VMware confirms CVE-2026-31431 Linux root-escape does not affect ESXi and Photon OS

- Broadcom’s May 8 impact note says CVE-2026-31431 does not affect VMware ESXi or Photon OS, reversing the premise that both needed emergency fixes.
- The bug is “Copy Fail,” a Linux kernel privilege-escalation flaw with a public 732-byte exploit; VMware says ESXi isn’t Linux-based and Photon OS lacks algif_aead.
- That matters because defenders were bracing for VMware fallout, but the real urgent patching target is Linux fleets, especially shared hosts and Kubernetes nodes.

A Linux privilege-escalation bug called “Copy Fail” has been moving fast because the exploit is simple, public, and unusually reliable. But the VMware angle turned out to be narrower than early chatter suggested. Broadcom’s May 8 impact note says CVE-2026-31431 does not affect VMware ESXi, and it also says Photon OS is not affected because it does not use the vulnerable kernel module. (knowledge.broadcom.com)

### What is Copy Fail?

Copy Fail is CVE-2026-31431 — a Linux kernel local privilege-escalation flaw in the `algif_aead` path of the AF_ALG crypto interface. In plain English, a normal unprivileged user can corrupt the page cache for a readable file and turn that into root access. The bug traces back to an optimization introduced in 2017, and the upstream fix reverts that behavior. (copy.fail)

### Why did people care so much?

Because this is not one of those fiddly Linux bugs that needs a race condition, distro-specific offsets, or a pile of setup. The public disclosure site says the same 732-byte script works across major Linux distributions shipped since 2017. Microsoft also flagged the flaw as broadly relevant to cloud Linux workloads and Kubernetes environments, where local privilege escalation can become container escape or lateral movement. (cert.europa.eu)

### So what changed for VMware?

The important update is that VMware by Broadcom published an impact evaluation on May 8 and marked ESXi as not vulnerable. The reason is simple — ESXi is not based on Linux. The same note says Photon OS is not affected either, because it does not use the `algif_aead` kernel module that Copy Fail abuses. Broadcom extended that “not affected” status to vCenter Server, vSphere Kubernetes Service Supervisor, SDDC Manager, and several Aria products that rely on Photon OS appliances. (knowledge.broadcom.com)

### Why was there confusion?

Because “Linux root bug” plus “VMware stack” sounds like an obvious collision. Photon OS is VMware’s Linux distribution, and a lot of VMware infrastructure products sit on top of it. If you stopped at that layer of detail, it was easy to assume broad impact. But this bug is not “all Linux everywhere.” It depends on a specific kernel module and code path. VMware’s position is basically that those paths are absent in the products people were worried about. (knowledge.broadcom.com)

### Is the bug still serious?

Yes — just not for ESXi in the way some people thought. CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities catalog on May 1, which means there is evidence of active exploitation. Microsoft said it was seeing early testing activity and warned that broader attacker use was likely as patching raced against public PoC availability. (cisa.gov)

### What did big operators do?

Cloudflare published its response on May 7. The company said it assessed the issue as soon as it was disclosed, validated detections, and found no impact to its environment, no customer data risk, and no service disruption. Cloudflare also said its kernel release process usually means fixes are already integrated before a CVE becomes public. (blog.cloudflare.com)

### Who actually needs to move now?

Linux operators running shared systems. The highest-risk cases are multi-tenant hosts, Kubernetes nodes, CI runners, and anything that executes untrusted code from regular users or containers. CERT-EU explicitly called out Kubernetes nodes and CI/CD runners for priority mitigation, and Microsoft highlighted cloud and container environments for the same reason. (cert.europa.eu)

### Bottom line?

The story is not “VMware hypervisors are escaping.” The story is that a nasty Linux root bug sparked understandable VMware concern, and Broadcom has now said ESXi and Photon OS are not in scope. If you run VMware, verify your exact product guidance. If you run Linux fleets, especially shared ones, this is still a patch-now vulnerability. (knowledge.broadcom.com)
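The Photon OS reasoning above (not affected because the `algif_aead` module is absent) suggests a quick exposure triage for any Linux host: is the vulnerable code path even present? The script below is an added example written for this note, not code from the article, Broadcom, or the disclosure site; the function names are made up, and it assumes `/proc/modules` and the running kernel's config file are readable. It only reports whether the code path exists; whether the kernel carries the upstream fix has to be checked against your distribution's advisory.

```shell
#!/bin/sh
# Exposure check for the algif_aead code path (the AF_ALG AEAD interface
# that Copy Fail / CVE-2026-31431 abuses). Example code for this note,
# not from the article or any vendor.

# classify_algif_aead LSMOD_TEXT KCONFIG_TEXT
#   LSMOD_TEXT   - contents of /proc/modules (or lsmod output)
#   KCONFIG_TEXT - contents of the running kernel's config file
# Prints exactly one word: loaded | builtin | module-available | absent
classify_algif_aead() {
    lsmod_text=$1
    kconfig_text=$2
    # Module currently loaded: module name is the first field of each line.
    if printf '%s\n' "$lsmod_text" | grep -q '^algif_aead[[:space:]]'; then
        echo loaded
        return 0
    fi
    # CONFIG_CRYPTO_USER_API_AEAD is the Kconfig symbol that builds algif_aead.
    cfg=$(printf '%s\n' "$kconfig_text" | sed -n 's/^CONFIG_CRYPTO_USER_API_AEAD=//p')
    case $cfg in
        y) echo builtin ;;
        # A loadable module still counts as exposure: the AF_ALG socket code
        # autoloads algif_aead the first time any local user asks for it.
        m) echo module-available ;;
        *) echo absent ;;
    esac
}

# check_host: classify the live system and print a one-line verdict plus
# the kernel release, for comparison with the distribution advisory.
check_host() {
    lsmod_text=$(cat /proc/modules 2>/dev/null || true)
    kconfig_text=$(cat "/boot/config-$(uname -r)" 2>/dev/null || true)
    # Some kernels expose their config only via /proc/config.gz.
    if [ -z "$kconfig_text" ] && [ -r /proc/config.gz ]; then
        kconfig_text=$(zcat /proc/config.gz 2>/dev/null || true)
    fi
    state=$(classify_algif_aead "$lsmod_text" "$kconfig_text")
    case $state in
        absent) verdict="algif_aead not built: Copy Fail code path not present" ;;
        *)      verdict="algif_aead $state: Copy Fail code path present, confirm kernel is patched" ;;
    esac
    printf '%s (kernel %s)\n' "$verdict" "$(uname -r)"
}

check_host
```

A host that reports `absent` matches the Photon OS situation described by Broadcom; anything else is a Linux host that belongs on the patch-now list until its kernel version is confirmed fixed.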


Shared from Scout - Be the smartest in the room.