A severe vulnerability has been identified in the Linux kernel under the reference CVE-2026-31431, nicknamed “Copy Fail”. It allows a local user without special privileges to deterministically obtain root rights. Public proof-of-concept code exists and active exploitation has been confirmed.
Technical details
The flaw lies in the algif_aead module, which exposes authenticated encryption (AEAD) operations via AF_ALG sockets. In in-place processing mode, when source and destination buffers share the same memory structures, the authencesn(hmac(sha256),cbc(aes)) algorithm performs an uncontrolled 4-byte write beyond the declared output region, directly into kernel page cache pages.
This out-of-bounds write allows corruption of the in-memory view of readable files — without modification on disk — such as /usr/bin/su or /etc/passwd, leading to privilege escalation to root.
- Type: CWE-669 — incorrect resource transfer between memory spheres
- Vector: local, low complexity, no user interaction
- CVSS v3.1 score: 7.8 (High)
- Full vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected systems
Linux kernels compiled between 2017 and April 2026 are potentially vulnerable. The main affected distributions:
| Distribution | Affected versions |
|---|---|
| Ubuntu | 20.04, 22.04, 24.04 |
| Debian | 11, 12, 13 |
| Red Hat / RHEL | 8, 9, 10, 10.1 |
| Amazon Linux | 2023 |
| SUSE / openSUSE | 16 |
| Arch, Fedora, Rocky, AlmaLinux | Recent versions |
Ubuntu 26.04 and kernels ≥ 6.18.22, ≥ 6.19.12 or ≥ 7.0 are not affected.
Remediation steps
1. Update the kernel (priority action)
Apply the fixed versions as soon as possible:
- Linux kernel ≥ 6.18.22
- Linux kernel ≥ 6.19.12
- Linux kernel ≥ 7.0
Patches are available on kernel.org and via distribution update channels.
2. Temporary mitigation
If the patch cannot be applied immediately, disable the algif_aead module:
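```
# Run as root. Make any future load request for algif_aead fail.
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
# Unload the module if it is currently loaded; ignore the error if it is not.
rmmod algif_aead 2>/dev/null || true
```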
3. Containerised environments
For Kubernetes clusters and CI/CD environments: block AF_ALG socket creation via a seccomp policy, even on systems not yet patched.
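To verify the three remediation steps above on a host or from inside a container, the following added example (not code from the sources cited on this page) classifies the running kernel against the fixed versions listed here, looks for the algif_aead module and the modprobe override, and checks whether AF_ALG socket creation is still permitted. The function names are illustrative, and the probe assumes Linux, where AF_ALG is address family 38.

```python
import errno, glob, platform, re, socket

# Fixed releases as listed on this page: 6.18.22, 6.19.12, and 7.0 onward.
FIXED_PATCH = {(6, 18): 22, (6, 19): 12}
FIXED_FROM = (7, 0)

def kernel_status(release):
    """Classify a `uname -r` string against the page's version thresholds."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        return "unknown"
    series, patch = (int(m[1]), int(m[2])), int(m[3] or 0)
    if series >= FIXED_FROM or patch >= FIXED_PATCH.get(series, float("inf")):
        return "fixed"
    # Distribution kernels can carry a backported fix under an older number,
    # so confirm this result against the vendor advisory.
    return "potentially-affected"

def module_loaded(proc_modules):
    """True if /proc/modules content lists algif_aead as loaded."""
    return any(l.split()[:1] == ["algif_aead"] for l in proc_modules.splitlines())

def install_override(conf_text):
    """True if modprobe config contains the page's `install ... /bin/false` line."""
    for line in conf_text.splitlines():
        if line.split("#", 1)[0].split() == ["install", "algif_aead", "/bin/false"]:
            return True
    return False

def af_alg_errno():
    """Try to create (and immediately close) an AF_ALG socket.
    Returns None if creation is allowed, else the errno name, for example
    EPERM when a seccomp filter denies the call."""
    try:
        socket.socket(getattr(socket, "AF_ALG", 38), socket.SOCK_SEQPACKET).close()
        return None
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))

def read(path):
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""

if __name__ == "__main__":
    conf = "\n".join(read(p) for p in glob.glob("/etc/modprobe.d/*.conf"))
    print("kernel:", platform.release(), kernel_status(platform.release()))
    print("algif_aead loaded:", module_loaded(read("/proc/modules")))
    print("install override present:", install_override(conf))
    print("AF_ALG socket():", af_alg_errno() or "allowed")
```

Run it once on the node and once inside a representative container: the socket probe reflects the seccomp policy of the process that runs it, not of the host as a whole.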
Priorities
This vulnerability has been listed in the CISA KEV (Known Exploited Vulnerabilities) catalogue since 1 May 2026 with a remediation deadline of 15 May 2026. Kubernetes nodes, multi-user servers and continuous integration environments must be treated as a priority.
Heavy Mind managed IT clients
Servers under a Heavy Mind managed IT contract received immediate attention. Patches have been deployed across all affected environments — no action required on your end.
Not a managed IT client?
We can support you on this vulnerability — and beyond. Heavy Mind offers:
- Linux server audit: inventory of exposed kernels, attack surface analysis and verification of mitigations in place
- Patch deployment: controlled kernel update rollout with regression testing
- Monitoring setup: proactive detection of future critical vulnerabilities across your server fleet
Let's talk about your needs and build the right solution together.
Sources: NVD / NIST · CERT-EU Advisory 2026-005 · Cyberveille Santé