Linux Kernel 0-Day “Copy Fail” Affects Distros Since 2017

A critical zero-day vulnerability in the Linux kernel has been publicly disclosed, allowing any unprivileged local user to gain full root access on virtually every major Linux distribution shipped since 2017 that has not yet received the fix.

Tracked as CVE-2026-31431 and dubbed “Copy Fail,” the flaw was discovered by Theori researcher Taeyang Lee and weaponized into a full exploit chain by the Xint Code Research Team using AI-assisted analysis.

Unlike earlier page-cache attacks such as Dirty Cow (CVE-2016-5195), which had to win a race, and Dirty Pipe (CVE-2022-0847), Copy Fail involves no timing at all.

Linux Kernel 0-Day “Copy Fail”

Copy Fail refers to a straight-line logic bug in the Linux kernel’s authencesn cryptographic template, reachable via the AF_ALG socket interface, combined with the splice() system call.

It requires no race to win, no per-kernel-version offsets, no recompilation and no compiled payload.

A single 732-byte Python script that uses only standard-library modules achieves deterministic root access across every tested distribution and architecture, an unusually low barrier for a local privilege escalation exploit.

The vulnerability originates from a 2017 in-place optimization introduced to algif_aead.c (commit 72548b093ee3).

When a user splices a file into a pipe and then splices the pipe into an AF_ALG socket, the AEAD input scatterlist holds direct references to the kernel page cache pages of that file, not copies.

For AEAD decryption, algif_aead.c sets req->src = req->dst, making the source and destination pointers refer to the same combined scatterlist. This places page cache pages into a writable destination scatterlist.

The authencesn template, which IPsec uses for 64-bit Extended Sequence Number (ESN) support, then uses the caller's destination buffer as scratch space: it writes 4 bytes at offset assoclen + cryptlen, past the declared output boundary, directly into the chained page cache pages.

Three independent code changes across 2011, 2015, and 2017 converged to create this exploitable condition, with no developer connecting their intersection for nearly a decade.

The exploit targets the kernel's page cache, the in-memory copy of file contents that every process reads from. By triggering a controlled 4-byte write into a page cache page belonging to any file it can read, the attacker corrupts the in-memory image of a setuid binary such as /usr/bin/su.

Because the kernel never marks the corrupted page dirty for writeback, the on-disk file remains untouched, so checksum-based file integrity tools that read from disk miss the modification entirely. The corruption lasts only as long as the page stays cached: once it is evicted, by memory pressure or by dropping the caches, the clean on-disk content is read back in and the evidence is gone, so any forensic capture has to happen while the page is still resident.
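One way to look for this in-memory-only tampering, as an added example that is not part of the original article or of the researchers' tooling: hash a file as it appears through the page cache and again while bypassing the cache with O_DIRECT, and flag any difference. The script assumes GNU coreutils (dd with iflag=direct and status=none, sha256sum) and a filesystem that honours O_DIRECT; overlayfs, and tmpfs on some kernels, refuse it, which the script reports as a skip rather than a mismatch. The --setuid scan and the output format are the script's own; it reproduces no corruption.

```shell
#!/bin/sh
# Added example, not from the article: detect a file whose page-cache copy no
# longer matches what is on disk, the footprint Copy Fail leaves on a setuid
# binary. Assumes GNU coreutils (dd iflag=direct/status=none, sha256sum) and
# a filesystem that honours O_DIRECT.
set -u

# Hash the file the way every process sees it: through the page cache.
hash_via_cache() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# Hash the bytes actually on disk by reading with O_DIRECT, which bypasses the
# page cache. Returns 2 when the filesystem rejects direct I/O so the caller
# can tell "cannot check" from "differs".
hash_via_disk() {
    tmp=$(mktemp) || return 2
    if ! dd if="$1" of="$tmp" iflag=direct bs=1M status=none 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    sha256sum -- "$tmp" | cut -d' ' -f1
    rm -f "$tmp"
    return 0
}

# 0: cache and disk agree; 1: they differ (prints both hashes); 2: not checkable.
compare_cache_disk() {
    c=$(hash_via_cache "$1") || return 2
    d=$(hash_via_disk "$1") || return 2
    [ -n "$c" ] && [ -n "$d" ] || return 2
    [ "$c" = "$d" ] && return 0
    printf 'MISMATCH %s\n  page cache: %s\n  on disk:    %s\n' "$1" "$c" "$d"
    return 1
}

# Check the named files, or with --setuid every setuid binary on the root
# filesystem (the targets the article names, /usr/bin/su among them).
main() {
    if [ "${1:-}" = --setuid ]; then
        set -- $(find / -xdev -perm -4000 -type f 2>/dev/null)
    fi
    bad=0
    for f in "$@"; do
        rc=0
        compare_cache_disk "$f" || rc=$?
        case $rc in
            1) bad=$((bad + 1)) ;;
            2) printf 'SKIP %s (unreadable or direct I/O unsupported)\n' "$f" ;;
        esac
    done
    printf '%d mismatched file(s)\n' "$bad"
    [ "$bad" -eq 0 ]
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as root (sh copyfail-cache-check.sh --setuid, or name specific binaries) before touching the caches; a mismatch is strong evidence of tampering, but a clean result only says the pages currently cached match the disk, not that the kernel is patched.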

The vulnerability was introduced with kernel 4.14 and affects every distribution that has not yet shipped the fix. Independent testing confirmed a root shell on:

Distribution         Kernel version
Ubuntu 24.04 LTS     6.17.0-1007-aws
Amazon Linux 2023    6.18.8-9.213.amzn2023
RHEL 10.3            6.12.0-124.45.1.el10_1
SUSE 16              6.12.0-160000.9-default

Beyond local privilege escalation, according to Xint Code research, Copy Fail functions as a Kubernetes container escape primitive.

Because the page cache is keyed by file and shared by every process on the host, including across container boundaries, a compromised container that can read a file (for example, a setuid binary in an image layer that other containers share, or a host path bind-mounted into it) can corrupt the cached copy that those other containers and the host see.

Patch and Mitigations

The official fix (commit a664bf3d603d) reverts algif_aead.c to out-of-place AEAD operation, permanently separating TX and RX scatterlists, eliminating the sg_chain() linkage that exposed page cache pages.

Pending kernel updates, administrators should apply these immediate mitigations, which stop the module from being loaded on demand (any unprivileged user can otherwise trigger an autoload simply by binding an AF_ALG socket of type "aead") and unload it if it is already resident:

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
rmmod algif_aead 2>/dev/null

Use an install rule rather than a blacklist line: blacklist only suppresses a module's aliases and does not stop a load by name. The rmmod fails silently if the module is in use, so confirm with lsmod that algif_aead is gone, and bear in mind that the rule is inert on kernels that build the interface in (CONFIG_CRYPTO_USER_API_AEAD=y), where only the kernel update closes the hole. The mitigation also breaks any legitimate userspace AEAD use through AF_ALG until the patched kernel is in place.
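To confirm that the mitigation actually took effect, the following added script (mine, not the article's or the researchers') reports whether algif_aead is loaded, compiled into the kernel, or blocked by an install rule. /proc/modules, /etc/modprobe.d and modules.builtin are the standard locations, but the script takes them as parameters so the logic can be exercised against constructed files; the four state names it prints are its own.

```shell
#!/bin/sh
# Added example, not from the article: classify the algif_aead exposure of this
# host. A modprobe.d install rule only blocks autoloading of a *module*; if
# the distribution built algif_aead into the kernel image the rule is inert
# and only a kernel update helps.
set -u

MODULES_FILE=${MODULES_FILE:-/proc/modules}
BUILTIN_FILE=${BUILTIN_FILE:-/lib/modules/$(uname -r)/modules.builtin}
MODPROBE_DIR=${MODPROBE_DIR:-/etc/modprobe.d}

# 0 if algif_aead is currently loaded as a module ("algif_aead <size> ..." line).
algif_aead_loaded() {
    [ -r "$1" ] && grep -q '^algif_aead ' "$1"
}

# 0 if algif_aead is compiled in: modules.builtin lists it as
# kernel/crypto/algif_aead.ko even though no loadable file exists.
algif_aead_builtin() {
    [ -r "$1" ] && grep -q '/algif_aead\.ko' "$1"
}

# 0 if some *.conf in the directory diverts the module to /bin/false or
# /bin/true. A plain "blacklist algif_aead" line does not count: blacklist only
# stops loads by alias, and an AF_ALG bind of type "aead" requests the module
# by name.
algif_aead_blacklisted() {
    [ -d "$1" ] && grep -qsE \
        '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/(false|true)' \
        "$1"/*.conf
}

# Prints exactly one of: exposed-builtin, exposed-loaded, mitigated, not-loaded.
# Arguments: modules file, modules.builtin file, modprobe.d directory.
algif_aead_state() {
    if algif_aead_builtin "$2"; then
        echo exposed-builtin      # rmmod/modprobe.d cannot help
    elif algif_aead_loaded "$1"; then
        echo exposed-loaded       # rmmod it, then add the install rule
    elif algif_aead_blacklisted "$3"; then
        echo mitigated            # cannot be pulled in by an AF_ALG bind
    else
        echo not-loaded           # any user can still trigger an autoload
    fi
}

main() {
    printf 'kernel %s: algif_aead is %s\n' "$(uname -r)" \
        "$(algif_aead_state "$MODULES_FILE" "$BUILTIN_FILE" "$MODPROBE_DIR")"
}

main
```

"mitigated" means the module cannot be autoloaded; it says nothing about whether the running kernel carries the fix, so keep the state "exposed-builtin" and "not-loaded" hosts at the top of the patch queue.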

The vulnerability was reported to the Linux kernel security team on March 23, 2026; patched on April 1, 2026; CVE assigned on April 22, 2026; and publicly disclosed on April 29, 2026.

System administrators are strongly urged to apply kernel updates immediately.


The post Linux Kernel 0-Day “Copy Fail” Affects Distros Since 2017 appeared first on Cyber Security News.

