Fixing CVE-2026-31431 (“Copy Fail”) Across Linux Distributions

Overview

CVE-2026-31431, nicknamed Copy Fail, is a local privilege escalation vulnerability in the Linux kernel, published on 29 April 2026 alongside a public proof-of-concept exploit. It allows an unprivileged local user to escalate to root.

The flaw lives in the kernel’s AEAD crypto implementation (algif_aead). Improper handling of scatter-gather lists permits a write beyond intended bounds. By chaining the bug with AF_ALG sockets and splice(), an attacker can overwrite 4 bytes in the page cache of any readable file — including setuid binaries. Because the page cache is the in-memory version of an executable, modifying it changes the binary at execution time without ever touching disk. This lets an attacker inject code into privileged binaries such as su and gain root.

Affected platforms: Essentially every mainstream Linux distribution shipping a kernel built between 2017 and the patch release, including container environments.


Step 1: Determine Whether You Are Exploitable

The exploit path depends on how algif_aead was compiled into your kernel. Check the running kernel’s config:

grep CONFIG_CRYPTO_USER_API_AEAD /boot/config-$(uname -r)

  • =y: algif_aead is built into the kernel. Module blacklisting will not work; use the eBPF/seccomp mitigation or patch.
  • =m: algif_aead is a loadable module. You can use the OS-level module-blacklist mitigation.

You can also check whether the module is currently loaded:

grep -q '^algif_aead' /proc/modules && echo "loaded" || echo "not loaded"

Step 2: Remediate by Patching the Kernel (Preferred)

Patching is the only complete fix. Prioritize hosts in this order:

Patch first:

  1. Build & CI/CD infrastructure and self-hosted runners
  2. Cloud/SaaS platforms that accept user input or uploads
  3. Kubernetes, container clusters, and hosting infrastructure
  4. Multi-tenant Linux hosts, including jump/bastion hosts
  5. All externally accessible Linux hosts without an intervening device

Patch next:

  1. Every remaining Linux host

Distribution-Specific Patch Commands

Red Hat Enterprise Linux / Rocky Linux / AlmaLinux / CentOS Stream (8 & 9)

sudo dnf clean all
sudo dnf update kernel
sudo reboot

Verify after reboot:

uname -r
rpm -q kernel

Fedora

sudo dnf upgrade --refresh kernel
sudo reboot

Ubuntu

sudo apt update
sudo apt install --only-upgrade linux-image-generic linux-headers-generic
sudo reboot

For unattended hosts, ensure unattended-upgrades is enabled so security kernels apply automatically.

Debian

sudo apt update
sudo apt full-upgrade
sudo reboot

Track fixed versions in the Debian Security Tracker for your release (bookworm, bullseye, etc.).

Amazon Linux 2 / 2023

sudo yum update kernel    # AL2
sudo dnf update kernel    # AL2023
sudo reboot

SUSE Linux Enterprise / openSUSE

sudo zypper refresh
sudo zypper patch
sudo reboot

Or apply live patches without reboot where supported:

sudo zypper patch --category security

Arch Linux

sudo pacman -Syu linux
sudo reboot

After patching, reboot and confirm that the running kernel (uname -r) is at or after your distribution’s fixed version. A patched package on disk does not protect a still-running vulnerable kernel.


Step 3: Temporary Mitigations (When You Cannot Patch Yet)

Use these only as a stopgap. Patch as soon as fixed kernels are available.

Option A — OS Mitigation (Module Blacklist)

Only works when algif_aead is a module (=m). It will not work on distributions that compile it in (=y), which includes the pre-compiled kernels of RHEL 8/9, AlmaLinux 8/9, Rocky Linux 8/9, and CentOS Stream 8/9.

Manual steps:

echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
sudo rmmod algif_aead

Ansible:

- name: Disable algif_aead kernel module to mitigate CVE-2026-31431
  ansible.builtin.copy:
    content: "install algif_aead /bin/false"
    dest: /etc/modprobe.d/disable-algif.conf
    owner: root
    group: root
    mode: '0644'

- name: Unload algif_aead module if loaded
  community.general.modprobe:
    name: algif_aead
    state: absent

Puppet:

file { '/etc/modprobe.d/disable-algif.conf':
  ensure  => file,
  content => "install algif_aead /bin/false\n",
}

Chef:

file '/etc/modprobe.d/disable-algif.conf' do
  content "install algif_aead /bin/false"
end

kernel_module 'algif_aead' do
  action :uninstall
  only_if '/usr/bin/egrep -q ^algif_aead /proc/modules'
end

Option B — eBPF Mitigation (Pre-compiled Kernels & Kubernetes)

For environments where blacklisting is impractical — including built-in kernels and Kubernetes nodes — an eBPF agent such as Tetragon can block AF_ALG socket creation. The Override action depends on node kernel and eBPF support, and on the agent being permitted to attach and enforce on every node. Verify the agent is installed and healthy on all relevant nodes before relying on it.

Example Tetragon TracingPolicy:

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: copyfail-mitigate
spec:
  kprobes:
    - call: 'sys_socket'
      syscall: true
      args:
        - index: 0
          type: 'int'
          label: 'family'
      tags:
        - 'CVE-2026-31431'
        - 'copyfail'
      message: 'AF_ALG socket creation blocked'
      selectors:
        - matchArgs:
            - index: 0
              operator: 'Equal'
              values:
                - '38'          # AF_ALG
          matchActions:
            - action: Override
              argError: -1
            - action: Post
              kernelStackTrace: true

After applying, confirm the policy is loaded and that AF_ALG socket attempts are denied or produce the expected events on each protected node.

Option C — Container & Multi-Tenant Hardening

  • seccomp: In container environments, block AF_ALG socket creation via a seccomp profile — highly effective at the container boundary.
  • Sandboxing: For shared environments (CI/CD, multi-tenant systems), restrict execution of untrusted code with sandboxing or stronger isolation.
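A concrete form of the seccomp bullet above, added here as an example rather than taken from the article: a Docker/OCI seccomp profile that fails any socket() call whose first argument is AF_ALG (38) with EAFNOSUPPORT (errno 97). It is written as a default-allow overlay so the rule is easy to read; in production you would merge the single socket rule into your runtime's default (allow-list) profile instead of replacing it. The file name and errno value are my choices.

```json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 97,
      "args": [
        { "index": 0, "value": 38, "op": "SCMP_CMP_EQ" }
      ],
      "comment": "CVE-2026-31431 (Copy Fail): deny AF_ALG (family 38) sockets; other families untouched"
    }
  ]
}
```

Apply it per container with `docker run --security-opt seccomp=./no-afalg.json ...`, or on Kubernetes by placing the file in the kubelet's seccomp directory and referencing it through `securityContext.seccompProfile` with `type: Localhost`. Verify by running `python3 -c "import socket; socket.socket(38, socket.SOCK_SEQPACKET)"` inside the container and confirming it raises an address-family error.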

Step 4: Verify and Detect

Confirm the running kernel is patched:

uname -r

Compare against your distribution’s fixed version.

Confirm a mitigation is active (module case):

grep -q '^algif_aead' /proc/modules && echo "STILL LOADED — mitigation failed" || echo "module not loaded"
cat /etc/modprobe.d/disable-algif.conf
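The Step 1 checks (how algif_aead is built, whether it is loaded) and the Step 4 mitigation check above are combined here into one function. This is an added example, not a script from the article; the three file-path parameters, the status words and the return codes are my choices, and the blacklist pattern also accepts `/bin/true`, which some guides use in place of `/bin/false`.

```sh
# Usage: copyfail_status [kernel-config] [modules-file] [modprobe.d-dir]
# Defaults to the running host; pass copies of the files to audit another host.
# Prints one status word; returns 0 when the host is covered, 1 when it is not.
#   UNKNOWN      kernel config not readable, cannot decide
#   NOT_COMPILED CONFIG_CRYPTO_USER_API_AEAD unset: AF_ALG AEAD interface absent
#   BUILTIN      =y: blacklist cannot help, patch or use eBPF/seccomp (Option B/C)
#   EXPOSED      =m but module loaded or no blacklist in place
#   MITIGATED    =m, blacklisted and not loaded (Option A active)
copyfail_status() {
    cfg=${1:-/boot/config-$(uname -r)}
    mods=${2:-/proc/modules}
    mpd=${3:-/etc/modprobe.d}

    if [ ! -r "$cfg" ]; then
        echo UNKNOWN; return 1
    fi

    # Value after "CONFIG_CRYPTO_USER_API_AEAD=" : y, m, or empty when unset
    build=$(sed -n 's/^CONFIG_CRYPTO_USER_API_AEAD=//p' "$cfg")
    case "$build" in
        y) echo BUILTIN; return 1 ;;
        m) ;;
        *) echo NOT_COMPILED; return 0 ;;
    esac

    # /proc/modules lines start with the module name followed by a space
    if grep -q '^algif_aead[[:space:]]' "$mods" 2>/dev/null; then
        echo EXPOSED; return 1
    fi

    # Any modprobe.d file carrying the "install algif_aead /bin/false" line
    if grep -qsE '^install[[:space:]]+algif_aead[[:space:]]+/bin/(false|true)' "$mpd"/*.conf; then
        echo MITIGATED; return 0
    fi
    echo EXPOSED; return 1
}
```

Source the file and run `copyfail_status` on each host; a non-zero exit code from a fleet-wide run flags the hosts that still need patching or another mitigation.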

Detect exploitation attempts: Watch for unexpected AF_ALG (family=38) socket creation, unusual splice() activity against setuid binaries, and process anomalies around su and similar privileged binaries. eBPF tooling can log these events for alerting.


Important Caveat

Exploitability is environment-dependent and the situation continues to evolve. A correctly applied mitigation that disables the vulnerable module in your environment should hold, but patching to a fixed kernel is the only durable remediation. Treat workarounds as temporary and replace them with updated kernels as soon as they are available for your distribution.


References

  • CVE-2026-31431 — NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31431
  • CVE-2026-31431 — CVE Record: https://www.cve.org/CVERecord?id=CVE-2026-31431
  • CERT-EU advisory 2026-005 (“Copy Fail”): https://cert.europa.eu/publications/security-advisories/2026-005/
  • Red Hat: https://access.redhat.com/security/cve/cve-2026-31431
  • AlmaLinux: https://almalinux.org/blog/2026-05-01-cve-2026-31431-copy-fail/
  • Amazon Linux: https://explore.alas.aws.amazon.com/CVE-2026-31431.html
  • Ubuntu: https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available
  • Debian: https://security-tracker.debian.org/tracker/CVE-2026-31431
  • GitHub Advisory: https://github.com/advisories/GHSA-2274-3hgr-wxv6

David Cao