Find notable cyber news and cases, enriched with sources, timelines, and signals.

Linux kernel Copy Fail local privilege escalation (CVE-2026-31431)

Vulnerability
First reported
Last updated
Happening score
H score 33
2 unique sources, 3 articles

Summary

Hide ▲

Researchers disclosed CVE-2026-31431, a Linux kernel local privilege-escalation flaw called Copy Fail that can let an unprivileged local user gain root. The bug sits in the kernel's algif_aead path and can be triggered by writing four controlled bytes into the page cache of a readable file. It affects essentially all Linux distributions shipped since 2017 and can also break cross-container isolation because the page cache is shared.

Related Happenings

Linux kernel GhostLock root privilege escalation (CVE-2026-43499)

Vulnerability
H score28 First: 08.07.2026 09:16 Last: 08.07.2026 09:16 Sources 1

About this happening: Researchers disclosed **GhostLock (CVE-2026-43499)**, a **Linux kernel** use-after-free that can let a **logged-in local user** gain **full root control** on unpatched systems. Th...

Linux kernel Bad Epoll use-after-free privilege-escalation flaw (CVE-2026-46242)

Vulnerability
H score23 First: 03.07.2026 22:40 Last: 03.07.2026 22:40 Sources 1

About this happening: **Bad Epoll (CVE-2026-46242)** is a newly disclosed **Linux kernel** use-after-free flaw that can let an **unprivileged local user** gain **root** on affected systems. It affects...

Linux kernel DirtyClone privilege escalation (CVE-2026-43503)

Vulnerability
H score29 First: 26.06.2026 14:51 Last: 26.06.2026 14:51 Sources 1

About this happening: **CVE-2026-43503** in the **Linux kernel** gives a local user a path to **root** on affected systems, including **multi-tenant servers**, **CI runners**, **container hosts**, and...

CI/CD pull-request privilege-escalation flaw (Cordyceps)

Vulnerability
H score32 First: 24.06.2026 15:48 Last: 24.06.2026 15:48 Sources 1

About this happening: **Cordyceps** exposed a **CI/CD workflow privilege-escalation flaw** in **pull-request automation** that let **unauthenticated users** hijack privileged workflows and reach open-s...

Linux kernel CIFS subsystem CIFSwitch local privilege escalation privilege-escalation flaw

Vulnerability
H score31 First: 30.05.2026 17:16 Last: 30.05.2026 17:16 Sources 1

About this happening: The **Linux kernel CIFS subsystem** has a disclosed **CIFSwitch** local privilege-escalation flaw that can let an **unprivileged local attacker** reach **root privileges** by abus...

Latest development: 01.06.2026 14:19

Major Linux distributions rolled out fixes for the CIFSwitch Linux kernel CIFS privilege-escalation flaw, and Manizada published PoC code to help defenders validate patches, mitigations, detections, and exposure. Linux Mint, CentOS, Rocky Linux, Kali Linux, AlmaLinux, and SLES SAP systems that ship cifs-utils by default are vulnerable, and some distros are vulnerable only if cifs-utils was manually installed.

Timeline

  1. 08.05.2026 08:12 1 articles · 2mo ago

    Dirty Frag expands Copy Fail Linux kernel LPE analysis

    Technical Analysis Update

    Dirty Frag was described as an unpatched Linux kernel LPE that can give an unprivileged local user root on most Linux distributions by chaining xfrm-ESP Page-Cache Write and RxRPC Page-Cache Write, while the related Copy Fail issue was reported to Linux kernel maintainers on April 30, 2026 and has come under active exploitation in the wild. CloudLinx said the flaw sits in the ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path reachable via the XFRM user netlink interface, and the researcher said Dirty Frag can be triggered regardless of whether the algif_aead module is available; a working PoC was also released.

    Show sources
  2. 30.04.2026 16:54 1 articles · 2mo ago

    Theori reports Copy Fail to kernel security team

    Initial Disclosure

    Theori discovered CVE-2026-31431, the Copy Fail Linux kernel privilege-escalation bug, using its Xint Code platform and reported the finding to the Linux kernel security team on March 23, 2026.

    Show sources
  3. 30.04.2026 16:54 1 articles · 2mo ago

    Upstream Linux kernel fix lands for Copy Fail

    Mitigation Patch Update

    Linux kernel maintainers fixed CVE-2026-31431 by reverting the in-place crypto behavior introduced in 2017, and the fix was made available in releases 6.18.22, 6.19.12, and 7.0 on April 1, 2026.

    Show sources
  4. 30.04.2026 12:24 2 articles · 2mo ago

    CVE-2026-31431 Copy Fail disclosed

    Initial Disclosure

    Cybersecurity researchers at Xint.io and Theori disclosed CVE-2026-31431, a high-severity Linux local privilege escalation flaw called Copy Fail in the Linux kernel's algif_aead module. An unprivileged local user can write four controlled bytes into the page cache of any readable file, use a 732-byte Python exploit to edit a setuid binary such as /usr/bin/su, and gain root on Linux distributions shipped since 2017; the flaw is not remotely exploitable in isolation and can also affect cross-container isolation because the page cache is shared.

    Show sources
  5. 30.04.2026 12:24 2 articles · 2mo ago

    CVE-2026-31431 Copy Fail disclosed

    Initial Disclosure

    Cybersecurity researchers at Xint.io and Theori disclosed CVE-2026-31431, a high-severity Linux local privilege escalation flaw called Copy Fail in the Linux kernel's algif_aead module. An unprivileged local user can write four controlled bytes into the page cache of any readable file, use a 732-byte Python exploit to edit a setuid binary such as /usr/bin/su, and gain root on Linux distributions shipped since 2017; the flaw is not remotely exploitable in isolation and can also affect cross-container isolation because the page cache is shared.

    Show sources