CVE-2026–31431 ("Copy Fail") represents one of the most broadly exploitable Linux local privilege escalation (LPE) flaws in recent years, combining architectural reach with unusually deterministic exploitation. Affecting essentially all mainstream Linux distributions built between 2017 and early 2026, the vulnerability stems from a long-lived logic error in the kernel crypto subsystem — specifically the algif_aead interface exposed via AF_ALG sockets.

Unlike prior high-profile LPEs such as Dirty COW or Dirty Pipe, Copy Fail does not rely on race conditions, memory corruption primitives, or kernel-version-specific offsets. Instead, it exploits a flawed optimization introduced in 2017 that allows page cache–backed memory pages to be incorrectly inserted into a writable destination scatterlist during authenticated encryption operations. When combined with the splice() system call, this enables a controlled, in-place modification of page cache contents.

In practical terms, an unprivileged local user can leverage this flaw to perform a precise 4-byte write into the page cache of a setuid binary — for example /bin/su. Because the page cache is shared across processes, this modification immediately affects subsequent executions of the binary, allowing the attacker to inject code paths that yield a root shell. Crucially, the attack targets in-memory cache pages rather than the underlying filesystem, meaning no persistent file modification occurs, and traditional file integrity monitoring tools remain blind to the compromise.

A defining characteristic of Copy Fail is its operational simplicity and portability. The public proof-of-concept is a minimal 732-byte Python script using only standard library modules (os, socket, zlib), and has been demonstrated to work unmodified across distributions including Ubuntu 24.04, Amazon Linux 2023, RHEL 10, and SUSE 16. The exploit requires only a regular user account, no elevated capabilities, no special kernel configuration, and no race timing—yielding a 100% reliable privilege escalation path across a near decade-long kernel window.

The security impact is particularly acute in environments built on shared kernel trust boundaries. Multi-tenant systems — such as Kubernetes clusters, container hosting platforms, CI/CD runners, and shell-access development servers — are especially vulnerable. In these contexts, Copy Fail enables cross-container and cross-tenant escalation, effectively collapsing isolation guarantees by allowing any tenant-controlled workload to gain host-level root privileges. Similarly, SaaS platforms executing user-supplied code (e.g., notebooks, serverless runtimes, agent sandboxes) face immediate risk of full infrastructure compromise.

Even in more traditional deployments, the vulnerability materially lowers the barrier for complete system takeover. On single-tenant servers, it provides a trivial post-exploitation step following web application RCE or credential compromise. On developer workstations and laptops, while not directly enabling remote access, it ensures that any local code execution — malicious or otherwise — can escalate to full administrative control without resistance.

Mitigation is clear-cut but time-sensitive. The upstream Linux kernel patch (mainline commit a664bf3d603d) removes the unsafe in-place optimization in algif_aead, preventing page cache pages from being used as writable crypto destinations. All major distributions have begun rolling out patched kernels. Until updates are applied, administrators can effectively neutralize the attack by disabling the algif_aead module via modprobe configuration and unloading it from the running kernel. This workaround has minimal practical impact, as AF_ALG serves primarily as a userspace interface to kernel crypto and is not utilized by most standard cryptographic stacks (OpenSSL, GnuTLS, NSS, SSH, IPsec, or dm-crypt).

For defense-in-depth, especially in sandboxed or multi-tenant environments, restricting AF_ALG socket creation via seccomp policies is strongly advised, regardless of patch status.

The disclosure timeline underscores a relatively fast coordinated response: the issue was reported to the Linux kernel security team in late March 2026, patched in mainline by early April, assigned a CVE in late April, and publicly disclosed shortly thereafter. Notably, the vulnerability was identified using AI-assisted code analysis, highlighting a growing trend toward automated discovery of deep, non-obvious logic flaws in mature codebases.

In sum, Copy Fail is significant not because of exploit complexity, but because of its absence: a compact, architecture-agnostic, and fully reliable exploit against a ubiquitous kernel subsystem. It reinforces a critical shift in the threat landscape — where subtle logic errors in widely deployed primitives can yield systemic risk across the entire Linux ecosystem.