Researchers disclosed CVE-2026-31431, dubbed CopyFail, a Linux local privilege escalation flaw in the kernel crypto subsystem's algif_aead/AF_ALG AEAD path that lets a low-privileged local user corrupt the page cache of readable files and gain root. The bug traces to a 2017 in-place AEAD optimization introduced in Linux 4.14 by commit 72548b093ee3, which allowed splice-backed file pages to be reused as writable crypto buffers; attackers can then achieve a controlled write into the cached copy of targets such as setuid binaries while leaving the on-disk file unchanged. Researchers published a compact Python proof of concept said to work reliably across major distributions including Ubuntu, RHEL, SUSE, Amazon Linux, Debian, Fedora, and Arch, and warned the shared page cache also makes the flaw relevant for container escapes, CI runners, and multi-tenant cloud hosts.
Upstream fixed the issue by reverting algif_aead to out-of-place operation in Linux 7.0, 6.19.12, and 6.18.22, while older long-term branches initially lagged because the patch did not apply cleanly and required backports or workaround patches. Major vendors and downstream projects began shipping advisories and kernel updates, and temporary mitigations included disabling or blacklisting algif_aead, blocking AF_ALG socket creation with seccomp or eBPF, or using the kernel boot parameter initcall_blacklist=algif_aead_init where the feature was built in. After public exploit code spread and additional exploit ports appeared, CISA added the flaw to its Known Exploited Vulnerabilities catalog, and defenders published detections focused on suspicious AF_ALG, splice(), and setuid execution activity because traditional file-integrity checks may miss the in-memory-only tampering.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
21 events from the most recent confirmed update back to the earliest known activity.
Linux kernel developers merged crypto subsystem updates for the Linux 7.2 merge window that formally deprecated the AF_ALG interface, citing its attack surface and recent security issues including CopyFail. The merged changes also removed AF_ALG-related hardware offload, zero-copy support, and AIO support on sockets as part of the cleanup.
Xint published a follow-up showing how CopyFail could poison shared container image layers and even the host's runc binary via /proc/<pid>/exe, enabling pod-to-host escape. The write-up expanded the public understanding of CopyFail beyond setuid-binary privilege escalation.
A new public GitHub repository for CopyFail was published containing fully functional exploit code in multiple languages plus diagnostic scripts. The post noted that unpatched systems remained vulnerable despite stable-kernel fixes already being available.
Splunk published a separate detection analytic for Linux PF_ALG protocol family registration occurring more than 300 seconds after boot, describing it as a kernel-level indicator of CopyFail exploitation on Debian- and Ubuntu-family systems. The analytic uses linux_messages_syslog data to spot delayed AF_ALG loading by unprivileged processes and notes legitimate post-boot loading scenarios that can create false positives.
Splunk published the "Linux Malformed Auth Entry" analytic to detect suspicious `su` executions where the invoking username is missing from `linux_secure` logs, a condition it linked to page-cache corruption and possible CopyFail privilege escalation. The detection was associated with CVE-2026-31431, mapped to ATT&CK T1068, and configured to generate intermediate risk events in Splunk Enterprise Security.
Eric Biggers reported that AF_ALG had been marked deprecated by its maintainer in the wake of CopyFail. He tied the decision to AF_ALG's recurring vulnerability history and zero-copy attack surface.
Eric Biggers submitted a kernel patch to remove zero-copy support from AF_ALG skcipher and AEAD operations, citing CopyFail and similar bugs as justification. The change preserved compatibility while forcing internal copies for safety.
Red Hat's advisory timeline states its first product fix for RHEL 9 became available on May 4, 2026. The advisory also documented mitigations and hardening guidance for affected environments.
Splunk released an Auditd-based analytic to detect CopyFail exploitation by correlating AF_ALG socket activity, splice syscalls, and execution of setuid binaries. The rule was added to its Linux Privilege Escalation analytic story.
Mailing-list participants demonstrated that an unprivileged user could trigger modprobe for net-pf-38 and algif-aead simply by requesting an AF_ALG socket. This showed the vulnerable module need not be preloaded to be reachable.
AlmaLinux published a security notice saying it built and shipped patched kernels using the upstream fix before CentOS Stream and RHEL updates were available. The notice said all supported AlmaLinux releases were affected.
CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities catalog, marking it as actively exploited. Federal agencies were directed to remediate by May 15, 2026.
Eric Biggers posted AF_ALG fix backport series for older stable branches including 6.12, 6.1, 5.15, and 5.10. These postings addressed the gap left because the original fix did not apply cleanly to older kernels.
By April 30, 2026, major Linux distributions had begun issuing patches or advisories for CopyFail. References specifically mention Debian, Ubuntu, SUSE, and Red Hat moving to patch or publish guidance.
oss-security participants reported that adding initcall_blacklist=algif_aead_init to the kernel command line and rebooting blocked the public exploit, including on systems where algif_aead was built into the kernel. Testing on Rocky Linux 9.7 showed the exploit worked before the change and failed afterward.
Researchers publicly disclosed CopyFail and released technical details and a working proof-of-concept exploit. The disclosure described a deterministic local privilege escalation via AF_ALG and page-cache corruption affecting major Linux distributions.
The Linux kernel CVE team announced CVE-2026-31431 for the algif_aead flaw, and vulnerability feeds note the CVE was published on April 22, 2026. The announcement identified affected and fixed kernel versions.
oss-security discussion states the CopyFail fix had been backported into stable releases 6.18.22 and 6.19.12 by April 11, 2026. At that time, older long-term branches still lacked backports.
Linux committed the upstream fix reverting algif_aead to out-of-place operation. Multiple references state the fix landed on April 1, 2026, after the issue was reported.
Researchers reported CVE-2026-31431 to the Linux kernel security team, with several sources stating the report was made on March 23, 2026. Later discussion says a working exploit was provided during private reporting.
Linux commit 72548b093ee3 introduced in-place AEAD handling in algif_aead, the change later identified as the root cause of CopyFail. Multiple references state this commit landed in August 2017 and introduced the vulnerable behavior.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
50 references tracked. Mallory keeps watching after this page renders.
secpod.com
Open sourcesecpod.com
Open sourcephoronix.com
Open sourcevulncheck.com
Open sourcebugflation.com
Open sourceopenwall.com
Open sourcelore.kernel.org
Open sourcemainekhacker.medium.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.