CVE-2026-31431: “Copy Fail” Linux kernel flaw lets local users gain root in seconds
Blog post from Sysdig
CVE-2026-31431, also known as "Copy Fail," is a significant vulnerability in the Linux kernel's algif_aead userspace crypto interface (AF_ALG) that lets an unprivileged local user gain root in seconds by writing into the page cache of setuid binaries. Rated CVSS 7.8, the flaw was introduced in 2017 and affects kernels from version 4.14 through 7.0-rc, with fixes available in later versions. It stems from a defect in AEAD operations that permits unauthorized writes into the page cache, corrupting the cached binary data. Researchers from Theori demonstrated a proof-of-concept exploit, with distributions such as Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16 affected.

Sysdig and Falco have published detection rules for activity associated with this exploit, and the recommended mitigations are to update affected systems to patched kernel versions and to restrict AF_ALG socket creation. The vulnerability is compared to earlier exploits such as Dirty Pipe, underscoring the need for prompt kernel updates and runtime monitoring to catch local privilege escalation.
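As an added illustration of the "restrict and watch AF_ALG socket creation" advice above (this is example code written for this page, not Sysdig's or Falco's rules), the script below parses auditd-style SYSCALL records and flags AF_ALG sockets opened by non-root processes. The audit lines are constructed samples; the syscall number 41 (socket on x86_64) and AF_ALG = 38 are kernel constants, not values taken from the post.

```python
import re

# Kernel constants (not from the Sysdig post): x86_64 socket(2) syscall
# number and the AF_ALG address family used by algif_aead.
SYSCALL_SOCKET_X86_64 = 41
AF_ALG = 38

# Constructed auditd-style SYSCALL records, not real captures. auditd writes
# socket()'s first argument (the address family) in hex in field a0.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1712345678.001:101): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 ppid=1 pid=4201 auid=1000 uid=1000 gid=1000 comm="curl" exe="/usr/bin/curl"
type=SYSCALL msg=audit(1712345678.002:102): arch=c000003e syscall=41 success=yes exit=4 a0=26 a1=5 a2=0 a3=0 ppid=4300 pid=4301 auid=1000 uid=1000 gid=1000 comm="a.out" exe="/tmp/a.out"
type=SYSCALL msg=audit(1712345678.003:103): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=7ffd a2=0 a3=0 ppid=1 pid=4201 auid=1000 uid=1000 gid=1000 comm="curl" exe="/usr/bin/curl"
type=SYSCALL msg=audit(1712345678.004:104): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 comm="kcapi-speed" exe="/usr/bin/kcapi-speed"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one auditd record into a dict of key -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_af_alg_socket(rec):
    """True when the record is an x86_64 socket() call whose domain is AF_ALG."""
    if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
        return False
    if int(rec.get("syscall", "-1")) != SYSCALL_SOCKET_X86_64:
        return False
    return int(rec.get("a0", "0"), 16) == AF_ALG


def find_unprivileged_af_alg(log_text):
    """Return (pid, uid, exe) for AF_ALG sockets opened by non-root users.

    Root processes are skipped because legitimate crypto tooling may use
    AF_ALG; an unprivileged process opening one on an unpatched kernel is
    what deserves review.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if is_af_alg_socket(rec) and rec.get("uid") != "0":
            hits.append((int(rec["pid"]), int(rec["uid"]), rec["exe"]))
    return hits


if __name__ == "__main__":
    for pid, uid, exe in find_unprivileged_af_alg(SAMPLE_AUDIT_LOG):
        print(f"AF_ALG socket from unprivileged pid={pid} uid={uid} exe={exe}")
```

On a live host the same logic applies to `ausearch -sc socket` output; pair it with a kernel update rather than relying on detection alone.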