Copy Fail

CVE-2026-31431CVSS 7.8stable

A logic flaw in the Linux kernel's crypto subsystem allows an unprivileged user to perform a controlled 4-byte write into the page cache of read-only files, enabling local privilege escalation.

Details

Write-up
https://copy.fail
CVEs
CVE-2026-31431 CVSS 7.8
Authors
Taeyang Lee, Xint Code
Introduced
72548b093ee3
Patch
a664bf3d603d
Releases
5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85, 6.18.22, 6.19.12

Am I affected?

python3 -c 'import socket; s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0); s.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));'

On a vulnerable or patched system this succeeds silently. On a mitigated system you get PermissionError (algif_aead is blacklisted) or FileNotFoundError (module absent).[1]

Timeline

  1. Reported to Linux kernel security team
  2. Initial acknowledgment
  3. Patches proposed and reviewed
  4. Patch committed to mainline
  5. CVE assigned
  6. Public disclosure, PoC and write-up published[2][3]

Mitigation

Blacklist the algif_aead module

This disables in-kernel AEAD operations via AF_ALG sockets but does not affect IPsec or other kernel crypto users.

echo 'install algif_aead /bin/false' > /etc/modprobe.d/copy-fail.conf
rmmod algif_aead 2>/dev/null

Sources

  1. https://blog.cloudflare.com/copy-fail-linux-vulnerability-mitigation/#bpf-lsm
  2. https://www.openwall.com/lists/oss-security/2026/04/29/23
  3. https://github.com/theori-io/copy-fail-CVE-2026-31431

History