Copy Fail: 732 bytes to root on every Linux server you forgot about

Carl Heaton · Security

CVE-2026-31431, nicknamed Copy Fail, is a local privilege escalation in the Linux kernel that hands root to any unprivileged user. The exploit is a 732-byte Python script. There are no kernel offsets to chase, no race conditions to win, and no special configuration to enable. If a user can log in, they can become root.

The bug has been sitting in mainline kernels since 2017.

What it actually is

The flaw is in the kernel's cryptographic API, specifically the authencesn template plumbed through the AF_ALG socket interface. A 2017 optimisation made certain page-cache pages writable in a way that lets an unprivileged process perform a controlled four-byte write into the cached copy of any file it can read, including setuid binaries like /usr/bin/su. Flip the right four bytes, and su is yours.

Everyone who ships a recent mainstream kernel is affected: Ubuntu, Debian, RHEL, SUSE, Amazon Linux 2023, Arch, Fedora, Rocky, Alma, Oracle. Patches are out in kernels 6.18.22, 6.19.12, and 7.0, and distributions are rolling them through their normal channels.

Why this one matters

Privilege escalation bugs are a dime a dozen, and they often need a foothold first. The interesting thing about Copy Fail is the combination: it works on essentially every modern Linux box, the exploit is tiny and reliable, and the prerequisite is "any local account."

That last bit is the one to think about. Your production servers probably don't hand out shell accounts. But shared CI runners, jump hosts, developer sandboxes, container hosts running unprivileged user namespaces, and anything with SSH keys floating around the team are all places where "local user" already exists. So is anything an attacker has reached through a web app vulnerability, a leaked SSH key, or a phished developer credential. Copy Fail turns any one of those into a root compromise.

What to do

Patch. Run your normal package manager update on every Linux host you operate. The kernel update needs a reboot to take effect, so plan that in.

If you can't reboot a box quickly, the temporary mitigation is to disable the algif_aead kernel module:

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf

Then unload the module if it's currently loaded. This blocks the attack path. Confirm nothing on the host depends on the AF_ALG AEAD interface first; in practice almost nothing does.
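A host triage script covering the steps above, added here as an example and not code from the post: it classifies the running kernel against the fixed upstream versions the post names (with the caveat that distribution backports keep older version strings), reports whether algif_aead is loaded, and applies the modprobe workaround only when run as root with --apply. The function names and the --apply flag are my own.

```shell
#!/bin/sh
# Copy Fail (CVE-2026-31431) host triage. Added example, not from the post.
# Uses only what the post states: fixed upstream kernels 6.18.22, 6.19.12 and
# 7.0, and the algif_aead modprobe workaround. Distribution kernels that
# backport the fix keep an older version string, so "unknown" means "check the
# vendor advisory", not "vulnerable". Assumes a plain "major.minor[.patch]"
# prefix in uname -r (true for the distributions the post lists).

# Classify a kernel release string. Prints: fixed | unfixed | unknown
copyfail_kernel_status() {
    ver=${1%%-*}                   # "6.18.21-generic" -> "6.18.21"
    maj=${ver%%.*}; rest=${ver#*.}
    min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0  # "7.0" carries no patch level
    case "$maj.$min" in
        6.18) if [ "$pat" -ge 22 ]; then echo fixed; else echo unfixed; fi ;;
        6.19) if [ "$pat" -ge 12 ]; then echo fixed; else echo unfixed; fi ;;
        *)    if [ "$maj" -ge 7 ]; then echo fixed; else echo unknown; fi ;;
    esac
}

# The modprobe rule the post gives, as a string (written only by --apply).
copyfail_modprobe_rule() { echo "install algif_aead /bin/false"; }

# True when algif_aead is loaded; false when it is not or /proc/modules is absent.
copyfail_module_loaded() {
    [ -r /proc/modules ] && grep -q '^algif_aead ' /proc/modules
}

# Write the rule, unload the module if loaded, and verify. Needs root.
# Returns 0 on success, 2 if the module is still loaded (something holds the
# AF_ALG AEAD interface open: the dependency the post says to check first).
copyfail_apply_workaround() {
    copyfail_modprobe_rule > /etc/modprobe.d/disable-algif-aead.conf || return 1
    if copyfail_module_loaded; then
        modprobe -r algif_aead 2>/dev/null
    fi
    if copyfail_module_loaded; then echo "algif_aead still loaded" >&2; return 2; fi
    return 0
}

rel=$(uname -r)
status=$(copyfail_kernel_status "$rel")
echo "kernel $rel: $status"
if copyfail_module_loaded; then echo "algif_aead: loaded"; else echo "algif_aead: not loaded"; fi
if [ "${1:-}" = "--apply" ] && [ "$status" != fixed ]; then copyfail_apply_workaround; fi
```

Run it without arguments on any host to get a report; a status of "unknown" on an enterprise kernel means the version string alone cannot tell you, so go by the vendor's advisory.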

While you're patching, this is a useful prompt to look at the boxes you'd struggle to update in a hurry. Anything you haven't rebooted in a year, anything where the patch process is unclear, anything where you're not sure who has a login. Copy Fail is the latest reminder that "local only" is a thinner barrier than it looks.

How Steelwise can help

Knowing what Linux you've got, what kernel it's on, and how quickly each box can be rebooted is the kind of question we work through with clients. Get in touch.
