Copy Fail
A logic flaw in the Linux kernel's crypto subsystem allows an unprivileged user to perform a controlled 4-byte write into the page cache of read-only files, enabling local privilege escalation.
Details
- Write-up
- https://copy.fail
- CVEs
- CVE-2026-31431 CVSS 7.8
- Authors
- Taeyang Lee, Xint Code
- Introduced
- 72548b093ee3
- Patch
- a664bf3d603d
- Releases
- 5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85, 6.18.22, 6.19.12
Am I affected?
python3 -c 'import socket; s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0); s.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));'On a vulnerable or patched system this succeeds silently. On a mitigated system you get PermissionError (algif_aead is blacklisted) or FileNotFoundError (module absent).[1]
Timeline
- Reported to Linux kernel security team
- Initial acknowledgment
- Patches proposed and reviewed
- Patch committed to mainline
- CVE assigned
- Public disclosure, PoC and write-up published[2][3]
Mitigation
Blacklist the algif_aead module
This disables in-kernel AEAD operations via AF_ALG sockets but does not affect IPsec or other kernel crypto users.
echo 'install algif_aead /bin/false' > /etc/modprobe.d/copy-fail.conf
rmmod algif_aead 2>/dev/nullSources
- https://blog.cloudflare.com/copy-fail-linux-vulnerability-mitigation/#bpf-lsm
- https://www.openwall.com/lists/oss-security/2026/04/29/23
- https://github.com/theori-io/copy-fail-CVE-2026-31431