Linux flaw 'Copy Fail' roots hosts

- Researchers at Theori and Xint publicly disclosed Copy Fail on April 29, a Linux kernel privilege-escalation bug that lets local users become root.
- The exploit is a 732-byte Python script that writes 4 controlled bytes into page cache for readable files, then hijacks setuid binaries.
- The bug hits kernels dating to 2017, so shared hosts, CI runners, and containers are the real immediate risk.

Linux has a new local privilege-escalation bug, and it is ugly in a very specific way. A normal unprivileged user can tamper with the in-memory copy of a readable file, then use that to turn a setuid program into a path to root. The news this week is that researchers at Theori and Xint disclosed the flaw publicly as CVE-2026-31431 — “Copy Fail” — and released a tiny proof of concept that works across major distributions. The reason people are paying attention is simple: this is not a fragile race-condition trick. It is deterministic, portable, and hard to notice. (cert.europa.eu)

### What actually broke?

The bug sits in the Linux kernel’s crypto API, in the `algif_aead` path tied to AF_ALG sockets. A 2017 optimization let page-cache-backed data end up in a writable destination list during a crypto operation. That should not happen. Once it does, an unprivileged process can combine an AF_ALG operation with (cert.europa.eu)

### Why is page cache the scary part?

Because Linux executes from page cache all the time. The file on disk may still look untouched, but the kernel can read the corrupted in-memory copy when it loads a binary. So the attack is less “edit the file” and more “poison the copy the system is about to trust.” That also means ordinary file(cert.europa.eu)o disk. (xint.io)

### How does that turn into root?

The straightforward path is to target a setuid binary — something like `/usr/bin/su`. Setuid programs run with elevated privileges, so if an attacker can corrupt the cached bytes the kernel executes, they can redirect control flow and pop a root shell. The researchers say the whole exploit fits in 732 bytes of Python and (xint.io). That is what makes this feel closer to Dirty Pipe than to older, crash-prone Linux privilege escalations. (xint.io)

### Which systems are in scope?

Broadly, Linux systems running affected kernels built since 2017. CERT-EU said mainstream distributions in that range are exposed, and listed direct verification on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16. It also flagged Debian, Arch, Fedora, Rocky, AlmaLinux, Oracle Linux, and embedded Linux as implici(xint.io)cert.europa.eu)

### Is this remote?

Not by itself. This is a local privilege escalation, so an attacker first needs code execution as a regular user. But that is the catch — local bugs matter a lot in real environments. A web app RCE that lands as a low-privilege service account, a malicious CI job, a compromised developer shell, or a breakout attem(cert.europa.eu)nel container setups are especially exposed because page cache is shared across the host. (xint.io)

### Are patches out?

The upstream fix was committed on April 1, 2026 as `a664bf3d603d`, which reverts the bad 2017 optimization. But rollout is uneven. CERT-EU said on April 30 that no major distribution had yet shipped a fixed kernel package, while distro reporting elsewhere suggested patching had started or was imminent. The practical read is simple — c(xint.io)fast. (cert.europa.eu)

### What should operators do right now?

Patch as soon as your distro ships a fixed kernel. Until then, reduce the blast radius. CERT-EU recommends disabling the `algif_aead` module as an interim mitigation where feasible, and prioritizing Kubernetes nodes and CI/CD runners. More broadly, treat local privilege boundaries as softer tha(cert.europa.eu)ecrets that might be reachable from multi-tenant workloads. (cert.europa.eu)

### Why does this story feel bigger than one bug?

Because it is a reminder that “local only” is not a comfort phrase anymore. Modern attacks chain bugs together, and a reliable cross-distro root primitive is exactly the kind of second-stage tool that turns a small foothold into a full compromise. Copy Fail matters on its own. But the(cert.europa.eu)dest trust boundaries in Linux. (xint.io)
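The interim mitigation in the "What should operators do right now?" section is to keep `algif_aead` from loading until a fixed kernel arrives. The POSIX shell helpers below are an added example, not code from the article, CERT-EU, Theori or Xint: they check whether the module is currently loaded, whether a modprobe.d override already disables it, and stage that override. The config directory and file name are assumptions passed in by the caller, and the approach only applies where `algif_aead` is built as a loadable module rather than compiled into the kernel.

```shell
#!/bin/sh
# Added example (not the article's or the researchers' code): helpers for the
# interim mitigation of CVE-2026-31431 (Copy Fail), i.e. keeping algif_aead
# from being loaded. The modprobe.d directory is a caller-supplied assumption
# so the functions can be exercised against a scratch directory.

MODULE="algif_aead"

# Exit 0 if the module appears as the first column of lsmod or /proc/modules
# style text read from stdin.
module_loaded_in_text() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Exit 0 if some *.conf in the given directory already neutralises the module
# with an "install <mod> /bin/false" or "blacklist <mod>" line.
module_disabled_in_dir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    grep -Eqs "^[[:space:]]*(install[[:space:]]+$MODULE[[:space:]]+/bin/(false|true)|blacklist[[:space:]]+$MODULE)([[:space:]]|$)" "$dir"/*.conf
}

# Stage the override. "install ... /bin/false" stops modprobe from loading the
# module on request; "blacklist" additionally stops alias-based autoloading.
write_disable_conf() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/disable-$MODULE.conf" <<EOF
# Interim mitigation for CVE-2026-31431 (Copy Fail): prevent $MODULE from loading.
# Remove this file once a fixed kernel package is installed.
install $MODULE /bin/false
blacklist $MODULE
EOF
}

# Exit 0 if the running kernel has the module compiled in, in which case the
# modprobe.d override cannot help and only a kernel update closes the hole.
module_is_builtin() {
    list="/lib/modules/$(uname -r)/modules.builtin"
    [ -r "$list" ] && grep -qs "/$MODULE\.ko" "$list"
}

# Live check against the running host; reports only, changes nothing.
check_host() {
    if module_is_builtin; then
        echo "$MODULE is built into this kernel: modprobe.d cannot disable it, patch the kernel"
    fi
    if [ -r /proc/modules ] && module_loaded_in_text "$MODULE" < /proc/modules; then
        echo "$MODULE is currently loaded; unload with: rmmod $MODULE"
    else
        echo "$MODULE is not currently loaded"
    fi
    if module_disabled_in_dir /etc/modprobe.d; then
        echo "/etc/modprobe.d already disables $MODULE"
    else
        echo "no modprobe.d override for $MODULE (stage one with: write_disable_conf /etc/modprobe.d)"
    fi
}
```

On a real host run `check_host` as root; if the module is built in (`modules.builtin` lists it), the override is a no-op and only the kernel update matters, which is why the script reports that case first.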
