Copy Fail (CVE-2026-31431): A 9-Year-Old Linux Bug That Gives Any Local User Root — No Race Condition Required
CVE-2026-31431, dubbed Copy Fail, is a local privilege escalation flaw in every Linux kernel since 2017. A 732-byte Python script reliably achieves root with no race condition, affecting Ubuntu, RHEL, Debian, and virtually every other distribution.
Every major Linux distribution is currently shipping emergency kernel patches for CVE-2026-31431, a local privilege escalation flaw nicknamed Copy Fail that has been sitting in the kernel since 2017. Any unprivileged local user can gain root using a 732-byte Python exploit — no race condition, no special permissions, no timing tricks.
What the Bug Is
The vulnerability lives in algif_aead, a kernel module that provides the AEAD (Authenticated Encryption with Associated Data) interface to userspace cryptographic applications. A logic error introduced in 2017 allows an unprivileged user to write exactly 4 controlled bytes into the page cache of any readable file on the system.
The page cache is the kernel’s in-memory copy of files. When you target a privileged binary — say, /usr/bin/sudo — you can modify the kernel’s cached version without touching the file on disk. The underlying file stays clean; the kernel runs your tampered copy. The result: root.
CVE: CVE-2026-31431
CVSS v3: 7.8 (High)
Component: Linux kernel algif_aead (cryptographic subsystem)
Affected kernels: All versions from 2017 until the patched releases
Exploit requirements: Local code execution as a regular (unprivileged) user
Remote exploitation: Not directly — but pair it with any web app or container escape and it becomes an immediate root path
Why It’s Worse Than Dirty Cow
Dirty Cow (2016) required winning a race condition. Dirty Pipe (2022) was reliable but limited in scope. Copy Fail is worse on both counts: the exploit is deterministic — the same Python script works across Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, Debian, Fedora, Arch, and every other mainstream distribution running an unpatched kernel.
Wiz researchers, who disclosed the bug, summarized the scope: “any unprivileged local user can reliably gain root, and the same exploit works on virtually every modern Linux distribution.”
The Fix
All major distributions have either shipped patches or have them in imminent release:
- Ubuntu: Patches available now — sudo apt update && sudo apt upgrade
- RHEL / CentOS / Rocky: RHSB-2026-02 advisory — update via dnf update kernel
- Debian / Fedora / Arch: Security updates in standard channels
- Amazon Linux 2023: Patch available in the AMI update stream
- CloudLinux: Patched kernel available; live-patching via KernelCare for no-reboot deployments
If you cannot apply the kernel patch immediately, the interim mitigation is to blacklist the vulnerable module:
echo "blacklist algif_aead" | sudo tee /etc/modprobe.d/algif_aead.conf
sudo modprobe -r algif_aead
Note: blacklisting only works if the module is not currently loaded and not required by other kernel features. Check lsmod | grep algif_aead first.
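The check this note asks for can be scripted per host. The following is an added example, not code from the article or from any distribution's tooling; the function names and status strings are made up for illustration. It goes one step beyond the note by also reading modules.builtin, because a module compiled into the kernel is not affected by a modprobe blacklist.

```sh
#!/bin/sh
# Added example: audit the interim algif_aead mitigation on one host.
# File locations are parameters (hypothetical interface) so the logic can be
# exercised against constructed files; defaults are the real system paths.

# 0 if the module is listed in a /proc/modules-style file (name is field 1).
module_loaded() {
    awk -v m="$1" '$1 == m { f = 1 } END { exit !f }' \
        "${2:-/proc/modules}" 2>/dev/null
}

# 0 if an uncommented "blacklist <module>" line exists in any *.conf file.
module_blacklisted() {
    for conf in "${2:-/etc/modprobe.d}"/*.conf; do
        [ -f "$conf" ] || continue
        awk -v m="$1" '$1 == "blacklist" && $2 == m { f = 1 } END { exit !f }' \
            "$conf" && return 0
    done
    return 1
}

# 0 if the module is compiled into the kernel (listed in modules.builtin),
# in which case a modprobe blacklist has no effect on it.
module_builtin() {
    awk -F/ -v m="$1.ko" '$NF == m { f = 1 } END { exit !f }' \
        "${2:-/lib/modules/$(uname -r)/modules.builtin}" 2>/dev/null
}

# Prints builtin | loaded | blacklisted | exposed.
# Args: module [modules_file] [modprobe_dir] [builtin_file]
mitigation_status() {
    if module_builtin "$1" "$4"; then
        echo "builtin"      # blacklist cannot help; only the patched kernel does
    elif module_loaded "$1" "$2"; then
        echo "loaded"       # still present in the running kernel
    elif module_blacklisted "$1" "$3"; then
        echo "blacklisted"  # interim mitigation in place
    else
        echo "exposed"      # not loaded, but no blacklist entry found
    fi
}

mitigation_status algif_aead
```

Any result other than "blacklisted" means the host is still relying on the kernel update alone.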
Who Needs to Act
If you run Linux — on bare metal, in VMs, or in containers where the kernel is shared — you are affected. Cloud environments where multiple tenants share a kernel (certain managed Kubernetes setups, VPS providers using container-based isolation) have elevated exposure because any tenant achieving local execution can escalate to host-level access.
Apply the kernel update. Reboot. Then verify: uname -r should reflect the patched version listed in your distribution’s advisory.
The PoC for Copy Fail will be public before the week is out. The window between patched kernel availability and working public exploit is the time you have.