CopyFail Linux Kernel AEAD Flaw Enables Local Privilege Escalation
Researchers disclosed CVE-2026-31431, dubbed CopyFail, a high-severity local privilege-escalation flaw in the Linux kernel's crypto subsystem affecting the algif_aead module through the AF_ALG socket interface. The bug was introduced in Linux 4.14 by commit 72548b093ee3, which added in-place AEAD handling in algif_aead.c; because source and destination buffers came from different memory mappings, the change created a path to memory corruption. The oss-sec disclosure said an unprivileged local attacker could exploit the flaw with a working Python proof of concept to gain a controlled page-cache write primitive against readable files.
That primitive could let attackers tamper with read-only files or setuid executables, potentially leading to privilege escalation or code execution. The issue has been fixed by reverting to out-of-place operation while preserving associated-data copying, with patches released in stable kernels 6.18.22, 6.19.12, and 7.0. Public advisories rate the flaw CVSS 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and recommend applying the stable kernel updates, restricting access to AF_ALG, and disabling or unloading the algif_aead module where it is not required.
How this story unfolded
45 events from the earliest known activity through the most recent confirmed update.
Linux 4.14 introduces flawed algif_aead in-place AEAD optimization
A kernel change in commit 72548b093ee38a6d4f2a19e6ef1948ae05c181f7 introduced in-place AEAD handling in algif_aead, creating the logic later identified as CVE-2026-31431. The flaw affected the AF_ALG AEAD path in the Linux kernel crypto API.
Researchers reportedly provide working CopyFail exploit in private report
Public oss-sec discussion said Xint provided the Linux kernel security team with a fully working exploit when privately reporting CVE-2026-31431. This indicates maintainers were aware from the outset that the AF_ALG flaw was practically exploitable, not just a theoretical bug.
Researchers privately report CopyFail to Linux maintainers
According to the cited source, CVE-2026-31431 ('CopyFail') was reported to the Linux kernel project on 2026-03-23, before public disclosure. This marks the start of coordinated remediation for the local privilege-escalation flaw affecting AF_ALG AEAD handling.
Stable kernel commit reverts algif_aead to out-of-place operation
A stable Linux kernel commit changed algif_aead to stop operating in-place and instead use a per-request TX scatter-gather list with RX as output, while copying only associated data as needed. The patch also simplified AF_ALG scatterlist helper handling across AEAD and skcipher paths, forming the basis of the later CVE-2026-31431 remediation.
Linux mainline receives CopyFail fix
The fix for CVE-2026-31431 ('CopyFail') landed in the mainline Linux kernel, marking upstream remediation before broader stable and downstream distribution releases. Tenable's FAQ dates the mainline patch to 2026-04-01.
Backports land in 6.19.12 and 6.18.22 while several LTS branches remain unpatched
By 2026-04-11, fixes for CVE-2026-31431 had been backported into Linux 6.19.12 and 6.18.22. The oss-sec discussion said long-term stable branches 6.12, 6.6, 6.1, 5.15, and 5.10 had not yet received fixes at that time, indicating older kernels dating back to 2017 could still be affected.
Stable Linux kernels ship fixes reverting algif_aead to out-of-place operation
Kernel maintainers fixed the vulnerability by reverting algif_aead back to out-of-place handling while retaining associated-data copying. The remediation was released in stable versions 6.18.22, 6.19.12, and 7.0.
CVE-2026-31431 is published to NVD
CVE-2026-31431 was publicly published on the National Vulnerability Database as a Linux kernel crypto AEAD vulnerability in algif_aead. The issue was described as a local flaw that could cause memory corruption and related security impact.
Public advisories document severity and remediation details
Vulnerability tracking sources published details including a CVSS 7.8 rating, affected component information, and references to stable kernel commits containing the fix. These advisories also recommended applying patches and restricting or disabling algif_aead where possible.
SentinelOne updates CVE-2026-31431 entry with mitigation guidance
SentinelOne's vulnerability database updated its CVE-2026-31431 entry, noting the NVD publication and recommending stable kernel patches, AF_ALG access restrictions, and optional disabling of the algif_aead module. The update reflected the vulnerability's fix and mitigation status.
oss-sec discloses 'CopyFail' exploit details and Python PoC
An oss-sec post publicly disclosed CVE-2026-31431 as 'CopyFail' and explained that an unprivileged local attacker could abuse writable destination scatterlists referencing spliced page-cache pages to gain a controlled page-cache write primitive. The write-up said this could enable tampering with readable files, including read-only or setuid executables, leading to privilege escalation or code execution, and suggested unloading algif_aead as a temporary mitigation.
oss-sec notes algif_aead unload mitigation fails on some enterprise kernels
In follow-up oss-sec discussion of CVE-2026-31431 ('CopyFail'), Brad Spengler noted that unloading or disabling the algif_aead module is not an effective workaround on some common enterprise kernels because CONFIG_CRYPTO_USER_API_AEAD is built into the kernel rather than shipped as a module. The clarification narrowed the applicability of previously suggested temporary mitigations.
oss-sec proposes initcall_blacklist workaround for CopyFail
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Zube reported that adding "initcall_blacklist=algif_aead_init" to the kernel command line and rebooting appeared to prevent exploitation in initial testing. The workaround was suggested as an alternative where unloading or blacklisting the algif_aead module is ineffective because AEAD support is built into the kernel.
oss-sec warns CopyFail mitigation may disrupt user-space software
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Aaron Rainbolt warned that disabling the AF_ALG/algif_aead interface as a workaround could affect user-space software including bluez, cryptsetup, iwd, stress-ng, rustc tests, Firefox ESR, Thunderbird, and applications using libkcapi. The note added operational impact details to previously discussed temporary mitigations.
oss-sec says older LTS CopyFail backports need authencesn-disabling workaround
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), participants said backporting the upstream fix to older long-term kernel branches did not apply cleanly because of API differences. They reported using a workaround patch that disables the authencesn crypto module while remediation for those branches was being addressed.
Backports for Linux 6.12.y CopyFail fixes are posted
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Salvatore Bonaccorso said backports for the Linux 6.12.y branch had just been posted after earlier noting that older-branch fixes did not apply cleanly. This marked the first reported movement toward patching one of the previously unpatched long-term stable branches.
Backports for older LTS CopyFail branches are posted
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Eric Biggers said backports had been posted for older long-term stable branches that were previously still awaiting fixes, including branches beyond 6.12.y. This marked broader progress toward patching affected LTS kernels such as 6.6, 6.1, 5.15, and 5.10.
Major Linux distributions begin shipping CopyFail patches
Following public disclosure of CVE-2026-31431 ('CopyFail'), Debian, Ubuntu, SUSE, and later Red Hat began releasing distribution patches for the local Linux privilege-escalation flaw. The downstream vendor response marked broader remediation beyond the upstream stable kernel releases already available.
Sysdig publishes CopyFail detection guidance and Falco rules
Sysdig Threat Research Team released runtime detection guidance for CVE-2026-31431 ('CopyFail') along with Falco rules to identify suspicious AF_ALG AEAD socket usage associated with exploitation attempts. The guidance focused on detecting local privilege-escalation activity rather than introducing new vulnerability or patch details.
Threatbear publishes eBPF-based CopyFail detection guidance
Threatbear published guidance on detecting exploitation of CVE-2026-31431 ('CopyFail') using eBPF. The reference represents an additional public technical detection resource focused on identifying exploitation activity rather than new vulnerability or patch information.
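The Sysdig and Threatbear guidance above is Falco- and eBPF-based. As an added example that is not Sysdig's, Threatbear's or the page's code, the Python below applies the same detection idea to auditd records: it flags socket(2) calls whose first argument is AF_ALG (family 38, which audit logs in hex as a0=26), rates them by whether the caller is unprivileged, and also picks out the kernel's own modprobe request for net-pf-38, which a later post in this timeline shows is triggered by an unprivileged AF_ALG socket request. The sample log lines are constructed for this example; the syscall numbers (socket is 41 on x86_64 and 198 on aarch64) and the audit arch values are the real ones.

```python
"""Hunt for AF_ALG socket activity in auditd logs (CopyFail precondition).
Added example; sample records are constructed, not real captures."""
import re

AF_ALG = 38            # socket family of the kernel crypto API (net-pf-38)
SOCK_SEQPACKET = 5     # AF_ALG sockets are created as SOCK_SEQPACKET
# socket(2) syscall number per audit arch value (AUDIT_ARCH_X86_64 / AARCH64)
SOCKET_SYSCALL = {"c000003e": 41, "c00000b7": 198}

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Turn one auditd line into a dict of key -> value (quotes stripped)."""
    rec = {key: val.strip('"') for key, val in TOKEN_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m:
        rec["_time"], rec["_serial"] = m.group(1), int(m.group(2))
    return rec


def classify(rec):
    """Return a finding dict for a record worth attention, else None."""
    t = rec.get("type")
    if t == "SYSCALL":
        nr = SOCKET_SYSCALL.get(rec.get("arch"))
        if nr is None or rec.get("syscall") != str(nr):
            return None
        try:
            family = int(rec.get("a0", ""), 16)   # audit logs syscall args in hex
            stype = int(rec.get("a1", ""), 16)
        except ValueError:
            return None
        if family != AF_ALG:
            return None
        uid = int(rec.get("uid", "-1"))
        # An unprivileged caller is the CopyFail precondition; root users of
        # AF_ALG (cryptsetup, libkcapi consumers) are common and expected.
        return {"serial": rec.get("_serial"), "kind": "af_alg_socket",
                "uid": uid, "comm": rec.get("comm"),
                "severity": "high" if uid != 0 else "low",
                "seqpacket": stype == SOCK_SEQPACKET}
    if t == "EXECVE":
        keys = sorted((k for k in rec if re.fullmatch(r"a\d+", k)),
                      key=lambda k: int(k[1:]))
        argv = [rec[k] for k in keys]
        if argv and argv[0].endswith("modprobe") and \
                any(a in ("net-pf-38", "algif-aead", "algif_aead") for a in argv):
            # Kernel-triggered autoload of the AF_ALG / algif_aead modules.
            return {"serial": rec.get("_serial"), "kind": "algif_autoload",
                    "argv": argv, "severity": "medium"}
    return None


def detect(lines):
    """Run classify() over raw audit lines and collect the findings."""
    findings = []
    for line in lines:
        f = classify(parse_record(line))
        if f:
            findings.append(f)
    return findings


# Constructed sample: an unprivileged python3 process opening an AF_ALG
# socket, the resulting modprobe autoload, an ordinary AF_INET socket from
# curl, and root's cryptsetup using AF_ALG legitimately.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1777000000.123:4101): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=2210 pid=2241 auid=1000 uid=1000 gid=1000 euid=1000 ses=3 comm="python3" exe="/usr/bin/python3.12" key="af_alg"
type=EXECVE msg=audit(1777000000.130:4102): argc=4 a0="/sbin/modprobe" a1="-q" a2="--" a3="net-pf-38"
type=SYSCALL msg=audit(1777000000.456:4103): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=1 a2=6 a3=0 items=0 ppid=1 pid=2300 auid=1000 uid=1000 gid=1000 euid=1000 ses=3 comm="curl" exe="/usr/bin/curl" key="net"
type=SYSCALL msg=audit(1777000000.800:4104): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1 pid=2400 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="af_alg"
type=PROCTITLE msg=audit(1777000000.123:4101): proctitle=707974686F6E33
""".splitlines()

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The severity split is the useful part: as the cryptsetup and libkcapi notes later in this timeline show, root-owned AF_ALG users are normal on many hosts, so alerting on every AF_ALG socket would be noisy, while an unprivileged caller followed by a modprobe for net-pf-38 is exactly the sequence worth a look. The `key="af_alg"` field assumes an audit rule along the lines of `-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg` (standard auditctl syntax, not taken from the page).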
oss-sec cites public C and Go CopyFail PoC repositories
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Roman Medina-Heigl Hernandez said one exploit path depended on newer Python versions because Python 3.9 lacks os.splice, but warned attackers could instead upload statically compiled ELF binaries. The message also pointed to public GitHub proof-of-concept repositories named copy-fail-c and copyfail-go, expanding the publicly documented exploit implementations beyond the earlier Python PoC.
Researchers warn CopyFail can enable container escape in Kubernetes and CI
In public reporting on CVE-2026-31431 ('CopyFail'), Xint researchers said the flaw is particularly dangerous in Kubernetes and CI environments because a local attacker may be able to escape containers and access sensitive secrets or deployment keys. The article also noted the exploit leaves little forensic evidence because activity occurs in temporary memory and traces may disappear after reboot.
Microsoft publishes Defender detection coverage for CopyFail
Microsoft published security guidance for CVE-2026-31431 ('CopyFail'), warning of root privilege escalation, container escape, and cloud multi-tenant risk, and recommending patching or blocking AF_ALG socket creation where patches are unavailable. The company also said Microsoft Defender products, including Defender Antivirus, Defender for Endpoint, Defender for Cloud, and Defender Vulnerability Management, provide detection or exposure coverage for the flaw.
AlmaLinux ships CopyFail kernel fixes ahead of RHEL and CentOS Stream
AlmaLinux published a security notice for CVE-2026-31431 and released patched kernels through its testing repository before Red Hat issued corresponding RHEL and CentOS Stream updates. The vendor said all supported AlmaLinux releases were affected and provided fixed kernel builds for AlmaLinux 8, 9, 10, and AlmaLinux Kitten 10.
CloudLinux publishes kernel update for CopyFail
CloudLinux published a kernel update advisory for CVE-2026-31431 ('CopyFail'), indicating downstream remediation for affected CloudLinux systems. This adds CloudLinux to the list of Linux vendors shipping fixes for the local privilege-escalation flaw.
oss-sec shows unprivileged users can autoload vulnerable algif_aead module
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Justin Swartz demonstrated that an unprivileged user can trigger kernel autoloading of AF_ALG and algif_aead by requesting an AF_ALG socket. The test showed modprobe being invoked for net-pf-38 and algif-aead, undermining assumptions that the flaw is low risk when the vulnerable module is not already loaded.
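The three workaround threads above (unloading does not help where CONFIG_CRYPTO_USER_API_AEAD is built in, the initcall_blacklist boot argument, and unprivileged autoload of the module) plus the fixed stable versions named earlier make a small host-triage script worthwhile. The following is an added example, not code from the page, the kernel project or any vendor: it classifies a kernel release against the fixed versions the page gives (6.18.22, 6.19.12, 7.0; 4.14 as the first affected release; the older LTS branches reported as "backports posted" without a point release are reported as unknown), reads CONFIG_CRYPTO_USER_API_AEAD to tell built-in from modular, checks the kernel command line for initcall_blacklist=algif_aead_init, and prints a recommendation. The modprobe.d `install` directive it suggests for the modular case is a general technique, not one the page describes.

```python
"""Host triage for CVE-2026-31431 (CopyFail): is the kernel in a fixed range,
is CONFIG_CRYPTO_USER_API_AEAD built in or modular, and is the
initcall_blacklist workaround on the command line. Added example; not code
from the page or the kernel project."""
import gzip
import platform
import re

FIRST_AFFECTED = (4, 14)                                 # bug introduced in 4.14
FIXED_IN = {(6, 18): (6, 18, 22), (6, 19): (6, 19, 12)}  # stable fixes per the advisories
FIXED_MAINLINE = (7, 0, 0)                               # 7.0 ships the fix
# LTS branches whose backports were posted later; their fixed point releases
# are not stated on the page, so defer to the distribution advisory.
LTS_CHECK_DISTRO = {(6, 12), (6, 6), (6, 1), (5, 15), (5, 10)}


def parse_release(release):
    """'6.18.21-arch1-1' -> (6, 18, 21); a missing patch level becomes 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unparseable kernel release: %r" % release)
    return tuple(int(x or 0) for x in m.groups())


def copyfail_status(release):
    """One of: not-affected, vulnerable, fixed, unknown-check-distro."""
    v = parse_release(release)
    if v < FIRST_AFFECTED:
        return "not-affected"
    branch = v[:2]
    if branch in FIXED_IN:
        return "fixed" if v >= FIXED_IN[branch] else "vulnerable"
    if branch in LTS_CHECK_DISTRO:
        return "unknown-check-distro"
    return "fixed" if v >= FIXED_MAINLINE else "vulnerable"


def aead_api_state(config_text):
    """builtin (=y: unloading cannot help), module (=m) or disabled."""
    m = re.search(r"^CONFIG_CRYPTO_USER_API_AEAD=(y|m)\s*$", config_text, re.M)
    if not m:
        return "disabled"
    return "builtin" if m.group(1) == "y" else "module"


def cmdline_has_blacklist(cmdline):
    """True if an initcall_blacklist= parameter names algif_aead_init."""
    for tok in cmdline.split():
        if tok.startswith("initcall_blacklist="):
            if "algif_aead_init" in tok[len("initcall_blacklist="):].split(","):
                return True
    return False


def workaround_advice(status, api_state, blacklisted):
    """Recommendation for the combination of findings."""
    if status in ("fixed", "not-affected"):
        return "no action: kernel %s" % status
    if api_state == "unknown":
        return "kernel config unreadable: check CONFIG_CRYPTO_USER_API_AEAD before choosing a workaround"
    if api_state == "disabled":
        return "AF_ALG AEAD support absent from this config; patch when available"
    if api_state == "builtin":
        if blacklisted:
            return "built-in AEAD API: initcall_blacklist=algif_aead_init present; still patch"
        return ("built-in AEAD API: unloading the module cannot help; add "
                "initcall_blacklist=algif_aead_init to the kernel command line, reboot, then patch")
    # Modular: an unprivileged AF_ALG socket request autoloads the module, so
    # "not loaded" is no protection unless loading is blocked in modprobe.d.
    return ("modular algif_aead: block autoload (e.g. 'install algif_aead /bin/false' "
            "in /etc/modprobe.d) and unload it, then patch")


def read_kernel_config(release):
    """Config text from /proc/config.gz or /boot/config-<release>, else ''."""
    for path, opener in (("/proc/config.gz", lambda p: gzip.open(p, "rt")),
                         ("/boot/config-%s" % release, open)):
        try:
            with opener(path) as f:
                return f.read()
        except OSError:
            continue
    return ""


def triage_host():
    """Run the checks against the running system (Linux; best effort)."""
    release = platform.release()
    try:
        status = copyfail_status(release)
    except ValueError:
        status = "unparseable"
    try:
        cmdline = open("/proc/cmdline").read()
    except OSError:
        cmdline = ""
    cfg = read_kernel_config(release)
    api_state = aead_api_state(cfg) if cfg else "unknown"
    blacklisted = cmdline_has_blacklist(cmdline)
    return {"release": release, "status": status, "api_state": api_state,
            "initcall_blacklist": blacklisted,
            "advice": workaround_advice(status, api_state, blacklisted)}


if __name__ == "__main__":
    for key, val in triage_host().items():
        print("%-18s %s" % (key, val))
```

Run it as root so /boot/config-* is readable; a distribution kernel with backported fixes will report unknown-check-distro or even vulnerable by upstream version alone, which is why the advice defers to the vendor advisory for the LTS branches rather than guessing a point release.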
oss-sec says CopyFail exploit does not work on Linux 6.1 due to removed splice support
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Eric Biggers said splice support had already been removed from Linux 6.1 LTS, preventing the published exploit from working on that branch even though other versions remained exploitable. He also suggested this as an example of reducing AF_ALG attack surface through incremental hardening.
CISA adds CopyFail to Known Exploited Vulnerabilities catalog
CISA added CVE-2026-31431 ('CopyFail') to its Known Exploited Vulnerabilities catalog, signaling that the Linux local privilege-escalation flaw is considered actively exploited in the wild. The update was referenced in an oss-sec post citing a CISA alert announcing the catalog addition.
oss-sec proposes AF_ALG hardening and algorithm allowlist after CopyFail
In oss-sec discussion following CVE-2026-31431 ('CopyFail'), Eric Biggers argued AF_ALG should be redesigned to use safer internal kernel buffering, restrict supported algorithms with a strict allowlist, and drop complex features such as zero-copy scatterlists, asynchronous execution, and hardware crypto drivers. He said reducing AF_ALG complexity should take priority over performance to prevent similar local privilege-escalation bugs.
oss-sec says disabling AF_ALG would not break IPsec or WireGuard
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Eric Biggers said the security problem lies in the AF_ALG userspace interface, not Linux's core in-kernel cryptography support. He added that disabling AF_ALG would not affect kernel features such as IPsec or WireGuard, though it could impact some user-space programs that rely on AF_ALG instead of userspace crypto libraries.
oss-sec notes Debian 13 OpenSSL ships with AF_ALG engine enabled
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Alexander Bochmann said Debian 13 ships OpenSSL 3.5.5 with the AF_ALG engine enabled and demonstrated available AF_ALG-backed AES-CBC ciphers. The note added concrete evidence that some OpenSSL-based userspace cryptography could depend on AF_ALG, refining the compatibility impact of proposed AF_ALG-disabling mitigations.
oss-sec says Linode/Akamai VPS kernels may block CopyFail boot-arg workaround
An oss-sec post said some provider-supplied monolithic kernels, including those seen on Linode/Akamai VPS instances, appear to have the vulnerable AF_ALG AEAD code built in and may not let customers supply kernel command-line options needed for the initcall_blacklist mitigation. The message added that switching to a distro or self-compiled kernel was theoretically possible but risky because the system might not come back after reboot.
oss-sec says removing AF_ALG could break cryptsetup volume compatibility
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Milan Broz said AF_ALG is still used for legitimate purposes including cryptsetup benchmarking and compatibility with some TrueCrypt/VeraCrypt-related encrypted volume formats. He warned that removing or disabling AF_ALG could therefore break cryptsetup support in some real-world deployments, including distributions relying on that compatibility.
oss-sec proposes capability-gating AF_ALG for unprivileged processes
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Simon McVittie argued AF_ALG access could be blocked in the kernel for unprivileged processes while trusted services retain access via Linux capabilities. He said any LD_PRELOAD-based approach should be treated only as an optional compatibility shim backed by a crypto library, not as a security boundary.
oss-sec argues kernel crypto user interfaces offer little benefit and should be kernel-only
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Peter Gutmann said user-space access to kernel crypto acceleration interfaces offers limited practical performance benefit and can add risk, including cases where OpenSSL may be routed through older or unpatched code paths. He suggested migrating the small number of remaining user-space applications off the interface and making it kernel-only to reduce attack surface.
oss-sec warns namespaces are weak isolation for AF_ALG and similar socket families
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Greg Dahlman argued that Linux namespaces are often overestimated as security boundaries for non-path-backed socket families including AF_ALG, AF_INET, and AF_VSOCK, because access controls may lack meaningful credential checks. The discussion broadened CopyFail mitigation debate into a wider concern about Linux socket-family isolation and the risks of exposing such interfaces to unprivileged users.
CISA orders federal agencies to remediate CopyFail by May 15
After adding CVE-2026-31431 ('CopyFail') to the Known Exploited Vulnerabilities catalog, CISA directed U.S. federal civilian agencies to remediate the Linux kernel flaw by 2026-05-15. The order formalized a government response deadline following KEV listing for the actively exploited local privilege-escalation bug.
Red Hat releases first RHEL 9 fix for CopyFail
Red Hat’s advisory for CVE-2026-31431 said its first product fix was issued for RHEL 9 on 2026-05-04. The vendor rated the Linux kernel local privilege-escalation flaw Important and provided mitigation guidance alongside the product update.
AF_ALG is reportedly deprecated and patch submitted to remove zero-copy support
In oss-sec discussion of CVE-2026-31431 ('CopyFail'), Eric Biggers said AF_ALG had been marked deprecated by its maintainer and that he submitted a patch to remove AF_ALG zero-copy support. He argued the zero-copy feature was a key enabler of the vulnerability and that removing it would have prevented this bug class.
oss-sec debate erupts over Linux kernel disclosure process after CopyFail
An oss-sec discussion criticized how the Linux kernel project handled disclosure of CVE-2026-31431 ('CopyFail'), with Emily Shepherd arguing the process is opaque and discourages coordination, while Greg Kroah-Hartman defended the maintainer-centric model. The exchange also clarified that the kernel security team focuses on getting bugs fixed and that CVE assignment is handled by a separate volunteer kernel CVE team.
GitHub repo publishes mass-deployment CopyFail module-disabling workaround
A GitHub repository by thinrope published a shell script, cf+df_patching.sh, to mitigate CopyFail by renaming or disabling vulnerable kernel modules on running Linux systems, with support for deploying the workaround across multiple hosts via SSH and GNU parallel. The README emphasized limitations including no effect on built-in kernel options, no kernel-version validation, and applicability only to the currently running kernel.
Metasploit pull request proposes CopyFail local privilege-escalation module
A Rapid7 Metasploit Framework pull request was created for a Linux local privilege-escalation exploit targeting CVE-2026-31431 ('CopyFail'). The GitHub activity shows the submission being added to the Metasploit Kanban and moved into the Todo column, indicating work toward framework integration of a public exploit module.
Schneier notes default Kubernetes seccomp does not block CopyFail
A Schneier on Security post said CVE-2026-31431 exploitation is not prevented by Kubernetes Pod Security Standards (Restricted) or the default RuntimeDefault seccomp profile because the needed syscall remains allowed. The article said defenders need custom seccomp hardening to block this attack path in containerized environments.
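Both the Schneier post above and Microsoft's guidance earlier in this timeline come down to the same control: the container runtime's default seccomp profile allows socket(2) unconditionally, so the fix is an argument-filtered rule that refuses socket(AF_ALG, ...). As an added example that is not from the page, Kubernetes, Docker or any vendor, the Python below builds such a rule in the OCI/Docker seccomp JSON format and includes a simplified evaluator so the before/after behaviour can be checked without a container runtime. The base profile is a constructed stand-in for a runtime default (deny by default, a few syscalls allowed, socket allowed with no argument filter); the evaluator resolves the first matching rule and is not libseccomp, which is why the hardened profile uses two socket rules with disjoint conditions (family == 38 and family != 38) so that rule order cannot matter.

```python
"""Seccomp hardening against AF_ALG socket creation in containers.
Added example; BASE_PROFILE is a constructed stand-in for a runtime default
and profile_action() is a simplified evaluator, not libseccomp."""
import copy
import json

AF_ALG = 38  # socket family of the kernel crypto API (net-pf-38)

# Constructed stand-in for a runtime default: deny unless listed, and
# socket(2) is listed with no argument filter, so socket(AF_ALG) passes.
BASE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "close", "socket", "bind", "sendmsg", "recvmsg"],
         "action": "SCMP_ACT_ALLOW"},
    ],
}

# OCI comparison operators; for MASKED_EQ, value is the mask and valueTwo
# the expected masked result, as in libseccomp.
_OPS = {
    "SCMP_CMP_EQ": lambda a, v, v2: a == v,
    "SCMP_CMP_NE": lambda a, v, v2: a != v,
    "SCMP_CMP_LT": lambda a, v, v2: a < v,
    "SCMP_CMP_LE": lambda a, v, v2: a <= v,
    "SCMP_CMP_GT": lambda a, v, v2: a > v,
    "SCMP_CMP_GE": lambda a, v, v2: a >= v,
    "SCMP_CMP_MASKED_EQ": lambda a, v, v2: (a & v) == v2,
}


def _args_match(rule, args):
    """All argument conditions of a rule must hold (AND semantics)."""
    for cond in rule.get("args", []):
        idx = cond["index"]
        if idx >= len(args):
            return False
        if not _OPS[cond["op"]](args[idx], cond["value"], cond.get("valueTwo", 0)):
            return False
    return True


def profile_action(profile, syscall, args=()):
    """Simplified resolution: the first rule naming the syscall whose
    argument conditions all hold wins; otherwise defaultAction applies."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and _args_match(rule, args):
            return rule["action"]
    return profile["defaultAction"]


def harden_against_af_alg(profile):
    """Return a copy in which socket(AF_ALG, ...) fails with EPERM while
    other families keep their allow. Only unconditional socket allows are
    rewritten; a pre-existing argument-filtered socket rule is left alone."""
    out = copy.deepcopy(profile)
    for rule in out["syscalls"]:
        if "socket" in rule["names"] and not rule.get("args"):
            rule["names"] = [n for n in rule["names"] if n != "socket"]
    out["syscalls"] = [r for r in out["syscalls"] if r["names"]]
    out["syscalls"] = [
        {"names": ["socket"], "action": "SCMP_ACT_ERRNO", "errnoRet": 1,
         "args": [{"index": 0, "value": AF_ALG, "op": "SCMP_CMP_EQ"}]},
        {"names": ["socket"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": AF_ALG, "op": "SCMP_CMP_NE"}]},
    ] + out["syscalls"]
    return out


def hardened_profile_json():
    """The hardened profile as JSON, ready to drop into a seccomp profile file."""
    return json.dumps(harden_against_af_alg(BASE_PROFILE), indent=2)


if __name__ == "__main__":
    print(hardened_profile_json())
```

To apply the idea to a real cluster, take the runtime's actual default profile rather than BASE_PROFILE, run it through harden_against_af_alg, and reference the result as a Localhost seccomp profile in the pod's securityContext. The compatibility caveat from the oss-sec thread applies in full: workloads that use AF_ALG legitimately (the list given for bluez, cryptsetup, iwd, libkcapi users and others) will see socket() fail with EPERM under this profile, so scope it to workloads that do not need the kernel crypto API.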
Juniper publishes CopyFail product advisory status
Juniper published a product advisory covering the status of CVE-2026-31431 ('CopyFail') across Juniper products. The advisory adds Juniper to the list of vendors formally assessing or disclosing product impact for the Linux kernel vulnerability.
AWS publishes CopyFail security bulletin and product status updates
AWS published a security bulletin covering ongoing updates on CVE-2026-31431 ('CopyFail') and related variants. The bulletin adds AWS to the list of vendors formally disclosing product impact, remediation status, or customer guidance for the Linux kernel vulnerability.
Sources
50 references tracked.
TryHackMe Walkthrough: CVE-2026-31431 - Copy-Fail | by Hibullahi AbdulAzeez | May, 2026 | InfoSec Write-ups (infosecwriteups.com)
Ongoing updates on Copy.fail and variants (aws.amazon.com)
Article Detail (supportportal.juniper.net)
Copy.Fail Linux Vulnerability - Schneier on Security (schneier.com)
Copy Fail Linux Local Privilege Escalation Exploit (CVE-2026-31431) by offsecguy · Pull Request #21437 · rapid7/metasploit-framework · GitHub (github.com)
Solving “Copy Fail” CVE-2026-31431 Q/A Lab | by Kiranghimire | May, 2026 | InfoSec Write-ups (infosecwriteups.com)
Copy Fail Linux Local Privilege Escalation Exploit (CVE-2026-31431) by offsecguy · Pull Request #21431 · rapid7/metasploit-framework · GitHub (github.com)
GitHub - thinrope/cf-df: copy.fail + Dirty Frag patching-on-the-fly · GitHub (github.com)
GitHub - thinrope/cf-df: copy.fail + Dirty Frag patching-on-the-fly · GitHub (github.com)
copy fail 2: electric boogaloo - afflicted.sh (afflicted.sh)
oss-sec: Copy Fail 2 / Dirty Frag - n-day from public commit, not embargo break (seclists.org)
oss-sec: Re: Precise disclosure contents for copyfail (Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation) (seclists.org)
Cette faille critique sous Linux met en danger des millions de sy ... (zdnet.fr)
VU#260001 - Linux kernel contains local privilege escalation vulnerability (Copy Fail) (kb.cert.org)
Copy Fail python2.7 support by dledda-r7 · Pull Request #21414 · rapid7/metasploit-framework · GitHub (github.com)
'CopyFail' attackers start cashing in on Linux flaw (theregister.com)
This critical Linux vulnerability is putting millions of systems at risk - how to protect yours | ZDNET (zdnet.com)
'CopyFail' attackers start cashing in on Linux flaw • The Register (go.theregister.com)
oss-sec: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (seclists.org)
Copy Fail bug added to CISA's list of known exploited vulnerabilities | news | SC Media (scworld.com)
CISA flags actively exploited ‘Copy Fail’ Linux kernel flaw enabling root takeover across major distros - unpatched systems may remain vulnerable to attack | Tom's Hardware (tomshardware.com)
CISA Warns of Linux Kernel 0-Day Vulnerability Exploited in Attacks (cybersecuritynews.com)
U.S. CISA adds a flaw in Linux Kernel to its Known Exploited Vulnerabilities catalog (securityaffairs.com)
oss-sec: Re: Precise disclosure contents for copyfail (Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation) (seclists.org)
oss-sec: Re: Precise disclosure contents for copyfail (Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation) (seclists.org)
oss-sec: Re: Precise disclosure contents for copyfail (Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation) (seclists.org)
US government warns of severe CopyFail bug affecting major versions of Linux | TechCrunch (techcrunch.com)
Breakdown of CVE-2026-31431 (Copy Fail) an Overl00k3d Linux Kernel Vulnerability Enables Privilege Escalation | by Muhammad Ashraf Ali | May, 2026 | InfoSec Write-ups (infosecwriteups.com)
CopyFail Is the Bugflation Moment - Bugflation (bugflation.com)
"Copy Fail" Lands on CISA's KEV: A Nine-Year-Old Linux Bug Becomes a Patch Deadline (darkwebinformer.com)
CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV (thehackernews.com)
Detection: Linux Auditd Copy Fail Privilege Escalation | Splunk Security Content (research.splunk.com)
oss-sec: Re: Precise disclosure contents for copyfail (Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation) (seclists.org)
oss-sec: Precise disclosure contents for copyfail (Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation) (seclists.org)
oss-sec: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (seclists.org)
oss-sec: Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (seclists.org)
oss-sec: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (seclists.org)
oss-sec: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (seclists.org)
oss-sec: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (seclists.org)
oss-sec: Re: Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (seclists.org)
oss-sec: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (seclists.org)
oss-sec: Re: Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (seclists.org)
oss-sec: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (seclists.org)
oss-sec: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (seclists.org)
oss-sec: Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (seclists.org)
oss-sec: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (seclists.org)
oss-sec: Re: Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (seclists.org)
oss-sec: Re: Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (seclists.org)
oss-sec: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (seclists.org)
Copy Fail: Universal Linux Local Privilege Escalation Vulnerability | Wiz Blog (wiz.io)