On April 29, 2026, a high-severity local privilege escalation (LPE) vulnerability known as "Copy Fail" (CVE-2026-31431) was disclosed.
The flaw resides in the kernel's cryptographic subsystem (crypto/algif_aead.c). By chaining an AF_ALG socket operation with the splice() system call, an unprivileged local user can force a zero-copy write directly into the kernel's page cache, allowing them to overwrite setuid-root binaries in memory and gain instant root access.
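Because this kernel is configured with CONFIG_CRYPTO_USER_API_AEAD=y, the affected code is compiled into the kernel image rather than built as a loadable module, so the standard modprobe mitigation strategies do not work on this build.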
The source-level kernel patch can be found here.
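To check which case a given host falls into, the following added example (not part of the original advisory or the kernel project) classifies how CONFIG_CRYPTO_USER_API_AEAD is set in a kernel config file. The function names and the sample config are constructed for illustration; it assumes the usual module name `algif_aead`, derived from crypto/algif_aead.c.

```shell
#!/bin/sh
# Added example: decide whether a modprobe-based block of the AEAD user API
# can have any effect, based on how the option is set in a kernel config.

# Print a kernel config, plain (/boot/config-*) or gzipped (/proc/config.gz).
read_kconfig() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# Prints one of: builtin | module | disabled | unknown
aead_build_mode() {
    line=$(read_kconfig "$1" 2>/dev/null |
        grep -E '^(# )?CONFIG_CRYPTO_USER_API_AEAD[= ]' | tail -n 1) || true
    case "$line" in
        CONFIG_CRYPTO_USER_API_AEAD=y) echo builtin ;;
        CONFIG_CRYPTO_USER_API_AEAD=m) echo module ;;
        "# CONFIG_CRYPTO_USER_API_AEAD is not set") echo disabled ;;
        *) echo unknown ;;
    esac
}

# Succeeds only when the code is a loadable module, i.e. when a modprobe
# install/blacklist rule for algif_aead (assumed module name) can apply.
modprobe_mitigation_applies() {
    [ "$(aead_build_mode "$1")" = module ]
}

# One-line verdict for an operator.
aead_report() {
    case "$(aead_build_mode "$1")" in
        builtin)  echo "built in (=y): modprobe rules have no effect; patch the kernel" ;;
        module)   echo "module (=m): a modprobe rule for algif_aead can apply" ;;
        disabled) echo "not built: the AEAD user API is not compiled in" ;;
        *)        echo "option not found in $1" ;;
    esac
}

# Constructed sample resembling the build described above (not a real dump).
sample=$(mktemp)
printf '%s\n' 'CONFIG_CRYPTO_USER_API=y' 'CONFIG_CRYPTO_USER_API_AEAD=y' > "$sample"
aead_report "${1:-$sample}"
rm -f "$sample"
```

Pass a real config path such as /proc/config.gz or /boot/config-$(uname -r) as the first argument to check the running host instead of the sample.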