The update reflected the vulnerability's fix and mitigation status.
Apr 22, 2026
Public advisories document severity and remediation details
Vulnerability tracking sources published details including a CVSS 7.8 rating, affected component information, and references to stable kernel commits containing the fix. These advisories also recommended applying patches and restricting or disabling algif_aead where possible.
Apr 22, 2026
CVE-2026-31431 is published to NVD
CVE-2026-31431 was publicly published on the National Vulnerability Database as a Linux kernel crypto AEAD vulnerability in algif_aead. The issue was described as a local flaw that could cause memory corruption and related security impact.
Apr 22, 2026
Stable Linux kernels ship fixes reverting algif_aead to out-of-place operation
Kernel maintainers fixed the vulnerability by reverting algif_aead back to out-of-place handling while retaining associated-data copying. The remediation was released in stable versions 6.18.22, 6.19.12, and 7.0.
Apr 11, 2026
Backports land in 6.19.12 and 6.18.22 while several LTS branches remain unpatched
By 2026-04-11, fixes for CVE-2026-31431 had been backported into Linux 6.19.12 and 6.18.22. The oss-sec discussion said long-term stable branches 6.12, 6.6, 6.1, 5.15, and 5.10 had not yet received fixes at that time, indicating older kernels dating back to 2017 could still be affected.
Apr 1, 2026
Linux mainline receives CopyFail fix
The fix for CVE-2026-31431 ('CopyFail') landed in the mainline Linux kernel, marking upstream remediation before broader stable and downstream distribution releases. Tenable's FAQ dates the mainline patch to 2026-04-01.
Mar 26, 2026
Stable kernel commit reverts algif_aead to out-of-place operation
A stable Linux kernel commit changed algif_aead to stop operating in-place and instead use a per-request TX scatter-gather list with RX as output, while copying only associated data as needed. The patch also simplified AF_ALG scatterlist helper handling across AEAD and skcipher paths, forming the basis of the later CVE-2026-31431 remediation.
Mar 23, 2026
Researchers privately report CopyFail to Linux maintainers
According to the reference, CVE-2026-31431 ('CopyFail') was reported to the Linux kernel project on 2026-03-23, before public disclosure. This marks the start of coordinated remediation for the local privilege-escalation flaw affecting AF_ALG AEAD handling.
Mar 23, 2026
Researchers reportedly provide working CopyFail exploit in private report
Public oss-sec discussion said Xint provided the Linux kernel security team with a fully working exploit when privately reporting CVE-2026-31431. This indicates maintainers were aware from the outset that the AF_ALG flaw was practically exploitable, not just a theoretical bug.
Nov 12, 2017
Linux 4.14 introduces flawed algif_aead in-place AEAD optimization
A kernel change in commit 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 introduced in-place AEAD handling in algif_aead, creating the logic later identified as CVE-2026-31431. The flaw affected the AF_ALG AEAD path in the Linux kernel crypto API.
Related Stories

Linux Kernel Privilege Escalation CVE-2026-31431 Draws Patch and PoC Activity
`CVE-2026-31431` is a Linux kernel flaw classified as **CWE-669: Incorrect Resource Transfer Between Spheres** that can enable local privilege escalation to root and, in some cases, bypass isolation boundaries. The Canadian Centre for Cyber Security warned that the impact becomes more severe when the bug is chained with a remote code execution vulnerability, and urged organizations to identify exposed systems, apply vendor fixes, reboot after kernel updates, restrict access, enforce kernel security controls, monitor logs, and segment high-risk or Internet-facing workloads. Vendor and community activity indicates broad exposure across modern Linux platforms. Red Hat lists **RHEL 8**, **RHEL 9**, **RHEL 10**, and corresponding `kernel-rt` packages as affected, while **RHEL 6** and **RHEL 7** are marked not affected because the vulnerable code is absent. Public exploit interest accelerated after Theori published the **"Copy Fail"** technical write-up and proof-of-concept repository, which references testing on **Ubuntu 24.04 LTS**, **Amazon Linux 2023**, **RHEL 10.1**, and **SUSE 16**; Rocky Linux also published related errata, signaling downstream patch availability in enterprise Linux ecosystems.
4 days ago
Linux nftables flaw CVE-2023-31248 enables local root via use-after-free
Researchers detailed exploitation of **CVE-2023-31248** in the Linux kernel's `nftables` subsystem, showing how a chain lookup flaw can let local attackers gain root privileges. The bug exists because `nft_chain_lookup_byid` did not verify whether a chain was still active through `genmask` checks, allowing rules in a batch transaction to reference chains deleted in the same batch. That logic error can trigger a **use-after-free** when rule deletion in the control plane races with asynchronous transaction-worker cleanup, creating a path to reclaim freed memory and corrupt kernel objects. The write-up demonstrates an exploit on **Ubuntu 23.04** with kernel `6.2.0-20-generic`, using heap sprays and information leaks to recover kernel text and heap addresses before forging `nftables` structures and building a ROP chain that invokes `prepare_kernel_cred` and `commit_creds` to obtain a root shell. Researchers said kernels before `6.2.0-26-generic` were vulnerable, while upstream fixes added `genmask` validation to chain-by-ID lookups so inactive chains cannot be referenced. The same research also described a separate dormant-state chain hook deactivation bug that can trigger kernel warnings but was assessed as not practically exploitable and patched by blocking repeated dormant-state toggles within a single batch.
2 weeks ago
Xen Advisory Warns Linux `privcmd` Flaw Can Bypass Kernel Lockdown
Xen disclosed **XSA-482** for **CVE-2026-31788**, a flaw in the Linux kernel's `privcmd` driver that can let an administrator inside an unprivileged Xen guest bypass kernel lockdown protections enforced under secure boot. The bug can be abused to perform actions on the guest kernel that should be blocked in secure mode, including modifying page tables in a way that could allow user mode to alter kernel memory. The issue affects Xen **PV, PVH, and HVM** guests running Linux with secure boot enabled. Xen said BSD-based systems are believed unaffected because they do not support secure boot in this context. The vulnerability was discovered by **Teddy Astie of Vates**, no mitigation is currently known, and remediation requires applying the published Linux patch set; the latest advisory revision notes that the flaw has now been assigned **`CVE-2026-31788`**.
1 month ago