CVE-2026-31431 (Copy Fail): Linux Kernel LPE

  • source: securityboulevard.com (syndicated from mend.io)
  • published date: 2026-04-30 00:00:00 UTC

<p>A new <a href="https://www.bleepingcomputer.com/news/security/new-linux-copy-fail-flaw-gives-hackers-root-on-major-distros/" rel="noreferrer noopener">Linux kernel LPE</a> disclosed by <a href="https://theori.io/products/xint" rel="noreferrer noopener">Theori/Xint</a> lets any unprivileged local user become root with a 732-byte Python script. The exploit works on the first try, with no race to win and no per-kernel offsets to tune. CVSS 7.8 (High), but effectively critical for shared-kernel and multi-tenant environments, where one local user or one pod can take over the whole host.</p>
<h2 class="wp-block-heading" id="the-bug"><strong>The bug</strong></h2>
<p>A logic flaw in the <a href="https://thehackernews.com/2026/04/new-linux-copy-fail-vulnerability.html" rel="noreferrer noopener">kernel’s algif_aead</a> code (introduced in 4.14, July 2017), reached through an AF_ALG socket and splice(), gives a deterministic 4-byte write into the page cache of any file the attacker can read, including setuid-root binaries.</p>
<ul class="wp-block-list"> <li>No race, no per-kernel offsets, works first try.</li> <li>The write lands in the cached copy of the file, not on disk, so tools that hash the on-disk file (AIDE, <code>rpm -V</code> and the like) will not see it; evicting the page or rebooting restores the original content, but by then the attacker has already run code as root.</li> <li>The page cache is shared across the host, so on Kubernetes nodes this is a container escape primitive for any pod that can create AF_ALG sockets.</li> </ul>
<h2 class="wp-block-heading" id="whos-affected"><strong>Who’s affected</strong></h2>
<p>Every kernel from 4.14 until the fix. Theori verified root on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16, and the same exploit works unmodified on Debian, Fedora, Rocky, Alma, Oracle, and Arch. Fixed upstream in 6.18.22, 6.19.12, and 7.0. Distribution kernels carry backported fixes under their own version numbers, so check your kernel package against your vendor’s advisory rather than comparing <code>uname -r</code> with the upstream numbers.</p>
<h2 class="wp-block-heading" id="what-to-do"><strong>What to do</strong></h2>
<p>Most distros had not shipped patched kernels at disclosure. Mitigate first, patch when available.</p>
<ol class="wp-block-list"> <li>Disable algif_aead on every host (as root):</li> </ol>
<pre class="wp-block-code"><code>echo "install algif_aead /bin/false" &gt; /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2&gt;/dev/null || true</code></pre>
<p>The <code>install</code> line stops the module from being loaded on demand, which is how a bind() on an AF_ALG socket of type <code>aead</code> would otherwise pull it in; the <code>rmmod</code> removes it if it is already loaded. This only works when algif_aead is built as a module: if your kernel has <code>CONFIG_CRYPTO_USER_API_AEAD=y</code>, only a kernel update removes the code path. Safe to apply: it does not affect dm-crypt, kTLS, IPsec, OpenSSL, SSH, or kernel keyring crypto, which do not go through AF_ALG. Only applications that explicitly use the AF_ALG user-space interface for AEAD ciphers are affected (the OpenSSL afalg engine is the usual example).</p>
<ol start="2" class="wp-block-list"> <li>Block AF_ALG (socket family 38) via seccomp for untrusted workloads, such as K8s pods, CI runners, and agent sandboxes, so that <code>socket(AF_ALG, ...)</code> fails before the module is ever reached.</li> <li>Patch the kernel as soon as your distro ships the fix, then reboot: an installed kernel package is not in effect until you have booted into it.</li> <li>Prioritize: multi-tenant K8s nodes, then CI runners, then production servers, then workstations.</li> </ol>
<h2 class="wp-block-heading" id="for-cloud-native-teams"><strong>For cloud-native teams</strong></h2>
<p>Kernel CVEs don’t appear in image SBOMs, because an image scanner sees the packages inside the image and not the host kernel the container runs on, so detection belongs at the node layer: the kernel package version on each node. Workloads running under hardware virtualization (Firecracker for Lambda, Fargate) or kernel reimplementations (gVisor, V8 isolates) are not exposed to the host kernel’s AF_ALG path. A microVM still runs its own Linux guest kernel, so the host boundary holds, but a process inside the guest can still become root within that guest until the guest kernel is updated.</p>
<h2 class="wp-block-heading" id="references"><strong>References</strong></h2>
<ul class="wp-block-list"> <li><a href="https://copy.fail/" rel="noreferrer noopener">https://copy.fail/</a></li> <li><a href="https://xint.io/blog/copy-fail-linux-distributions" rel="noopener">https://xint.io/blog/copy-fail-linux-distributions</a></li> <li><a href="https://www.openwall.com/lists/oss-security/2026/04/29/23" rel="noreferrer noopener">https://www.openwall.com/lists/oss-security/2026/04/29/23</a></li> <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-31431" rel="noreferrer noopener">https://nvd.nist.gov/vuln/detail/CVE-2026-31431</a></li> </ul>
<p class="syndicated-attribution">This is a Security Bloggers Network syndicated blog from <a href="https://www.mend.io">Mend</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Dor Hayun">Dor Hayun</a>. Read the original post at: <a href="https://www.mend.io/blog/linux-copy-fail-lpe-cve-2026-31431/">https://www.mend.io/blog/linux-copy-fail-lpe-cve-2026-31431/</a></p>
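<p>As an added example that is not part of the Mend post or of Theori’s disclosure, the four “What to do” steps above as one POSIX shell script: it classifies an upstream kernel version against the fixed releases the post names, probes whether an AF_ALG <code>aead</code> socket can still be bound from the current context (the same thing a pod or CI job would need to reach the bug; the probe does not exercise the vulnerability), and emits the modprobe drop-in and a seccomp profile that denies socket family AF_ALG (38). The function names, the file name copyfail-check.sh, the use of python3 for the probe, the <code>gcm(aes)</code> algorithm name, the seccomp architecture list and the choice of EAFNOSUPPORT (errno 97) as the refusal are this example’s own assumptions, not anything from the post.</p>

```shell
#!/bin/sh
# Added example for the "What to do" steps above; not code from the Mend post or
# from Theori. From the post: module name algif_aead, affected range 4.14 and
# later, upstream fixes 6.18.22 / 6.19.12 / 7.0. Everything else (function
# names, the probe, the profile layout, the file name copyfail-check.sh) is
# this example's own choice.

# 1. Classify an UPSTREAM version string. Distro kernels carry backports under
#    older numbers, so for those trust the vendor advisory instead. Prints
#    unaffected (before 4.14) | fixed (listed fix or later) | vulnerable (in
#    range, not known fixed) | unknown. Exit status 1 means vulnerable.
copyfail_upstream_status() {
    v=${1%%[!0-9.]*}                           # "6.8.0-45-generic" -> "6.8.0"
    case "$v" in *.*) ;; *) v="$v.0" ;; esac   # bare "7" -> "7.0"
    maj=${v%%.*}; rest=${v#*.}
    case "$maj" in ''|*[!0-9]*) echo unknown; return 2 ;; esac
    min=${rest%%.*}; min=${min:-0}
    case "$rest" in *.*) pat=${rest#*.}; pat=${pat%%.*} ;; *) pat=0 ;; esac
    pat=${pat:-0}
    if [ "$maj" -lt 4 ] || { [ "$maj" -eq 4 ] && [ "$min" -lt 14 ]; }; then
        echo unaffected; return 0
    fi
    if [ "$maj" -ge 7 ] \
       || { [ "$maj" -eq 6 ] && [ "$min" -eq 18 ] && [ "$pat" -ge 22 ]; } \
       || { [ "$maj" -eq 6 ] && [ "$min" -eq 19 ] && [ "$pat" -ge 12 ]; }; then
        echo fixed; return 0
    fi
    echo vulnerable; return 1
}

# 2. Live probe: bind() on an AF_ALG socket of type "aead" makes the kernel
#    autoload algif_aead, so success means the attack surface is open from this
#    context. The probe never touches the bug. Exit 0 = reachable, 1 = blocked or
#    absent (EAFNOSUPPORT from seccomp, ENOENT when the module cannot load),
#    2 = cannot test (no python3, or a Python without AF_ALG).
copyfail_af_alg_aead_reachable() {
    command -v python3 >/dev/null 2>&1 || return 2
    python3 - <<'EOF'
import socket, sys
if not hasattr(socket, "AF_ALG"):
    sys.exit(2)
try:
    s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
    s.bind(("aead", "gcm(aes)"))   # any aead algorithm name triggers the autoload
except OSError:
    sys.exit(1)
sys.exit(0)
EOF
}

# 3. Post's step 1: modprobe drop-in that makes any load of algif_aead run
#    /bin/false. As root:  copyfail_modprobe_dropin > /etc/modprobe.d/disable-algif.conf
#    then:  rmmod algif_aead 2>/dev/null || true
copyfail_modprobe_dropin() { printf 'install algif_aead /bin/false\n'; }

# The drop-in cannot help when algif_aead is compiled into the kernel image.
# Assumes the usual config / modules.builtin paths. 0 = built in, nonzero = module or unknown.
copyfail_algif_aead_builtin() {
    k=$(uname -r)
    grep -qs '^CONFIG_CRYPTO_USER_API_AEAD=y' "/boot/config-$k" && return 0
    grep -qs 'algif_aead' "/lib/modules/$k/modules.builtin"
}

# 4. Post's step 2: OCI/Kubernetes seccomp profile refusing socket() for family
#    AF_ALG (38) with EAFNOSUPPORT (97). Merge the "syscalls" entry into your
#    runtime's default profile: on its own, defaultAction ALLOW drops every other
#    restriction that profile gives you. Architecture list: adjust to your fleet.
copyfail_seccomp_profile() {
    cat <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [ {
    "names": ["socket"], "action": "SCMP_ACT_ERRNO", "errnoRet": 97,
    "args": [ { "index": 0, "value": 38, "op": "SCMP_CMP_EQ" } ]
  } ]
}
EOF
}

# 5. Node-level triage in one call; run on every node, since image scanners do
#    not see the host kernel. Exit status is the probe result (0 = still exposed).
copyfail_report() {
    k=$(uname -r)
    st=$(copyfail_upstream_status "$k") || true
    printf 'kernel %s: upstream status %s (distro kernel? check vendor advisory)\n' "$k" "$st"
    copyfail_algif_aead_builtin && echo 'algif_aead is built in: blacklist will not help, update the kernel'
    copyfail_af_alg_aead_reachable && rc=0 || rc=$?
    case $rc in
        0) echo 'AF_ALG aead reachable from here: mitigation NOT in effect' ;;
        1) echo 'AF_ALG aead blocked or absent here' ;;
        *) echo 'could not probe AF_ALG (need python3 with AF_ALG support)' ;;
    esac
    return $rc
}

# Run the report when executed as a script; sourcing the file only defines the functions.
case "$0" in *copyfail-check.sh) copyfail_report ;; esac
```

<p>Run it as <code>sh copyfail-check.sh</code> on each node before and after applying the drop-in: the probe should flip from reachable to blocked, and if it reports algif_aead as built in, the blacklist step is not an option and only the kernel update closes the path. For Kubernetes, save the profile under the kubelet’s seccomp root (by default /var/lib/kubelet/seccomp/) and reference it from the pod’s securityContext with <code>seccompProfile: {type: Localhost, localhostProfile: &lt;path relative to that root&gt;}</code>; merge the socket rule into your runtime’s default profile rather than replacing it, because a profile whose defaultAction is SCMP_ACT_ALLOW gives up every other restriction the default provides.</p>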