Microsoft publishes deep-dive on 'Copy Fail' (CVE-2026-31431), detailing root cause and mitigations

- Microsoft’s security team published a May 1 deep dive on CVE-2026-31431, “Copy Fail,” a Linux kernel bug that can turn local code execution into root.
- The flaw traces to a 2017 algif_aead optimization and enables a controlled 4-byte write into page cache; CISA added it to KEV.
- It matters because containers, CI runners, and cloud VMs can become host-level compromises until patched kernels or mitigations land.

Linux privilege-escalation bugs are bad on their own. This one is worse because it breaks a trust boundary a lot of teams quietly rely on — that a readable file on disk stays meaningfully the same when the kernel executes it. Microsoft’s May 1 write-up on CVE-2026-31431, nicknamed “Copy Fail,” matters because it explains how a local user can corrupt the kernel’s cached copy of a privileged binary and pop root without changing the file on disk. That makes the blast radius much bigger in cloud fleets, containers, bastions, and shared build systems. (microsoft.com)

### What is Copy Fail?

Copy Fail is a Linux local privilege-escalation bug in `algif_aead`, part of the kernel crypto interface exposed through AF_ALG sockets. The practical effect is simple: an unprivileged user who can run code on a box can abuse the bug to get root. The CVE carries a 7.8 severity score, and public exploit code is already out there. (microsoft.com)

### Where’s the actual mistake?

The root cause sits in an in-place optimization added in 2017. That change let `algif_aead` operate with source and destination data overlapping in a way that turns out to be unsafe for this path. The upstream fix basically backs that idea out — the kernel patch literally reverts `algif_aead` to operating out-of-place because the added complexity was not buying anything useful. (nvd.nist.gov)

### How does that become root?

The exploit chains AF_ALG with `splice`. That combination lets an attacker steer a small, controlled write into the page cache — Linux’s in-memory copy of file contents. The weird part is the whole trick targets memory, not the underlying file on disk. So if the cached pages for a setuid binary get corrupted, the runtime view can be hos… (nvd.nist.gov) …re “copy fail” idea. (microsoft.com)

### Why is page cache the scary part?

Because page cache is what processes actually read from when they execute files. Think of it like swapping the script inside the projector, not the film reel in storage. Security checks or file integrity tooling aimed at the disk copy can miss… (microsoft.com) …t what “the file” even is at runtime. This analogy is an inference from the exploit mechanics and the kernel behavior Microsoft and others describe. (microsoft.com)

### Which systems are exposed?

Microsoft says major Linux distributions are affected, including Red Hat, SUSE, Ubuntu, and Amazon Linux, and frames the impact as broad across cloud Linux workloads and Kubernetes clusters. CERT-EU says the vulnerable range covers mainstream distrib… (microsoft.com) …, you should assume exposure until you verify kernel versions or vendor advisories. (microsoft.com)

### Why are containers such a big deal here?

Because “local” in cloud land often means “code running in a pod.” Microsoft explicitly calls out container breakout and multi-tenant compromise as plausible outcomes after successful exploitation. AKS also warned that even non-root pods can trigger auto-loading of the vulnerable module and then escalate to root on the node, unless mitigations are in place. (microsoft.com)

### What should defenders do right now?

Best fix: install patched kernels as vendors ship them. If that is not available yet, the common interim mitigation is to disable the `algif_aead` module so it cannot be auto-loaded. Microsoft says defenders should also hunt for suspicious AF_ALG usage and signs of exploitation, while CISA’s KEV listing is the big signal that this has moved from interesting bug to priority patch item. (microsoft.com)

### Bottom line

Microsoft’s post is useful because it turns Copy Fail from a scary headline into an operational problem statement. Basically — if untrusted code can run anywhere on your Linux estate, this bug can turn that foothold into root, and in cloud environments that can quickly become everyone’s problem. (microsoft.com)
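A defensive status check for the interim mitigation in the “What should defenders do right now?” section, written here as an added example and not taken from Microsoft’s post or any vendor advisory. It reports whether `algif_aead` is already loaded, blocked from auto-loading, or still exposed, and can write the block rule. It assumes the rule lives in `/etc/modprobe.d` and uses an `install algif_aead /bin/false` line, since a `blacklist` entry only stops alias-based loading while an `install` rule also blocks `modprobe` by name.

```shell
#!/bin/sh
# Status check for the algif_aead interim mitigation (added example).
# Assumptions: modprobe rules live in /etc/modprobe.d and the block takes the
# form `install algif_aead /bin/false`; the file name below is our own choice.

MODULE=algif_aead
MODPROBE_DIR=${MODPROBE_DIR:-/etc/modprobe.d}

# Is the module loaded right now? Reads a file in /proc/modules format; the
# path is a parameter so the check can run against a constructed sample.
module_loaded() {
    modules_file=${1:-/proc/modules}
    grep -q "^$MODULE " "$modules_file"
}

# Is on-demand loading blocked by an `install <module> /bin/false|true` rule
# in any *.conf under the modprobe directory?
autoload_blocked() {
    dir=${1:-$MODPROBE_DIR}
    grep -Eqs "^[[:space:]]*install[[:space:]]+$MODULE[[:space:]]+/bin/(false|true)" "$dir"/*.conf
}

# Prints one of: loaded | blocked | exposed.
# "loaded" wins over "blocked": a rule only stops future loads, so an already
# resident module still needs rmmod (if nothing holds it) or a reboot.
mitigation_status() {
    modules_file=$1
    dir=$2
    if module_loaded "$modules_file"; then
        echo loaded
    elif autoload_blocked "$dir"; then
        echo blocked
    else
        echo exposed
    fi
}

# Write the block rule. On a real host this needs root and the directory
# argument can be omitted to use /etc/modprobe.d.
apply_mitigation() {
    dir=${1:-$MODPROBE_DIR}
    printf 'install %s /bin/false\n' "$MODULE" > "$dir/disable-$MODULE.conf"
}
```

Run `mitigation_status` across a fleet (or as a node check in Kubernetes) and treat anything other than `blocked` on an unpatched kernel as a finding.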

Shared from Scout - Be the smartest in the room.