
Copy Fail: The Linux Flaw That Gives Any User Root

Dracode · security · linux · infrastructure · developer-tools

What Copy Fail Actually Does

CVE-2026-31431, publicly disclosed April 29, is a local privilege escalation flaw in the Linux kernel that lets an unprivileged user become root. No race conditions, no special capabilities, no kernel modules required. A 732-byte Python script runs on essentially every Linux distribution built since 2017 and hands the attacker a root shell.

The vulnerability lives in algif_aead, the kernel module that exposes AEAD (authenticated encryption with associated data) operations to userspace through the AF_ALG socket interface. When you pair an AF_ALG socket with splice(), the kernel places page-cache pages directly into a writable scatter-gather list as an in-place optimization introduced in 2017 (commit 72548b093ee3). The result: an unprivileged process can write four controlled bytes to any readable page in the system’s page cache — including the in-memory copy of a setuid binary like /usr/bin/su.

Why 732 Bytes Is Enough

The exploit is deterministic. It doesn’t race anything or bet on kernel ASLR positions. The target is the page cache itself, which backs in-memory copies of files.

When a process requests the authencesn(hmac(sha256),cbc(aes)) algorithm template over AF_ALG, the kernel’s scatter-gather logic oversteps the intended output buffer and writes four bytes into the chained page-cache page of any readable file. The attacker targets a setuid binary, overwrites a critical byte in its in-memory copy, and runs it. Because execve is served from the page cache, the next execve of that binary uses the modified version — with the SUID bit still set.

The upstream fix (mainline commit a664bf3d603d, merged April 1) simply reverts the 2017 in-place optimization. The bug was present for nine years before discovery, which is why CISA added it to their Known Exploited Vulnerabilities catalog on May 4 with a May 15 remediation deadline for federal agencies.

The Cloud and Container Blast Radius

On a traditional server the threat model is clear: any shell access — a web shell in a compromised app, a misconfigured SSH key, an RCE in a background service — can immediately escalate to root. In cloud and container environments it gets worse.

The page cache is shared across containers on the same host. Microsoft’s security team ran a detailed analysis and concluded the vulnerability “allows unauthorized escalation of privileges to root, impacting a significant portion of cloud Linux workloads and millions of Kubernetes clusters.” A process inside a container that achieves local code execution can target setuid binaries within the container filesystem, then use the resulting root privileges to escape to the host.

Copy Fail doesn’t provide remote code execution by itself — it amplifies whatever foothold an attacker already has. Microsoft’s guidance is pointed: “Treat any container RCE as potential host compromise and enforce rapid node recycling after compromise indicators.”

Affected Systems and Patch Status

Every Linux kernel from version 4.14 (2017) through 6.19.12 is affected. That spans essentially every production Linux workload running today.

Patch status as of May 7:

  • Ubuntu: Fixes available via sudo apt update && sudo apt upgrade. The Ubuntu Security Team also released an interim kmod package that disables the affected module without requiring a reboot. Ubuntu 26.04 (Resolute) ships an unaffected kernel.
  • Debian: Patched in kernel 6.12.85-1 (Trixie) and 6.1.170-1 (Bookworm) via the security repository.
  • RHEL / AlmaLinux / Rocky Linux: AlmaLinux published patched kernels using the upstream revert. Red Hat lists the CVE on their security tracker; check dnf updateinfo list security for your release.
  • Amazon Linux 2023 / SUSE 16 / Fedora / Arch: All affected — monitor your distro’s security channel.

Mitigation If You Cannot Patch Today

On Debian and Ubuntu, a modprobe rule blocks the vulnerable module until you can reboot into a patched kernel:

echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
sudo rmmod algif_aead 2>/dev/null || true

On RHEL-family systems where algif_aead is compiled directly into the kernel (CONFIG_CRYPTO_USER_API_AEAD=y), this modprobe approach does nothing — the module cannot be unloaded. Your only reliable mitigations there are patching, or restricting shell access as aggressively as possible: no untrusted code execution, containerized workloads with read-only root filesystems, and seccomp profiles that block AF_ALG socket creation.
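The blacklist rule only helps when algif_aead is a loadable module, so the first thing to establish on a given host is which of the two cases above applies. The check below is an added example (Python, not code from the post or any distribution): it reads /proc/modules and the running kernel's config to pick the right stopgap, and for the built-in case emits a Docker/containerd-style seccomp profile that denies socket(AF_ALG). The sample inputs are constructed; the file paths and config symbol are the standard Linux ones.

```python
import json
import os
import platform
import re

AF_ALG = 38                                  # address family behind algif_aead
MODPROBE_RULE = "install algif_aead /bin/false"

def aead_api_config(kernel_config: str) -> str:
    """'y' = built in, 'm' = loadable module, 'n' = not compiled, read from /boot/config-* text."""
    m = re.search(r"^CONFIG_CRYPTO_USER_API_AEAD=([ym])$", kernel_config, re.M)
    return m.group(1) if m else "n"

def module_loaded(proc_modules: str) -> bool:
    """True when algif_aead is listed in /proc/modules (module name is the first column)."""
    return any(l.split()[0] == "algif_aead" for l in proc_modules.splitlines() if l.strip())

def plan(proc_modules: str, kernel_config: str) -> list:
    """Stopgap steps for this host; patching the kernel remains the real fix in every case."""
    cfg = aead_api_config(kernel_config)
    if cfg == "n":
        return ["AEAD userspace API not compiled in: nothing to disable"]
    if cfg == "y":
        # Built in: no module to blacklist or unload, so constrain socket(AF_ALG) per workload.
        return ["built in: modprobe rule is ineffective", "deny AF_ALG via seccomp until patched"]
    steps = [f"write '{MODPROBE_RULE}' to /etc/modprobe.d/disable-algif.conf"]
    if module_loaded(proc_modules):
        steps.append("rmmod algif_aead (fails if a process still holds it; reboot then)")
    return steps

def seccomp_deny_af_alg() -> dict:
    """Seccomp profile in the Docker/containerd JSON schema: socket(AF_ALG, ...) fails with
    EPERM, everything else is allowed. Merge the rule into your baseline profile in practice."""
    return {"defaultAction": "SCMP_ACT_ALLOW",
            "syscalls": [{"names": ["socket"], "action": "SCMP_ACT_ERRNO",
                          "args": [{"index": 0, "value": AF_ALG, "op": "SCMP_CMP_EQ"}]}]}

# Constructed sample inputs so the script runs offline (not captured from a real host).
SAMPLE_MODULES = "algif_aead 16384 0 - Live 0xffffffffc0a00000\naf_alg 32768 1 algif_aead, Live 0xffffffffc09f0000\n"
SAMPLE_CONFIG_MODULE = "CONFIG_CRYPTO_USER_API=m\nCONFIG_CRYPTO_USER_API_AEAD=m\n"
SAMPLE_CONFIG_BUILTIN = "CONFIG_CRYPTO_USER_API=y\nCONFIG_CRYPTO_USER_API_AEAD=y\n"

if __name__ == "__main__":
    config_path = f"/boot/config-{platform.release()}"
    modules = open("/proc/modules").read() if os.path.exists("/proc/modules") else SAMPLE_MODULES
    config = open(config_path).read() if os.path.exists(config_path) else SAMPLE_CONFIG_MODULE
    for step in plan(modules, config):
        print(step)
    if aead_api_config(config) == "y":
        print(json.dumps(seccomp_deny_af_alg(), indent=2))
```

The argument filter assumes socket(2) is a direct syscall (x86_64, arm64); 32-bit x86 multiplexes through socketcall, where the first argument is not the address family.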

For detection, Microsoft Defender surfaces Exploit:Python/CopyFail.A and Behavior:Linux/CVE-2026-31431. For non-Defender environments, watch for unexpected AF_ALG socket creation by non-privileged processes and any su or sudo execution immediately following a splice() call chain from an unexpected parent process.
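The two non-Defender watch items above, implemented over auditd records as an added example (not code from the post and not Microsoft's detection logic). It assumes x86_64 syscall numbers, auditd's SYSCALL record format with a0..a3 in hex, and a five-second window between a splice() and a following su/sudo exec; the log lines are constructed samples.

```python
import re

# Standard x86_64 syscall numbers and the AF_ALG constant; audit prints a0..a3 in hex.
SYS_SOCKET, SYS_EXECVE, SYS_SPLICE = 41, 59, 275
AF_ALG = 38                          # shows up as a0=26 in a socket() record
EXEC_WINDOW_S = 5.0                  # su/sudo exec this soon after splice() is suspicious
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """One auditd record -> dict of key=value fields plus ts (epoch seconds from msg=audit(...))."""
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = re.search(r"audit\((\d+\.\d+):\d+\)", line)
    rec["ts"] = float(m.group(1)) if m else 0.0
    return rec

def findings(lines):
    """(finding, pid) pairs for the two behaviours the post names; non-SYSCALL records are skipped."""
    out, last_splice = [], {}        # last_splice: pid -> time of that pid's latest splice()
    for rec in map(parse, lines):
        if rec.get("type") != "SYSCALL":
            continue
        sc, uid, pid = int(rec["syscall"]), int(rec.get("uid", -1)), rec.get("pid")
        if sc == SYS_SOCKET and int(rec.get("a0", "0"), 16) == AF_ALG and uid != 0:
            out.append(("af_alg_socket_unprivileged", pid))   # non-root process opened AF_ALG
        elif sc == SYS_SPLICE:
            last_splice[pid] = rec["ts"]
        elif sc == SYS_EXECVE and rec.get("exe", "").rsplit("/", 1)[-1] in ("su", "sudo"):
            # the splicing process may exec su itself or fork a child that does
            for cand in (pid, rec.get("ppid")):
                if cand in last_splice and rec["ts"] - last_splice[cand] <= EXEC_WINDOW_S:
                    out.append(("su_after_splice", pid))
                    break
    return out

# Constructed sample records, not real captures; a ruleset such as
#   -a always,exit -F arch=b64 -S socket,splice,execve -k copyfail
# would yield records of this shape.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1778000000.100:201): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1200 pid=1337 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.12" key="copyfail"',
    'type=SYSCALL msg=audit(1778000000.300:202): arch=c000003e syscall=275 success=yes exit=4 a0=4 a1=0 a2=5 a3=0 items=0 ppid=1200 pid=1337 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.12" key="copyfail"',
    'type=EXECVE msg=audit(1778000000.900:203): argc=1 a0="su"',
    'type=SYSCALL msg=audit(1778000000.900:203): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd1c2b3e40 a1=7ffd1c2b3f00 a2=7ffd1c2b3f10 a3=0 items=2 ppid=1337 pid=1340 auid=1000 uid=1000 gid=1000 euid=0 comm="su" exe="/usr/bin/su" key="copyfail"',
    'type=SYSCALL msg=audit(1778000001.000:204): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="kcapi-speed" exe="/usr/bin/kcapi-speed" key="copyfail"',
    'type=SYSCALL msg=audit(1778000001.100:205): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 items=0 ppid=1 pid=950 auid=1000 uid=1000 gid=1000 euid=1000 comm="curl" exe="/usr/bin/curl" key="copyfail"',
]

if __name__ == "__main__":
    for kind, pid in findings(SAMPLE_LOG):
        print(f"{kind}: pid {pid}")
```

Root-owned AF_ALG users (the kcapi-speed sample) and ordinary AF_INET sockets are deliberately not flagged, which is where most of the noise in a naive socket() rule comes from.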

What This Means for the Products We Ship

Copy Fail is the most concrete argument this year for keeping your Linux patch SLA under 24 hours for CISA KEV entries, not 14 days. Nine years from introduction to disclosure is a long time for a bug that trivially elevates any authenticated user to root.

The apps we build and ship run on managed cloud infrastructure where kernel patching is largely the provider’s responsibility. But the APIs and background services that power those apps frequently run on self-managed Linux VMs or Kubernetes nodes — and that’s where this bites. Our standing practice is to reboot into patched kernels within 24 hours of a CISA KEV listing. Copy Fail is the case study for why that cadence exists.

If you’re running infrastructure for a mobile product and want a second opinion on your exposure, we’re easy to reach.

Sources

  1. Copy Fail: 732 Bytes to Root on Every Major Linux Distribution — Xint, April 29, 2026
  2. CVE-2026-31431: Copy Fail vulnerability enables Linux root privilege escalation across cloud environments — Microsoft Security Blog, May 1, 2026
  3. Fixes available for CVE-2026-31431 (Copy Fail) Linux Kernel Local Privilege Escalation Vulnerability — Ubuntu Security, 2026
  4. US government warns of severe CopyFail bug affecting major versions of Linux — TechCrunch, May 4, 2026
  5. Copy Fail (CVE-2026-31431) Patches Released — AlmaLinux, May 1, 2026