{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/260001#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nA privilege escalation vulnerability has been discovered in Linux kernel version 4.17 (released 2017) and later. Many popular distributions and Linux-based containers are affected. This vulnerability was publicly disclosed on April 29, 2026, has been assigned CVE ID [CVE-2026-31431](https://www.cve.org/CVERecord?id=CVE-2026-31431), and is commonly referred to as \"Copy Fail.\" \r\n\r\n### Description\r\nThe Linux kernel, since version 4.17, includes the `algif_aead` module, which provides user space access to authenticated encryption with associated data (AEAD) operations via the `AF_ALG` interface. This module may be available as a loadable kernel module or compiled directly into the kernel, depending on the Linux distribution or the custom-built Linux install.\r\n\r\nAccording to the [https://copy.fail](https://copy.fail) disclosure statement:\r\n> An unprivileged local user can write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root.\r\n\r\nThe vulnerability is caused by a logic flaw in the Linux kernel’s `algif_aead` (`AF_ALG`) implementation. An unprivileged local user can reliably perform a controlled 4-byte write into the page cache of any readable file without race conditions or timing dependencies.\r\n\r\nCritically, the corrupted page is not marked dirty, so the modified contents are never written back to disk. The underlying file remains unchanged, allowing the in-memory corruption to bypass checksum and file integrity verification mechanisms. 
Because subsequent reads are served from the page cache, an attacker can target a `setuid` binary and modify its in-memory contents to achieve local privilege escalation to root.\r\n\r\nA 732-byte proof-of-concept [Python script](https://github.com/theori-io/copy-fail-CVE-2026-31431) demonstrates exploitation by modifying a `setuid` binary to obtain root privileges on many Linux distributions released since 2017. This vulnerability was discovered by Taeyang Lee of Theori, with assistance from their AI-based static application security testing (SAST) tool, Xint Code, during analysis of the Linux kernel cryptographic subsystem. \r\n\r\n### Impact\r\nThis vulnerability allows an unprivileged local user to modify the in-memory contents of a `setuid` binary and escalate privileges to root. [Public proof-of-concept (PoC)](https://certcc.github.io/SSVC/howto/gathering_info/exploitation/#public-poc) exploit code is available, therefore increasing the likelihood of exploitation.\r\n\r\n### Solution\r\n#### Patch the Kernel\r\nApply the upstream kernel [patch](https://github.com/torvalds/linux/commit/72548b093ee38a6d4f2a19e6ef1948ae05c181f7) that addresses the issue by reverting `AF_ALG` AEAD to an out-of-place operation. \r\n\r\n#### Update Linux distribution\r\nUpdate your distribution’s kernel package as soon as vendor patches become available. Most major Linux distributions are expected to release fixes through their standard update channels.\r\n\r\n#### Workarounds (if patching is not immediately possible):\r\n1. Disable the `algif_aead` module (if loadable):\r\n`echo \"install algif_aead /bin/false\" > /etc/modprobe.d/disable-algif-aead.conf`\r\n`rmmod algif_aead 2>/dev/null`\r\nThis prevents the module from being loaded and removes it if already active.\r\n\r\n2. 
If `algif_aead` is compiled into the kernel (not a dynamic module), the following parameter can be added to grub or systemd-boot or grubby depending on your boot configuration:\r\n`initcall_blacklist=algif_aead_init`\r\nThis prevents the module from initializing at boot time. A system reboot is required for this change to take effect.\r\n\r\nNote: These workarounds may impact applications that rely on `AF_ALG` cryptographic interfaces.\r\n\r\n#### Mitigation for containers \r\nFor containerized environments, where this vulnerability may be leveraged for container escape, consider applying one or more of the following mitigations:\r\n\r\n* Secure computing (seccomp) filtering: Restrict or deny system calls that create sockets using the AF_ALG address family (protocol 38).\r\n* AppArmor policies: Use AppArmor to block creation of AF_ALG sockets via the network alg rule.\r\n* eBPF-based enforcement: Deploy BPF-based controls to deny socket creation with address family AF_ALG (38).\r\n\r\nThis is adapted from the guidance provided by [ByteDance for the vArmor community](https://github.com/bytedance/vArmor/blob/main/website/docs/guides/policies_and_rules/built_in_rules/vulnerability_mitigation.md#copy-fail-mitigation). \r\n\r\n#### Note on Virtualization\r\nWhile the internal kernel within a virtual machine (VM) or MicroVM is susceptible to this vulnerability, standard virtualization provides hardware-enforced memory isolation. This bug cannot be directly leveraged to facilitate a virtualization escape from a *guest* to the *host*. Virtualization and micro-virtualization technologies effectively contain the impact to the individual VM instance, protecting the host kernel and neighboring tenants from guest-originated attacks.\r\n\r\n\r\n### Acknowledgements\r\nThis vulnerability was disclosed by the Theori.io research group. 
This document was written by Bob Kemerer and Vijay Sarvepalli.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"SUSE and openSUSE distributions were affected by this problem and have received kernel updates and kernel live patches.","title":"Vendor statement from SUSE Linux"},{"category":"other","text":"Arista has limited exposure across some products. As a summary: EOS is not affected. CloudVision Portal is affected in limited circumstances. 
Please see https://www.arista.com/en/support/advisories-notices/security-advisory/24004-security-advisory-0136 for detailed information including all other products.","title":"Vendor statement from Arista Networks"},{"category":"other","text":"Please see [https://github.com/torvalds/linux/commit/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5](https://github.com/torvalds/linux/commit/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5) for the actual patch, along with [https://www.openwall.com/lists/oss-security/2026/04/29/23](https://www.openwall.com/lists/oss-security/2026/04/29/23)","title":"CERT/CC comment on Linux Kernel notes"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document 
released","category":"self","url":"https://kb.cert.org/vuls/id/260001"},{"url":"https://xint.io/blog/copy-fail-linux-distributions","summary":"https://xint.io/blog/copy-fail-linux-distributions"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31431","summary":"https://nvd.nist.gov/vuln/detail/CVE-2026-31431"},{"url":"https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available","summary":"https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available"},{"url":"https://github.com/torvalds/linux/commit/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5","summary":"https://github.com/torvalds/linux/commit/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5"},{"url":"https://copy.fail/","summary":"https://copy.fail/"},{"url":"https://github.com/theori-io/copy-fail-CVE-2026-31431","summary":"https://github.com/theori-io/copy-fail-CVE-2026-31431"},{"url":"https://www.stream.security/post/cve-2026-31431-how-copy-fail-behaves-in-kubernetes","summary":"https://www.stream.security/post/cve-2026-31431-how-copy-fail-behaves-in-kubernetes"},{"url":"https://github.com/iwanhae/copyfail-ebpf-k8s","summary":"https://github.com/iwanhae/copyfail-ebpf-k8s"},{"url":"https://www.suse.com/c/suse-responds-to-the-copy-fail-vulnerability/","summary":"Reference(s) from vendor \"SUSE Linux\""},{"url":"https://support.scc.suse.com/s/kb/Security-vulnerability-Copy-Fail-local-root-exploit-vulnerability-CVE-2026-31431","summary":"Reference(s) from vendor \"SUSE Linux\""},{"url":"https://github.com/NixOS/nixpkgs/pull/515023","summary":"Reference(s) from vendor \"NixOS\""},{"url":"https://github.com/NixOS/nixpkgs/pull/515037","summary":"Reference(s) from vendor \"NixOS\""},{"url":"https://github.com/NixOS/nixpkgs/pull/515585","summary":"Reference(s) from vendor \"NixOS\""}],"title":"Linux kernel contains local privilege escalation vulnerability (Copy 
Fail)","tracking":{"current_release_date":"2026-05-08T20:10:44+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.39"}},"id":"VU#260001","initial_release_date":"2026-05-08 19:23:15.660266+00:00","revision_history":[{"date":"2026-05-08T20:10:44+00:00","number":"1.20260508201044.3","summary":"Released on 2026-05-08T20:10:44+00:00"}],"status":"final","version":"1.20260508201044.3"}},"vulnerabilities":[{"title":"In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data.","notes":[{"category":"summary","text":"In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly."}],"cve":"CVE-2026-31431","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#260001"}],"product_status":{"known_affected":["CSAFPID-028bef3e-4ba6-11f1-b6a6-02b4d23962c7","CSAFPID-028c1720-4ba6-11f1-b6a6-02b4d23962c7","CSAFPID-028c3e44-4ba6-11f1-b6a6-02b4d23962c7"],"known_not_affected":["CSAFPID-028c5cbc-4ba6-11f1-b6a6-02b4d23962c7","CSAFPID-028c8840-4ba6-11f1-b6a6-02b4d23962c7"]}}],"product_tree":{"branches":[{"category":"vendor","name":"SUSE Linux","product":{"name":"SUSE Linux Products","product_id":"CSAFPID-028bef3e-4ba6-11f1-b6a6-02b4d23962c7"}},{"category":"vendor","name":"Arista Networks","product":{"name":"Arista Networks Products","product_id":"CSAFPID-028c1720-4ba6-11f1-b6a6-02b4d23962c7"}},{"category":"vendor","name":"NixOS","product":{"name":"NixOS Products","product_id":"CSAFPID-028c3e44-4ba6-11f1-b6a6-02b4d23962c7"}},{"category":"vendor","name":"Linux 
KVM","product":{"name":"Linux KVM Products","product_id":"CSAFPID-028c5cbc-4ba6-11f1-b6a6-02b4d23962c7"}},{"category":"vendor","name":"Linux Kernel","product":{"name":"Linux Kernel Products","product_id":"CSAFPID-028c8840-4ba6-11f1-b6a6-02b4d23962c7"}}]}}