AI-Era Threat Defense: Use Deception to Expose Attackers Before They Move
Get a Demo

Vulnerabilities

CVE-2026-31431

Copy Fail Decoded: Understanding CVE-2026-31431 in the Linux Kernel

CVSS Gauge
CVSS Needle
CVSS Score: 7.8

Summary

CVE-2026-31431 (“Copy Fail”) is a Linux kernel privilege escalation flaw in AF_ALG and algif_aead. Local users can gain root by corrupting the page cache without changing disk files. A public exploit exists and works across many distributions since 2017, impacting containers, Kubernetes, and CI/CD systems. Immediate patching is recommended.

Urgent Actions Required

  • Apply vendor-issued Linux kernel patches immediately.
  • Reboot systems after patching and verify the active kernel version.
  • Restrict unnecessary local access until remediation is complete.
  • Monitor for unusual privilege escalation or root activity.
  • Apply vendor mitigations if patching is delayed.

Which Systems Are Vulnerable to CVE-2026-31431?

Technical Overview

How Does the CVE-2026-31431 Exploit Work?

The attack typically follows these steps:

CVE-2026-31431

What Causes CVE-2026-31431?

Vulnerability Root Cause: 

The vulnerability comes from faulty memory handling in Linux kernel AF_ALG, specifically algif_aead. An in-place optimization introduced in 2017 allowed cryptographic operations to improperly interact with page cache memory during splice() operations. Local attackers can write to the page cache of privileged binaries without changing disk files. By corrupting cached setuid binaries like /usr/bin/su, they can gain root access.

How Can You Mitigate CVE-2026-31431?

If immediate patching is delayed or not possible:

  • Disable the vulnerable algif_aead functionality using vendor-recommended mitigations.
  • Use boot parameters such as initcall_blacklist=algif_aead_init where supported.
  • Restrict unnecessary local access, shell access, and untrusted workloads on affected systems.
  • Limit access to shared environments such as Kubernetes worker nodes and CI/CD runners.
  • Monitor for suspicious privilege escalation activity or unexpected UID 0 transitions.
  • Audit systems for abnormal su execution, root shells, or unusual AF_ALG and splice() activity.

Which Assets and Systems Are at Risk?

  • Asset Types Affected:
    • Linux systems running vulnerable kernel versions released since 2017
    • Kubernetes worker nodes and containerized Linux environments
    • CI/CD runners and build systems executing untrusted workloads
    • Multi-tenant Linux hosts and shared virtual machine environments
  • Business-Critical Systems at Risk:
    • Kubernetes clusters hosting sensitive workloads or service account tokens
    • CI/CD infrastructure containing build secrets, signing keys, or cloud credentials
    • Shared Linux servers used by multiple users or workloads
    • Systems running privileged binaries such as su, sudo, or other setuid applications
  • Exposure Level:
    • Shared Linux environments where authenticated local access is possible
    • Container platforms where workloads share the host kernel and page cache
    • CI/CD environments running third-party or untrusted code
    • Multi-user Linux systems exposed to shell access or local execution paths

Will Patching CVE-2026-31431 Cause Downtime?

Patch application impact: Moderate downtime impact. Applying fixes requires Linux kernel updates and system reboots. Temporary service interruptions may occur during maintenance windows. Testing is recommended before production rollout.

Mitigation (if immediate patching is not possible): Temporary mitigations can reduce risk but may affect applications using kernel cryptographic functions. Options include disabling algif_aead, blocking the AF_ALG interface, unloading the module, and restricting local access until patches are applied.

How Can You Detect CVE-2026-31431 Exploitation?

Exploitation Signatures:

Look for unusual use of AF_ALG sockets together with splice() operations targeting SUID binaries such as /usr/bin/su. Monitoring for repeated su executions by unexpected parent processes may indicate exploitation activity.

MITRE ATT&CK Mapping: 

  • T1068 - Exploitation for Privilege Escalation
  • T1611 - Escape to Host

Indicators of Compromise (IOCs/IOAs):

  • Non-root users launching su through uncommon parent processes
  • Correlated execution of curl and su linked to Copy Fail PoC activity
  • Use of AF_ALG sockets with splice() system calls by unprivileged users
  • Unexpected modification of the in-memory behavior of SUID binaries without file changes on disk

Behavioral Indicators: 

  • Privilege escalation to root from standard local accounts
  • Container escape activity on shared Linux hosts
  • Execution anomalies involving su, sudo, or other privileged binaries
  • Cryptographic checksum failures or EBADMSG errors from AF_ALG operations

Alerting Strategy:

  • Priority: High
  • Trigger alerts for:
    • Unprivileged use of AF_ALG with splice()
    • Non-root execution of su from abnormal parent processes
    • Concurrent curl and su activity associated with known PoC behavior
    • Suspicious privilege escalation or container breakout events

Remediation & Response

  • Remediation Timeline:
    • Immediate: Apply temporary mitigations such as disabling algif_aead or blocking the AF_ALG interface.
    • As soon as possible: Deploy vendor-issued Linux kernel updates and reboot affected systems.
    • After patching: Verify vulnerable kernel versions are no longer running across production and container environments.
  • Rollback Plan:
    • If issues occur after patching, restore the previous stable kernel version following internal change-management procedures.
    • Re-enable temporary mitigations if rollback is required before a fixed kernel can be redeployed.
  • Incident Response Considerations:
    • Isolate affected Linux systems if suspicious privilege escalation activity is detected.
    • Collect logs related to AF_ALG, splice(), su, and unusual root-level activity.
    • Investigate possible container escape or unauthorized root access attempts.
    • Monitor for suspicious execution patterns involving curl, su, or abnormal parent-child process behavior after remediation.

Compliance & Governance Notes

  • Audit Trail Requirement:
    • Record Linux kernel update deployment details, including affected systems and patched kernel versions.
    • Maintain logs related to AF_ALG, splice(), su, and suspicious privilege escalation activity.
    • Track mitigation changes such as disabling algif_aead or blocking the AF_ALG interface.
    • Monitor and document suspicious container escape or root escalation events during investigations.
  • Policy Alignment:
    • Update vulnerability management processes to prioritize urgent Linux kernel security updates.
    • Review hardening policies for local access, SELinux enforcement, and non-root workload execution.
    • Update incident response procedures to include Linux kernel privilege escalation and container escape scenarios.
    • Review controls for shared Linux environments, including container clusters and CI/CD systems.

Detect Attackers Early with Intelligent Deception

      • Learn how decoys and breadcrumbs trap attackers
      • Discover high-fidelity alerts for faster detection
      • Improve visibility with cyber terrain mapping
Download Data Sheet

Explore the full CVE database for broader vulnerability coverage and context.

CVSS Breakdown Table 

MetricValue Description
Base Score7.8High-severity Linux kernel privilege escalation vulnerability
Attack VectorLocalExploitation requires local access to the affected Linux system
Attack ComplexityLowThe exploit is reported to work reliably without race conditions or special timing
Privileges RequiredLowAn unprivileged local user can trigger the vulnerability
User Interaction NoneNo user action is required for exploitation
Scope Unchanged The vulnerability impacts the affected Linux kernel environment
Confidentiality Impact HighSuccessful exploitation can provide unauthorized root-level access
Integrity Impact HighAttackers can alter the in-memory page cache of privileged binaries
Availability ImpactHighFull system compromise can affect overall system stability and security

References:

  1. NVD – CVE-2026-31431
  2. CVE Record: CVE-2026-31431

Vulnerability Overview 

CVE ID: CVE-2026-31431

CVE Title: Linux Kernel AF_ALG Local Privilege Escalation (“Copy Fail”)

Severity: High

CVSS Score: 7.8

Exploit Status: Public proof-of-concept (PoC) and active exploitation reported

Business Risk: Successful exploitation lets local users gain root access, escape containers, compromise Kubernetes and CI/CD environments, and access sensitive data on affected Linux systems.

Compliance Impact: Potential exposure of sensitive data, privileged credentials, and shared workloads may affect compliance requirements related to access control, workload isolation, and system integrity.

Identifying CVEs Cover Banner

Related Readings

One Platform for All Adversaries

See Fidelis in action. Learn how our fast and scalable platforms provide full visibility, deep insights, and rapid response to help security teams across the World protect, detect, respond, and neutralize advanced cyber adversaries.

Get a Demo