Linux kernel Copy Fail local privilege escalation (CVE-2026-31431)
Vulnerability
Summary
Hide ▲
Show ▼
Researchers disclosed CVE-2026-31431, a Linux kernel local privilege-escalation flaw called Copy Fail that can let an unprivileged local user gain root. The bug sits in the kernel's algif_aead path and can be triggered by writing four controlled bytes into the page cache of a readable file. It affects essentially all Linux distributions shipped since 2017 and can also break cross-container isolation because the page cache is shared.
Related Happenings
Linux kernel RDS PinTheft local privilege escalation flaw (public PoC)
Vulnerability
First: 20.05.2026 13:52
Last: 20.05.2026 13:52
Sources 1
About this happening:
**PinTheft** now has a **public PoC exploit**, turning a recently patched **Linux kernel RDS** flaw into a practical **local privilege escalation** risk for **Arch Linux** systems...
Linux kernel RDS PinTheft local privilege escalation flaw (public PoC)
VulnerabilityAbout this happening: **PinTheft** now has a **public PoC exploit**, turning a recently patched **Linux kernel RDS** flaw into a practical **local privilege escalation** risk for **Arch Linux** systems...
Linux kernel rxgk local DirtyDecrypt/DirtyCBC privilege-escalation flaw (CVE-2026-31635)
Vulnerability
First: 18.05.2026 10:18
Last: 18.05.2026 10:18
Sources 1
About this happening:
A **proof-of-concept exploit** has been released for **DirtyDecrypt/DirtyCBC** (**CVE-2026-31635**), a **recently patched Linux kernel** flaw in **rxgk_decrypt_skb()** that can en...
Linux kernel rxgk local DirtyDecrypt/DirtyCBC privilege-escalation flaw (CVE-2026-31635)
VulnerabilityAbout this happening: A **proof-of-concept exploit** has been released for **DirtyDecrypt/DirtyCBC** (**CVE-2026-31635**), a **recently patched Linux kernel** flaw in **rxgk_decrypt_skb()** that can en...
Linux kernel XFRM ESP-in-TCP local privilege escalation (CVE-2026-46300)
Vulnerability
First: 14.05.2026 10:06
Last: 14.05.2026 10:06
Sources 1
About this happening:
**Fragnesia** adds a fresh **Linux kernel** local privilege-escalation path, putting **unprivileged local attackers** on a route to **root access** across major distributions. The...
Linux kernel XFRM ESP-in-TCP local privilege escalation (CVE-2026-46300)
VulnerabilityAbout this happening: **Fragnesia** adds a fresh **Linux kernel** local privilege-escalation path, putting **unprivileged local attackers** on a route to **root access** across major distributions. The...
Latest development: 14.05.2026 16:00
Cloud security firm Wiz identified Fragnesia (CVE-2026-46300) in the Dirty Frag family, a Linux local privilege escalation that lets unprivileged local users gain root by corrupting the kernel page cache of read-only files. William Bowling of Zellic and the V12 team were credited with the discovery, and a working proof-of-concept exploit was published on May 13, 2026.
Berz0k advertises zero-day Linux LPE exploit for sale
Threat Actor Meta
First: 14.05.2026 10:06
Last: 14.05.2026 10:06
Sources 1
About this happening:
**berz0k** is advertising a **zero-day Linux LPE exploit** for **$170,000** on **cybercrime forums**, signaling active monetization of root-level access in the exploit market. The...
Berz0k advertises zero-day Linux LPE exploit for sale
Threat Actor MetaAbout this happening: **berz0k** is advertising a **zero-day Linux LPE exploit** for **$170,000** on **cybercrime forums**, signaling active monetization of root-level access in the exploit market. The...
Linux kernel Dirty Frag and Copy Fail 2 privilege escalation (multiple vulnerabilities)
Vulnerability
First: 11.05.2026 11:15
Last: 11.05.2026 11:15
Sources 1
About this happening:
A newly disclosed **Linux kernel** local privilege-escalation flaw, **Dirty Frag and Copy Fail 2**, can let an unprivileged user reach **root** on affected systems. The bug chains...
Linux kernel Dirty Frag and Copy Fail 2 privilege escalation (multiple vulnerabilities)
VulnerabilityAbout this happening: A newly disclosed **Linux kernel** local privilege-escalation flaw, **Dirty Frag and Copy Fail 2**, can let an unprivileged user reach **root** on affected systems. The bug chains...
Timeline
-
08.05.2026 08:12 1 articles · 19d ago
Dirty Frag expands Copy Fail Linux kernel LPE analysis
Technical Analysis UpdateDirty Frag was described as an unpatched Linux kernel LPE that can give an unprivileged local user root on most Linux distributions by chaining xfrm-ESP Page-Cache Write and RxRPC Page-Cache Write, while the related Copy Fail issue was reported to Linux kernel maintainers on April 30, 2026 and has come under active exploitation in the wild. CloudLinx said the flaw sits in the ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path reachable via the XFRM user netlink interface, and the researcher said Dirty Frag can be triggered regardless of whether the algif_aead module is available; a working PoC was also released.
Show sources
- Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions — thehackernews.com — 08.05.2026 08:12
-
30.04.2026 16:54 1 articles · 27d ago
Theori reports Copy Fail to kernel security team
Initial DisclosureTheori discovered CVE-2026-31431, the Copy Fail Linux kernel privilege-escalation bug, using its Xint Code platform and reported the finding to the Linux kernel security team on March 23, 2026.
Show sources
- New Linux ‘Copy Fail’ flaw gives hackers root on major distros — www.bleepingcomputer.com — 30.04.2026 16:54
-
30.04.2026 16:54 1 articles · 27d ago
Upstream Linux kernel fix lands for Copy Fail
Mitigation Patch UpdateLinux kernel maintainers fixed CVE-2026-31431 by reverting the in-place crypto behavior introduced in 2017, and the fix was made available in releases 6.18.22, 6.19.12, and 7.0 on April 1, 2026.
Show sources
- New Linux ‘Copy Fail’ flaw gives hackers root on major distros — www.bleepingcomputer.com — 30.04.2026 16:54
-
30.04.2026 12:24 2 articles · 27d ago
CVE-2026-31431 Copy Fail disclosed
Initial DisclosureCybersecurity researchers at Xint.io and Theori disclosed CVE-2026-31431, a high-severity Linux local privilege escalation flaw called Copy Fail in the Linux kernel's algif_aead module. An unprivileged local user can write four controlled bytes into the page cache of any readable file, use a 732-byte Python exploit to edit a setuid binary such as /usr/bin/su, and gain root on Linux distributions shipped since 2017; the flaw is not remotely exploitable in isolation and can also affect cross-container isolation because the page cache is shared.
Show sources
- New Linux 'Copy Fail' Vulnerability Enables Root Access on Major Distributions — thehackernews.com — 30.04.2026 12:24
- New Linux ‘Copy Fail’ flaw gives hackers root on major distros — www.bleepingcomputer.com — 30.04.2026 16:54
-
30.04.2026 12:24 2 articles · 27d ago
CVE-2026-31431 Copy Fail disclosed
Initial DisclosureCybersecurity researchers at Xint.io and Theori disclosed CVE-2026-31431, a high-severity Linux local privilege escalation flaw called Copy Fail in the Linux kernel's algif_aead module. An unprivileged local user can write four controlled bytes into the page cache of any readable file, use a 732-byte Python exploit to edit a setuid binary such as /usr/bin/su, and gain root on Linux distributions shipped since 2017; the flaw is not remotely exploitable in isolation and can also affect cross-container isolation because the page cache is shared.
Show sources
- New Linux 'Copy Fail' Vulnerability Enables Root Access on Major Distributions — thehackernews.com — 30.04.2026 12:24
- New Linux ‘Copy Fail’ flaw gives hackers root on major distros — www.bleepingcomputer.com — 30.04.2026 16:54