Copy Fail (CVE-2026-31431): What the Latest Linux Privilege Escalation Means for Australian Defenders
- May 1
- 3 min read

A 732-byte Python script. That is all it takes to go from an unprivileged shell to root on almost every Linux distribution shipped since 2017. The flaw, dubbed Copy Fail and tracked as CVE-2026-31431, was disclosed on 29 April by researchers from Theori and Xint after sitting unnoticed in the Linux kernel for nine years.
What Happened
Copy Fail is a logic bug in the Linux kernel's authencesn AEAD cryptographic template, reachable by any local user through the AF_ALG socket interface. By chaining the flaw with splice(), an unprivileged local user gets a deterministic 4-byte write into the page cache of any file they can open for reading. The published proof-of-concept points that primitive at /usr/bin/su, modifies the cached copy, and produces a root shell. The bug carries a CVSS score of 7.8 (High), and the same exploit runs unmodified on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16. Theori reported it to the kernel security team on 23 March; mainline patched it on 1 April with commit a664bf3d603d, and the Xint Code write-up confirms that the fix reverts a 2017 in-place optimisation in algif_aead.c.
Why It Matters
Australian organisations running multi-tenant Linux hosts, Kubernetes clusters, CI runners, or notebook environments are firmly inside the blast radius. The page cache belongs to the host kernel and is shared by everything running on it, so a compromised pod or sandboxed function can cross container boundaries and reach the underlying node, an immediate concern for anyone hosting customer workloads or running self-hosted GitHub Actions runners on a shared kernel. The modification happens entirely in memory: the bytes on disk never change, so integrity checks keyed to mtime, ctime or a hash recorded at install time see nothing, and the tampered page can be evicted at any moment, after which the file reads clean again.
The same 732-byte exploit, unmodified, produced root on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16.
What Security Teams Should Do Now
Patch kernels to a build that includes mainline commit a664bf3d603d. Most major distributions are now shipping the fix; check vendor advisories for Ubuntu, RHEL, SUSE, Debian, Amazon Linux, Oracle, and Rocky. Distribution kernels backport fixes, so compare the installed package version against the advisory rather than looking for an upstream version number, and remember that a host remains vulnerable until it has rebooted into the patched kernel.
Where a reboot window is days away and algif_aead is built as a loadable module (CONFIG_CRYPTO_USER_API_AEAD=m in the kernel config), disable it as root with 'echo install algif_aead /bin/false > /etc/modprobe.d/disable-algif.conf' and unload any loaded copy with rmmod algif_aead; rmmod refuses with 'Module is in use' while a process still holds an AF_ALG aead socket. On a kernel with the interface compiled in (=y), modprobe rules do nothing and only the kernel update helps. dm-crypt, kTLS, IPsec, and default OpenSSL builds do not go through AF_ALG, so the practical breakage is minimal.
On container hosts, block AF_ALG socket creation in the seccomp profile applied to every container, regardless of patch state; Docker's default profile allows socket() without inspecting the address family, so this needs a custom profile. Treat it as defence in depth alongside the kernel update.
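The two interim mitigations above, the host-level module blacklist and the container-level seccomp deny, are worth scripting so they can be checked rather than assumed. The following is an added example written for this article; it is not code from the original page, from Theori or from Xint. It assumes a Debian/RHEL-style kernel config at /boot/config-$(uname -r), the /proc/modules text format, the Docker/containerd seccomp JSON layout (defaultAction, syscalls[].names/action/args/errnoRet), and a Linux build of Python that exposes socket.AF_ALG. The base seccomp profile shown is a constructed stand-in with the same shape as a runtime default profile; use the runtime's real default as the base in practice.

```python
"""Interim mitigations for algif_aead: classify the host, plan the modprobe
blacklist, probe whether AF_ALG aead is still reachable, and emit a seccomp
profile that fails socket(AF_ALG, ...) inside containers.
Added example, not the page's or Theori/Xint's code; assumptions as in the lead-in."""
import copy
import json
import platform
import re
import socket

MODULE = "algif_aead"
CONFIG_OPTION = "CONFIG_CRYPTO_USER_API_AEAD"
# The rule from the article: modprobe runs /bin/false instead of loading the
# module, which also defeats autoloading when bind() asks for type "aead".
MODPROBE_RULE = f"install {MODULE} /bin/false\n"
AF_ALG = 38          # include/linux/socket.h: the address family the exploit needs
EAFNOSUPPORT = 97    # errno returned to the container, as if the kernel lacked the family


def aead_build_state(config_text: str) -> str:
    """'module' (=m, blacklisting works), 'builtin' (=y, only the kernel update
    helps) or 'absent' (AF_ALG aead not built at all)."""
    m = re.search(rf"^{CONFIG_OPTION}=(m|y)$", config_text, re.MULTILINE)
    if m is None:
        return "absent"
    return "module" if m.group(1) == "m" else "builtin"


def module_loaded(proc_modules_text: str, name: str = MODULE) -> bool:
    """True if `name` is the first field of a line in /proc/modules-formatted text."""
    return any(line.split(" ", 1)[0] == name
               for line in proc_modules_text.splitlines() if line.strip())


def probe_af_alg_aead(algorithm: str = "gcm(aes)") -> str:
    """Exercise the path the exploit needs: socket(AF_ALG) then bind(type='aead').
    'reachable': bind succeeded; 'blocked': socket ok but bind failed (module
    blacklisted or unloaded); 'unsupported': no AF_ALG socket at all (non-Linux,
    seccomp deny, family disabled)."""
    if not hasattr(socket, "AF_ALG"):
        return "unsupported"
    try:
        s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError:
        return "unsupported"
    try:
        s.bind(("aead", algorithm))
        return "reachable"
    except OSError:
        return "blocked"
    finally:
        s.close()


def mitigation_plan(config_text: str, proc_modules_text: str) -> list:
    """Actions for this host as review text; nothing here touches the system."""
    state = aead_build_state(config_text)
    if state == "builtin":
        return [f"{MODULE} is compiled in: modprobe rules do nothing, schedule the kernel update"]
    if state == "absent":
        return [f"{CONFIG_OPTION} not set: nothing to blacklist"]
    steps = [f"write {MODPROBE_RULE.strip()!r} to /etc/modprobe.d/disable-algif.conf"]
    if module_loaded(proc_modules_text):
        steps.append(f"rmmod {MODULE} (refused with 'Module is in use' while an aead socket is open)")
    return steps


# Constructed stand-in for a runtime default profile: an allow list that contains socket().
CONSTRUCTED_BASE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [{"names": ["read", "write", "socket", "bind", "exit_group"],
                  "action": "SCMP_ACT_ALLOW"}],
}


def block_af_alg(base_profile: dict) -> dict:
    """Copy of `base_profile` in which socket() with arg0 == AF_ALG fails with
    EAFNOSUPPORT and every other family keeps the base behaviour. An unconditional
    allow that lists socket is split first so no broader rule competes with the deny."""
    profile = copy.deepcopy(base_profile)
    rules = []
    for rule in profile.get("syscalls", []):
        names = list(rule.get("names", []))
        if "socket" in names and not rule.get("args"):
            names.remove("socket")
            if names:
                rules.append({**rule, "names": names})
            rules.append({"names": ["socket"], "action": rule["action"],
                          "args": [{"index": 0, "value": AF_ALG, "op": "SCMP_CMP_NE"}]})
        else:
            rules.append(rule)
    rules.append({"names": ["socket"], "action": "SCMP_ACT_ERRNO", "errnoRet": EAFNOSUPPORT,
                  "args": [{"index": 0, "value": AF_ALG, "op": "SCMP_CMP_EQ"}]})
    profile["syscalls"] = rules
    return profile


def decide(profile: dict, syscall: str, arg0: int):
    """Model the filter's answer for one call as (action, errnoRet). Only the arg0
    EQ/NE comparisons emitted above are modelled; they are disjoint, so order is moot."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and all(_arg0_matches(c, arg0) for c in rule.get("args", [])):
            return rule["action"], rule.get("errnoRet")
    return profile["defaultAction"], None


def _arg0_matches(cmp: dict, arg0: int) -> bool:
    if cmp["index"] != 0 or cmp["op"] not in ("SCMP_CMP_EQ", "SCMP_CMP_NE"):
        raise ValueError("this model only handles arg0 EQ/NE comparisons")
    return (arg0 == cmp["value"]) if cmp["op"] == "SCMP_CMP_EQ" else (arg0 != cmp["value"])


def render(profile: dict) -> str:
    """JSON for docker run --security-opt seccomp=<file> or a Pod's Localhost seccompProfile."""
    return json.dumps(profile, indent=2)


if __name__ == "__main__":
    try:
        cfg = open(f"/boot/config-{platform.release()}").read()
    except OSError:
        cfg = ""
    try:
        mods = open("/proc/modules").read()
    except OSError:
        mods = ""
    print(f"build={aead_build_state(cfg)} loaded={module_loaded(mods)} aead={probe_af_alg_aead()}")
    for step in mitigation_plan(cfg, mods):
        print(" -", step)
    print(render(block_af_alg(CONSTRUCTED_BASE)))
```

Run it before and after applying the modprobe rule: the probe should move from 'reachable' to 'blocked' on a host where the module was loadable, and stay 'reachable' on a kernel that reports 'builtin', which is the signal that only the kernel update will do. Inside a container started with the rendered profile the probe reports 'unsupported', because socket() itself now fails with EAFNOSUPPORT.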
Audit CI environments. Self-hosted runners that execute pull-request code as a regular user should be patched first; a malicious PR is a viable delivery vector.
Review detection coverage for in-memory tampering of setuid binaries. Rules that compare against a hash recorded at install time, or that alert on mtime and ctime changes, will miss this entirely. Every read() of the file is served from the page cache, so the one userspace signal is a fresh hash that disagrees with the package manager's record (dpkg --verify, rpm -V) while the file's metadata is unchanged, and that window closes as soon as the tampered page is evicted. Auditing socket() calls with the AF_ALG family (address family 38) gives an earlier signal, since ordinary workloads rarely open one.
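A re-hash check of the kind described above, written as an added example for this article (not code from the original page or from Theori/Xint). It assumes the flat /usr/bin-style directory layout for setuid binaries and stores its own JSON baseline; the sample file and 4-byte change in the test are constructed. The interesting output is the "metadata unchanged" flag: a legitimate package update changes the hash and the mtime together, while a page-cache write changes only the content.

```python
"""Re-hash setuid binaries against a baseline and flag content changes that
arrive without a metadata change, the shape an in-memory tamper has from
userspace. Added example, not the page's or Theori/Xint's code."""
import hashlib
import json
import os
import stat
import sys

SETUID_ROOTS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin")   # assumption: usual layout


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Hash the file as the kernel serves it, i.e. through the page cache."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_setuid(root: str) -> list:
    """Regular files with the setuid bit directly under `root` (these dirs are flat)."""
    found = []
    for entry in os.scandir(root):
        try:
            st = entry.stat(follow_symlinks=False)
        except FileNotFoundError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
            found.append(entry.path)
    return sorted(found)


def baseline(paths) -> dict:
    """Record content hash and mtime for each path; take it on a known-good host."""
    return {p: {"sha256": sha256_of(p), "mtime_ns": os.stat(p).st_mtime_ns} for p in paths}


def check(base: dict) -> list:
    """(path, reason) for every baselined file whose content no longer matches.
    'metadata unchanged' means the mtime is identical, so no write() or package
    update explains the new bytes."""
    findings = []
    for path, rec in base.items():
        try:
            now = sha256_of(path)
        except OSError as e:
            findings.append((path, f"unreadable: {e.strerror}"))
            continue
        if now != rec["sha256"]:
            reason = "content changed"
            if os.stat(path).st_mtime_ns == rec["mtime_ns"]:
                reason += ", metadata unchanged"
            findings.append((path, reason))
    return findings


if __name__ == "__main__":
    store = sys.argv[1] if len(sys.argv) > 1 else "setuid-baseline.json"
    if not os.path.exists(store):
        paths = [p for r in SETUID_ROOTS if os.path.isdir(r) for p in find_setuid(r)]
        with open(store, "w") as f:
            json.dump(baseline(paths), f, indent=1)
        print(f"baseline of {len(paths)} setuid binaries written to {store}")
    else:
        with open(store) as f:
            for path, why in check(json.load(f)):
                print(f"ALERT {path}: {why}")
```

Because the tampered page can be evicted at any time, a check like this only catches what is resident when it runs; schedule it often on shared-kernel hosts and treat any "metadata unchanged" finding as an incident rather than drift.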
Verify exposure with the published PoC inside an isolated lab, never on production, to confirm patches have actually landed where you expect them.
Aurian's Take
Copy Fail is a reminder that the most consequential bugs are rarely the loudest. A small optimisation slipped into algif_aead.c in 2017 sat in production kernels for nine years, shipped in every mainstream distribution, and gave any local user a clean path to root. The exploit needs no race window, no kernel-specific offsets, no exotic primitives, just a regular shell and a few hundred bytes of Python. Bugs of this shape do not get found by signature-based scanners or compliance checklists. They get found by people working through subsystems line by line, and increasingly by people working alongside code-aware AI tooling that can do the same.
This is the work regular penetration testing and security assurance is built for. Aurian helps Australian organisations through penetration testing and security assessment that pressure-test the assumptions baked into their Linux estates: which hosts are genuinely single-tenant, where untrusted code actually executes, whether container boundaries hold under a real privilege-escalation chain, and whether monitoring catches in-memory tampering rather than only on-disk changes. The teams who came out of this disclosure with a calm Wednesday morning had patched the moment vendor advisories landed and already knew which workloads ran on shared kernels.
Copy Fail will not be the last quiet logic flaw to surface from the kernel's older subsystems, and the next one will not announce itself any louder. To find out how Aurian can help your organisation assess its exposure, get in touch.



