Copy Fail bug lets local users gain root on Linux

Local users can gain root on Amazon Linux, RHEL, SUSE, Ubuntu and Debian via Copy Fail (CVE-2026-31431), a kernel algif_aead bug that corrupts the page cache of setuid binaries.

Researchers at Xint.io and Theori disclosed Copy Fail, tracked as CVE-2026-31431, a high-severity Linux kernel flaw in the algif_aead cryptographic module. The issue carries a CVSS score of 7.8 and allows an unprivileged local user to corrupt the page cache of setuid binaries and escalate to root on many distributions.

The bug traces to a logic change introduced in an August 2017 kernel commit. An in-place optimization in algif_aead can place a page-cache page in the kernel’s writable destination scatterlist for an AEAD operation submitted over an AF_ALG socket. An unprivileged process that opens an AF_ALG socket and drives splice() into that socket can then write four controlled bytes into the page cache of any file it is able to read, even one it has no permission to modify on disk.

The researchers demonstrated a working exploit implemented as a 732-byte Python script. The exploit opens an AF_ALG socket, constructs a small payload, triggers a targeted write into the kernel’s cached copy of a setuid program such as /usr/bin/su, and then calls execve on the modified binary to run code as root. The vulnerability requires local access and is not remotely exploitable on its own.

Because the Linux page cache is shared across processes on a host, the same technique can affect containerized workloads and break container isolation when the host kernel is unpatched. The researchers noted the primitive does not rely on race conditions or leaking kernel offsets, which makes exploitation consistent across many kernel versions and distributions.

Major Linux vendors have published advisories and updates addressing the flaw, including Amazon Linux, Debian, Red Hat Enterprise Linux, SUSE and Ubuntu. System administrators are advised to apply vendor patches and follow official guidance for affected releases.

Bugcrowd researcher David Brumley compared Copy Fail to Dirty Pipe, calling it “the same class of primitive, in a different subsystem.” A Xint.io spokesperson described the vulnerability as “portable, tiny, stealthy, and cross-container.” Researchers added that any local account can leverage the flaw to escalate to full administrative privileges and bypass sandboxing protections if systems remain unpatched.
