Security News 8 min read May 9, 2026

CopyFail (CVE-2026-31431): What You Need to Know and How to Protect Your Infrastructure

A 732-byte Python exploit can give any local user root access on nearly every Linux kernel shipped since 2017. Here's what CopyFail is, how it works, and what to do right now.

What Is CopyFail?

CopyFail (CVE-2026-31431) is a local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem. It allows any unprivileged local user to gain full root access on affected systems — deterministically, without race conditions, and using a tiny 732-byte Python script that works unchanged across distributions.

The vulnerability was introduced in 2017 by an optimization in algif_aead.c and affects every Linux kernel version from 4.14 through 6.19.12. That means Ubuntu, RHEL, Debian, SUSE, Amazon Linux, Fedora, and essentially every Linux distribution deployed in production today has been vulnerable for almost a decade.

7.8
CVSS score (High severity)
9 years
vulnerability existed undetected in kernel
732 bytes
size of the full working exploit

How CopyFail Works

CopyFail exploits the kernel's AF_ALG (crypto API) interface to perform controlled 4-byte writes directly into the page cache of readable files. The attack flow is straightforward:

  1. The attacker opens a readable setuid binary (like /usr/bin/sudo or /usr/bin/passwd) through the AF_ALG interface
  2. The kernel's AEAD (Authenticated Encryption with Associated Data) implementation contains a flaw in how it handles output buffers
  3. The attacker triggers a controlled 4-byte write into the page cache — the kernel's in-memory copy of the file
  4. By corrupting specific bytes of the setuid binary in memory, the attacker can redirect execution flow
  5. When any user (or the attacker themselves) executes the corrupted setuid binary, the attacker's code runs as root
CopyFail Attack Flow 1. Open setuid binary via AF_ALG 2. Trigger AEAD buffer overflow 3. Write 4 bytes to page cache 4. Execute binary → ROOT ACCESS Why CopyFail Is More Dangerous Than Previous Kernel LPEs • No race condition — works 100% reliably on first attempt (unlike Dirty Cow) • Works across all distros unchanged — single 732-byte exploit (unlike Dirty Pipe) • In-memory only — no on-disk changes, evades traditional file integrity monitoring • Targets page cache of setuid binaries — standard forensics won't detect it

CopyFail exploits the AF_ALG crypto interface to corrupt setuid binaries in the page cache without touching disk

Why CopyFail Is Especially Dangerous for Infrastructure

Unlike many kernel vulnerabilities that require specific configurations or timing, CopyFail is uniquely dangerous because of its reliability and stealth:

Critical Risk Factors

Deterministic exploitation: No race conditions, no timing dependencies. The exploit works every time on the first attempt.

Universal compatibility: A single 732-byte Python script works on every affected distribution without modification.

Forensic evasion: The corruption exists only in the page cache (RAM). The file on disk remains unchanged, meaning traditional file integrity monitoring (AIDE, Tripwire, OSSEC) won't detect the compromise.

Who Is Most at Risk?

  • Multi-tenant cloud environments — any tenant with local access can escalate to root
  • Kubernetes clusters — container escape becomes trivial once root is obtained on the host kernel
  • CI/CD runners — build jobs with local access can compromise the entire runner fleet
  • Shared development servers — any developer account can escalate to root
  • Bastion hosts — the single point of access becomes the single point of compromise

Affected Systems

Distribution Affected Versions Fix Available
Ubuntu 16.04+ (kernel 4.14+) Yes — USN updates released
RHEL / CentOS RHEL 7+ (kernel 4.14+) Yes — RHSA advisories published
Debian Stretch+ (kernel 4.14+) Yes — DSA updates available
Amazon Linux AL2 and AL2023 Yes — ALAS advisories published
SUSE / openSUSE SLE 15+ (kernel 4.14+) Yes — SUSE-SU updates
Fedora All supported versions Yes — Bodhi updates

Immediate Mitigation Steps

If you cannot patch immediately, you can mitigate CopyFail by disabling the vulnerable kernel module:

# Disable the algif_aead module
echo "install algif_aead /bin/true" | sudo tee /etc/modprobe.d/copyfail.conf

# Unload if currently loaded
sudo modprobe -r algif_aead 2>/dev/null

This prevents the AF_ALG AEAD interface from being loaded. Most server workloads don't use this module directly — it's primarily used by user-space cryptographic applications. However, you should verify your applications don't depend on it before deploying this mitigation.

Long-Term Fix

  • Patch immediately: Update to kernel versions 6.19.13+ or your distribution's fixed kernel
  • Audit access: Review who has local shell access to production systems
  • Reduce blast radius: Implement least-privilege access so fewer accounts can reach vulnerable hosts
  • Monitor for exploitation: Watch for unusual AF_ALG socket creation in audit logs

What This Means for Access Management

CopyFail is a stark reminder that local access is root access when kernel vulnerabilities exist. The vulnerability's 9-year existence proves that relying on kernel security alone is insufficient — you must control who gets local access in the first place.

This is exactly why modern access management principles matter:

  • Just-in-Time access: Don't give standing SSH access to production servers. Grant time-limited sessions only when needed.
  • Session recording: Every shell session should be recorded so exploitation attempts are visible.
  • Least privilege: Reduce the number of humans with local access to production kernels.
  • Identity-based access: Know exactly who accessed which server and when — not shared credentials that obscure attribution.

With a platform like OnePAM, you can ensure that even if a kernel LPE exists, the number of people who can exploit it is minimized, every access session is audited, and access expires automatically.

Reduce Your Exposure to Kernel-Level Threats

OnePAM's Just-in-Time access ensures fewer people have standing access to vulnerable systems. Session recording catches exploitation attempts. Auto-expiring access limits your blast radius.

Start Free Trial

Timeline

Date Event
2017 Vulnerable optimization added to algif_aead.c in Linux kernel 4.14
April 2026 Vulnerability discovered and reported
April 30, 2026 Public disclosure and CVE-2026-31431 assigned
May 2026 Patches rolling out across all major distributions

Key Takeaways

Action Items

1. Patch now. Update all Linux systems to patched kernel versions immediately.

2. Mitigate. If patching isn't immediate, disable the algif_aead module.

3. Audit access. Review who has shell access to production. Remove unnecessary standing access.

4. Adopt JIT access. CopyFail proves that local access = root access. Minimize who has it and for how long.

CopyFail joins the lineage of Dirty Cow (2016) and Dirty Pipe (2022) as a reminder that Linux kernel privilege escalation vulnerabilities are not theoretical — they are practical, reliable, and dangerous. The best defense isn't just patching (though you must patch) — it's ensuring that fewer people have local access to your production infrastructure in the first place.

CVE CopyFail Linux Privilege Escalation Kernel
OnePAM Team
Security & Infrastructure Team

Keep Reading