Hopp til innhald
Publisert: 5. mai 2026
~8 min lesing

Copy Fail (CVE-2026-31431): Nine-Year-Old Linux Flaw Gives Anyone Root

A logic flaw in the Linux kernel's cryptography layer, introduced in 2017 and discovered by an AI code scanner, lets any unprivileged user escalate to root on virtually every Linux system running today. The exploit is public, the proof of concept is 732 bytes, and all major distributions are affected — including Kubernetes nodes and AKS clusters.

What is the bug?

Copy Fail (CVE-2026-31431) is a logic flaw in the algif_aead module of the Linux kernel — the component that exposes cryptographic operations to userspace programs via the AF_ALG socket interface. The flaw was introduced by a memory optimization in 2017 and went undetected for nine years [1].

The mechanism is precise: when the kernel runs the authencesn(hmac(sha256),cbc(aes)) template and userspace feeds data through splice(), the kernel sets source and destination to the same memory address (req->src = req->dst). This causes page cache pages from any readable file to be chained into the output scatterlist. The algorithm then writes four bytes of scratch data into those pages — directly into the kernel’s in-memory copy of the file [2].

The critical point: nothing changes on disk. The file appears untouched to all file integrity monitoring tools. Only the in-memory copy held by the kernel is overwritten. If an attacker targets a setuid binary — such as su, sudo, or passwd — and injects shellcode into the page cache, the next privileged process to execute that binary is compromised [3].

The Theori researchers who found the flaw described the process: “Xint Code used roughly one hour and a single operator prompt to identify the flaw in the crypto/ subsystem — no custom test harness required” [1].

Who is affected?

Every Linux system running kernel 4.14 (2017) through 6.19.12 is vulnerable. This includes:

  • Ubuntu 20.04, 22.04, 24.04 LTS and earlier
  • Debian 11 Bullseye, 12 Bookworm
  • Red Hat Enterprise Linux, AlmaLinux, Rocky Linux
  • SUSE Linux Enterprise and openSUSE
  • Amazon Linux 2023
  • Arch Linux, Fedora, and most other distributions

Ubuntu 26.04 Resolute and later with kernel ≥ 6.19.13 are not affected. CISA has added CVE-2026-31431 to its Known Exploited Vulnerabilities (KEV) catalogue and ordered US federal civilian agencies to patch by 15 May 2026 [2].

Risk and impact

The CVSS score is 7.8 (High). This is a local privilege escalation (LPE): an attacker first needs code execution on the system — for example as an unprivileged web server user, via a compromised SSH key, or through a vulnerable web application. From there, reaching root is trivial.

The public proof of concept (copy_fail_exp.py) is 10 lines of Python and 732 bytes. A C port also exists. The exploit is deterministic — no race conditions, no timing dependencies [1]. Reliable, race-free LPE of this kind is rare.

Kubernetes and AKS

Container escape is fully possible. The algif_aead module is not loaded by default on AKS nodes, but kernel module autoloading pulls it in automatically when any process opens an AF_ALG socket of type AEAD — including from an unprivileged container. The attack chain:

  1. Attacker gains code execution in a pod (via an application vulnerability)
  2. Code opens an AF_ALG socket → kernel autoloads algif_aead
  3. splice() attacks run → host node page cache is manipulated
  4. Attacker escalates to root on the node
  5. Node root grants access to all other pods, secrets, and kubelet credentials

For AKS, affected node images include Ubuntu 20.04 FIPS, Ubuntu 22.04, and Ubuntu 24.04, as well as Azure Linux 3.0. Azure Linux 2.0 (Mariner) and Windows node pools are not affected [4] [6].

Upgrade the node image (recommended):

az aks nodepool upgrade \
  --resource-group <resource-group> \
  --cluster-name <cluster-name> \
  --name <nodepool-name> \
  --node-image-only

This is a rolling upgrade. Nodes with correct PodDisruptionBudget configurations will not drop traffic. Nodes already on image version 202604.24.0 or later have automatically received the mitigation via Custom Script Extension (CSE) [6].

A self-service mitigation DaemonSet for existing nodes that cannot be reimaged immediately is available in AKS advisory #5753 on GitHub.

For self-managed Kubernetes clusters, apply the same kernel patch procedure as for regular Linux servers.

dotnet publish and Chiseled containers

dotnet publish infers Ubuntu as the default base image for container builds. For .NET 9 and .NET 10 this is typically mcr.microsoft.com/dotnet/aspnet:X.0-noble (Ubuntu 24.04). That image runs on the host kernel — and if the host kernel is vulnerable, container escape is possible as described above [7].

Switching to Ubuntu Chiseled images does not directly protect against Copy Fail, since the flaw lives in the host kernel, not the container image. But Chiseled reduces the attack surface in two meaningful ways:

Harder initial access. Chiseled images contain only the packages .NET actually needs — no shell (bash, sh), no package manager, no setuid binaries, and no Python interpreter. This makes it significantly harder for an attacker to gain a usable foothold and run the exploit.

Fewer vulnerabilities overall. A full Ubuntu image pulls in several hundred packages. Each is a potential entry point. Chiseled removes almost all of them, dramatically reducing CVE exposure.

Set the base image in the project file:

<PropertyGroup>
  <ContainerBaseImage>mcr.microsoft.com/dotnet/aspnet:9.0-noble-chiseled</ContainerBaseImage>
</PropertyGroup>

Or directly on the command line:

dotnet publish --os linux --arch x64 /t:PublishContainer \
  -p ContainerBaseImage=mcr.microsoft.com/dotnet/aspnet:9.0-noble-chiseled

If the application requires globalization (ICU), time zones, or stdc++, use the chiseled-extra variant:

dotnet publish --os linux --arch x64 /t:PublishContainer \
  -p ContainerBaseImage=mcr.microsoft.com/dotnet/aspnet:9.0-noble-chiseled-extra

chiseled-extra is still far leaner than full Ubuntu, but adds icu, tzdata, and stdc++ for applications that depend on them [7].

Am I affected?

Check your kernel version:

uname -r

Versions between 4.14 and 6.19.12 are vulnerable. Check whether the module is currently loaded:

grep -qE '^algif_aead ' /proc/modules \
  && echo "VULNERABLE: module is loaded" \
  || echo "Module not loaded (can still be autoloaded)"

On RHEL-based distributions, algif_aead is compiled into the kernel (CONFIG_CRYPTO_USER_API_AEAD=y) and will not appear in /proc/modules, but it is still active [5].

How to patch

Step 1 — Interim workaround (Debian/Ubuntu, not RHEL):

echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
sudo rmmod algif_aead 2>/dev/null || true

This does not affect dm-crypt/LUKS, kTLS, IPsec, OpenSSL, GnuTLS, or SSH [3].

On RHEL/AlmaLinux/Rocky the modprobe workaround does not work because the module is built into the kernel. Use the grubby approach from your distribution’s advisory, or update the kernel directly.

Step 2 — Permanent fix: update the kernel:

# Debian / Ubuntu
sudo apt update && sudo apt full-upgrade

# RHEL / AlmaLinux / Rocky
sudo dnf update kernel

# Arch
sudo pacman -Syu linux

Reboot and confirm the new kernel with uname -r.

Have I already been compromised?

Because the exploit only modifies the page cache and not the on-disk file, classic file integrity monitoring tools such as AIDE or Tripwire will not detect an attack. Active detection is required.

Check for AF_ALG activity in system logs:

sudo journalctl -g "AF_ALG\|algif_aead\|splice" --since "2026-04-29" | head -50

Compare page cache against disk for setuid binaries:

The IOC toolkit from researcher “kadir” automates this:

git clone https://github.com/kadir/copy-fail-CVE-2026-31431-IOC
cd copy-fail-CVE-2026-31431-IOC
sudo python3 copyfail_detector.py

The tool uses eBPF to monitor AF_ALG socket activity and reads the page cache directly via procfs, comparing it against the known on-disk hash of each setuid binary [2].

YARA rules for known exploit artefacts are available in Neo23x0’s signature-base collection under expl_copy_fail_cve_2026_31431.yar.

Also check for unexpected setuid files with a recent ownership change:

find /usr /bin /sbin -perm -4000 -newer /var/log/dpkg.log 2>/dev/null

An unpatched server or node accessible to unprivileged users should be treated as potentially compromised until proven otherwise.


C1 [1] Theori / Xint, “Copy Fail: 732 Bytes to Root on Every Major Linux Distribution”, Xint.io, 29 April 2026. Original technical disclosure including PoC code and attack description.

B1 [2] I. Arghire, “Nine-year-old Linux kernel flaw enables reliable local privilege escalation (CVE-2026-31431)”, Help Net Security, 30 April 2026. Summary of technical details, CISA KEV status, and scope.

A1 [3] CERT-EU, “High Vulnerability in the Linux Kernel (‘Copy Fail’)”, CERT-EU Security Advisory 2026-005, 30 April 2026. Authoritative advisory with mitigation commands.

A2 [4] Microsoft Security Response Center, “CVE-2026-31431: Copy Fail vulnerability enables Linux root privilege escalation across cloud environments”, Microsoft Security Blog, 1 May 2026. Analysis of cloud exposure and Kubernetes risk.

A2 [5] Ubuntu Security Team, “Fixes available for CVE-2026-31431 (Copy Fail)”, Ubuntu Blog, 1 May 2026. Official patch instructions and explanation of the RHEL built-in module issue.

A2 [6] AKS Engineering, “CVE-2026-31431 (Copy Fail) — AKS Advisory & Mitigation Guide”, GitHub Azure/AKS #5753, 1 May 2026. Official AKS advisory with DaemonSet mitigation and node pool upgrade commands.

A2 [7] Microsoft / Canonical, ”.NET Ubuntu Chiseled container images”, dotnet/dotnet-docker, 2026. Documentation for Chiseled and chiseled-extra image variants and ContainerBaseImage configuration.