A flaw in the Linux kernel present since 2017 allows a local user to gain root access on virtually every major Linux distribution. A public exploit is available and reported to work reliably.
Key Takeaways
- CVE-2026-31431 is a high severity local privilege escalation vulnerability in the Linux kernel reportedly affecting virtually every major distribution released since 2017.
A public exploit is available and reported to be reliable, drawing comparisons to previous high-profile Linux kernel privilege escalation flaws.
Patched kernel versions are available, though some major distributions have not yet shipped updates.
Background
Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding CVE-2026-31431, a Linux kernel local privilege escalation vulnerability dubbed “Copy Fail.”
FAQ
When was Copy Fail first disclosed? On March 23, researcher Taeyang Lee of Theori reported the vulnerability to the Linux kernel security team. The flaw was discovered in part using Theori’s AI-assisted security scanning tool, Xint Code. A mainline patch was committed on April 1, CVE-2026-31431 was assigned on April 22 and public disclosure occurred on April 29. What is CVE-2026-31431? CVE-2026-31431 is a local privilege escalation vulnerability in the Linux kernel’s cryptographic subsystem. It was assigned a CVSSv3 score of 7.8.
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2026-31431 | Linux Kernel Local Privilege Escalation Vulnerability | 7.8 |
The flaw allows a local user to modify the kernel’s cached copy of a file in memory without changing the file on disk. By targeting a privileged binary, an attacker can gain root access. Because the modification exists only in the page cache, the underlying file on disk remains unchanged. Standard disk forensics would not detect the alteration, and clearing memory through a reboot or resource pressure causes the cache to reload from the original file. For a detailed technical breakdown, refer to the Xint Code blog post.
Everyone focuses on memory corruption bugs in the Linux kernel, but we shouldn’t overlook logical bugs. t.co/PrSI435i35, 5unkn0wn (@5unKn0wn) April 30, 2026 How does Copy Fail compare to Dirty Cow and Dirty Pipe? Copy Fail has drawn comparisons to two other well-known Linux kernel privilege escalation vulnerabilities: Dirty Cow (CVE-2016-5195) and Dirty Pipe (CVE-2022-0847). Both are in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. Dirty Cow relied on a race condition, which meant exploitation could fail or require multiple attempts. Dirty Pipe had constraints around how data could be written and where in a file it could be modified. Copy Fail reportedly works consistently across distributions without relying on a race condition or write-position constraints. How severe is CVE-2026-31431? Any local user on a system running a vulnerable kernel can exploit this flaw to gain root access. The exploit uses kernel features that are enabled by default on most distributions and does not require special privileges or configuration. The highest risk environments are those where multiple users or workloads share a Linux kernel: cloud and multi-tenant systems, container clusters and CI/CD pipelines that run untrusted code. Because the exploit targets the kernel’s shared file cache, it can also cross container boundaries. On single-user systems, the risk is lower since an attacker would already need local access. Which Linux distributions are affected? Any Linux distribution shipping kernel 4.14 or later is affected. The vulnerability was introduced in 2017 and persisted across nearly a decade of kernel releases. Distribution patch status as of April 30:
Distribution Patch Status Ubuntu Patching SUSE Patching Red Hat Patching Debian Vulnerable Amazon Linux Vulnerable Arch Linux Patched Is there a proof-of-concept (PoC) available? Yes. A public PoC was released on GitHub alongside the disclosure. The exploit is a short Python script that modifies a privileged binary in memory and then executes it to obtain root. It is reported to work reliably without requiring multiple attempts or precise timing. Are there other vulnerabilities related to Copy Fail? According to Theori, the same research effort that uncovered Copy Fail found additional security flaws in the kernel, at least one of which is also a privilege escalation issue. Those findings remain under coordinated disclosure. This blog will be updated if and when additional information becomes available. Are patches or mitigations available? Patched kernel versions have been released:
Affected Kernel Version Range Fixed Kernel Version 4.14 N/A 5.10.* 5.10.254 5.15.* 5.15.204 6.1.* 6.1.170 6.6.* 6.6.137 6.12.* 6.12.85 6.18.* 6.18.22 6.19.12 6.19.12 >7.0 7.0 The fix removes the 2017 optimization that allowed the vulnerability, restoring a safer separation between read and write operations in the kernel’s crypto interface. For systems where an immediate kernel update is not feasible, two workarounds are available depending on kernel configuration. If the module is loaded dynamically (CONFIG_CRYPTO_USER_API_AEAD=m):
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf rmmod algif_aead 2>/dev/null -- trueIf the module is compiled into the kernel (CONFIG_CRYPTO_USER_API_AEAD=y), which is the case on some enterprise kernels, the above will not work. Contributors on the oss-security mailing list have reported that adding the following to the kernel boot parameters and rebooting blocks the exploit:
initcall_blacklist=algif_aead_initDiscussion on the oss-security mailing list has also identified several userspace applications that use the affected kernel interface, including but not limited to, cryptsetup and firefox-esr. In practice, initial testing by contributors on the thread has not caused these applications to fail, but the impact may vary by workload. Testing in a non-production environment before deploying either workaround is advisable. Historical exploitation of Linux kernel vulnerabilities The Linux kernel has a long history as a target for privilege escalation attacks. CISA’s KEV catalog contains over 20 entries for Linux kernel flaws, including the two flaws most commonly compared to Copy Fail:
CVE Description Date Added to KEV Known Ransomware Use CVE-2016-5195 Linux Kernel Race Condition (Dirty Cow) 2022-03-03 Unknown CVE-2022-0847 Linux Kernel Improper Initialization (Dirty Pipe) 2022-04-25 Unknown As of April 30, CVE-2026-31431 is not listed in the KEV catalog. Has Tenable Research classified this as part of Vulnerability Watch? Yes, we classified CVE-2026-31431 as a Vulnerability of Interest under Vulnerability Watch due to the availability of a public proof-of-concept exploit and historical exploitation of similar Linux kernel vulnerabilities like Dirty Cow and Dirty Pipe that were exploited in the wild. Has Tenable released any product coverage for this vulnerability? A list of Tenable plugins for this vulnerability can be found on the CVE-2026-31431 page as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Get more information
Copy Fail Advisory Xint Code Blog: Copy Fail Linux Distributions The Register: Linux Cryptographic Code Flaw oss-security: CVE-2026-31431 Disclosure Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community. Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
First seen on securityboulevard.com
Jump to article: securityboulevard.com/2026/04/copy-fail-cve-2026-31431-frequently-asked-questions-about-linux-kernel-privilege-escalation-vulnerability/
