Linux kernel Copy Fail local privilege escalation (CVE-2026-31431)
Vulnerability
Summary
Hide ▲
Show ▼
Researchers disclosed CVE-2026-31431, a Linux kernel local privilege-escalation flaw called Copy Fail that can let an unprivileged local user gain root. The bug sits in the kernel's algif_aead path and can be triggered by writing four controlled bytes into the page cache of a readable file. It affects essentially all Linux distributions shipped since 2017 and can also break cross-container isolation because the page cache is shared.
Related Happenings
Linux kernel GhostLock root privilege escalation (CVE-2026-43499)
Vulnerability
H score28
First: 08.07.2026 09:16
Last: 08.07.2026 09:16
Sources 1
About this happening:
Researchers disclosed **GhostLock (CVE-2026-43499)**, a **Linux kernel** use-after-free that can let a **logged-in local user** gain **full root control** on unpatched systems. Th...
Linux kernel GhostLock root privilege escalation (CVE-2026-43499)
VulnerabilityAbout this happening: Researchers disclosed **GhostLock (CVE-2026-43499)**, a **Linux kernel** use-after-free that can let a **logged-in local user** gain **full root control** on unpatched systems. Th...
Linux kernel Bad Epoll use-after-free privilege-escalation flaw (CVE-2026-46242)
Vulnerability
H score23
First: 03.07.2026 22:40
Last: 03.07.2026 22:40
Sources 1
About this happening:
**Bad Epoll (CVE-2026-46242)** is a newly disclosed **Linux kernel** use-after-free flaw that can let an **unprivileged local user** gain **root** on affected systems. It affects...
Linux kernel Bad Epoll use-after-free privilege-escalation flaw (CVE-2026-46242)
VulnerabilityAbout this happening: **Bad Epoll (CVE-2026-46242)** is a newly disclosed **Linux kernel** use-after-free flaw that can let an **unprivileged local user** gain **root** on affected systems. It affects...
Linux kernel DirtyClone privilege escalation (CVE-2026-43503)
Vulnerability
H score29
First: 26.06.2026 14:51
Last: 26.06.2026 14:51
Sources 1
About this happening:
**CVE-2026-43503** in the **Linux kernel** gives a local user a path to **root** on affected systems, including **multi-tenant servers**, **CI runners**, **container hosts**, and...
Linux kernel DirtyClone privilege escalation (CVE-2026-43503)
VulnerabilityAbout this happening: **CVE-2026-43503** in the **Linux kernel** gives a local user a path to **root** on affected systems, including **multi-tenant servers**, **CI runners**, **container hosts**, and...
CI/CD pull-request privilege-escalation flaw (Cordyceps)
Vulnerability
H score32
First: 24.06.2026 15:48
Last: 24.06.2026 15:48
Sources 1
About this happening:
**Cordyceps** exposed a **CI/CD workflow privilege-escalation flaw** in **pull-request automation** that let **unauthenticated users** hijack privileged workflows and reach open-s...
CI/CD pull-request privilege-escalation flaw (Cordyceps)
VulnerabilityAbout this happening: **Cordyceps** exposed a **CI/CD workflow privilege-escalation flaw** in **pull-request automation** that let **unauthenticated users** hijack privileged workflows and reach open-s...
Linux kernel CIFS subsystem CIFSwitch local privilege escalation privilege-escalation flaw
Vulnerability
H score31
First: 30.05.2026 17:16
Last: 30.05.2026 17:16
Sources 1
About this happening:
The **Linux kernel CIFS subsystem** has a disclosed **CIFSwitch** local privilege-escalation flaw that can let an **unprivileged local attacker** reach **root privileges** by abus...
Linux kernel CIFS subsystem CIFSwitch local privilege escalation privilege-escalation flaw
VulnerabilityAbout this happening: The **Linux kernel CIFS subsystem** has a disclosed **CIFSwitch** local privilege-escalation flaw that can let an **unprivileged local attacker** reach **root privileges** by abus...
Latest development: 01.06.2026 14:19
Major Linux distributions rolled out fixes for the CIFSwitch Linux kernel CIFS privilege-escalation flaw, and Manizada published PoC code to help defenders validate patches, mitigations, detections, and exposure. Linux Mint, CentOS, Rocky Linux, Kali Linux, AlmaLinux, and SLES SAP systems that ship cifs-utils by default are vulnerable, and some distros are vulnerable only if cifs-utils was manually installed.
Timeline
-
08.05.2026 08:12 1 articles · 2mo ago
Dirty Frag expands Copy Fail Linux kernel LPE analysis
Technical Analysis UpdateDirty Frag was described as an unpatched Linux kernel LPE that can give an unprivileged local user root on most Linux distributions by chaining xfrm-ESP Page-Cache Write and RxRPC Page-Cache Write, while the related Copy Fail issue was reported to Linux kernel maintainers on April 30, 2026 and has come under active exploitation in the wild. CloudLinx said the flaw sits in the ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path reachable via the XFRM user netlink interface, and the researcher said Dirty Frag can be triggered regardless of whether the algif_aead module is available; a working PoC was also released.
Show sources
- Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions — thehackernews.com — 08.05.2026 08:12
-
30.04.2026 16:54 1 articles · 2mo ago
Theori reports Copy Fail to kernel security team
Initial DisclosureTheori discovered CVE-2026-31431, the Copy Fail Linux kernel privilege-escalation bug, using its Xint Code platform and reported the finding to the Linux kernel security team on March 23, 2026.
Show sources
- New Linux ‘Copy Fail’ flaw gives hackers root on major distros — www.bleepingcomputer.com — 30.04.2026 16:54
-
30.04.2026 16:54 1 articles · 2mo ago
Upstream Linux kernel fix lands for Copy Fail
Mitigation Patch UpdateLinux kernel maintainers fixed CVE-2026-31431 by reverting the in-place crypto behavior introduced in 2017, and the fix was made available in releases 6.18.22, 6.19.12, and 7.0 on April 1, 2026.
Show sources
- New Linux ‘Copy Fail’ flaw gives hackers root on major distros — www.bleepingcomputer.com — 30.04.2026 16:54
-
30.04.2026 12:24 2 articles · 2mo ago
CVE-2026-31431 Copy Fail disclosed
Initial DisclosureCybersecurity researchers at Xint.io and Theori disclosed CVE-2026-31431, a high-severity Linux local privilege escalation flaw called Copy Fail in the Linux kernel's algif_aead module. An unprivileged local user can write four controlled bytes into the page cache of any readable file, use a 732-byte Python exploit to edit a setuid binary such as /usr/bin/su, and gain root on Linux distributions shipped since 2017; the flaw is not remotely exploitable in isolation and can also affect cross-container isolation because the page cache is shared.
Show sources
- New Linux 'Copy Fail' Vulnerability Enables Root Access on Major Distributions — thehackernews.com — 30.04.2026 12:24
- New Linux ‘Copy Fail’ flaw gives hackers root on major distros — www.bleepingcomputer.com — 30.04.2026 16:54
-
30.04.2026 12:24 2 articles · 2mo ago
CVE-2026-31431 Copy Fail disclosed
Initial DisclosureCybersecurity researchers at Xint.io and Theori disclosed CVE-2026-31431, a high-severity Linux local privilege escalation flaw called Copy Fail in the Linux kernel's algif_aead module. An unprivileged local user can write four controlled bytes into the page cache of any readable file, use a 732-byte Python exploit to edit a setuid binary such as /usr/bin/su, and gain root on Linux distributions shipped since 2017; the flaw is not remotely exploitable in isolation and can also affect cross-container isolation because the page cache is shared.
Show sources
- New Linux 'Copy Fail' Vulnerability Enables Root Access on Major Distributions — thehackernews.com — 30.04.2026 12:24
- New Linux ‘Copy Fail’ flaw gives hackers root on major distros — www.bleepingcomputer.com — 30.04.2026 16:54