
Linux Kernel Local Privilege Escalation via Copy Fail (CVE-2026-31431)

1 unique source, 1 article

Summary


A local privilege escalation vulnerability in the Linux kernel, tracked as CVE-2026-31431 and dubbed "Copy Fail," enables unprivileged local attackers to gain root access on all major Linux distributions since 2017. Exploitation leverages a logic bug in the kernel's cryptographic subsystem, specifically within the authencesn template, allowing a 4-byte write to the page cache of any readable file via the AF_ALG socket interface and splice() system call. This controlled write can modify setuid-root binaries, altering their execution to grant root privileges. The flaw was introduced in 2017 through an in-place optimization in the crypto path, which reused buffers instead of separating input and output. A 732-byte Python proof-of-concept exploit achieves 100% reliability across vulnerable versions, impacting kernel releases from 4.14 through 7.0. The vulnerability has been patched upstream by reverting the problematic optimization, but official advisories remain inconsistent across distributions.

Timeline

  1. 30.04.2026 16:54 · 1 article

    Linux Kernel Copy Fail (CVE-2026-31431) Exploit Publicly Released

    Public disclosure of CVE-2026-31431 occurred on April 29, 2026, alongside a 732-byte Python proof-of-concept exploit demonstrating 100% reliable root privilege escalation on all major Linux distributions since 2017. The vulnerability is rooted in a logic bug within the authencesn cryptographic template of the Linux kernel, enabling a 4-byte write to the page cache of any readable file via the AF_ALG socket interface and splice() system call. This controlled write can modify setuid-root binaries, leading to arbitrary code execution with root privileges. The exploit targets systems running kernels from 2017 to present, bypassing traditional mitigations due to its broad applicability. The upstream patch, released on April 1st, 2026, reverts the problematic in-place crypto optimization introduced in kernel version 4.14.


Information Snippets

  • CVE-2026-31431 is a local privilege escalation vulnerability in the Linux kernel, discovered by Theori using its AI-driven pentesting platform Xint Code, enabling root access for unprivileged users on systems running vulnerable kernels since 2017.

    First reported: 30.04.2026 16:54
    1 source, 1 article
  • The flaw stems from a logic bug in the kernel's authencesn cryptographic template, introduced in 2017 as part of an optimization that reused buffers in the crypto path, allowing a 4-byte write to the page cache of any readable file via AF_ALG and splice().

    First reported: 30.04.2026 16:54
    1 source, 1 article
  • A 732-byte Python exploit, described as 100% reliable, has been publicly released, demonstrating successful privilege escalation on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16, with coverage across all Linux distributions since 2017.

    First reported: 30.04.2026 16:54
    1 source, 1 article
  • The upstream patch for CVE-2026-31431, issued on April 1st, reverts the problematic in-place crypto behavior and is included in kernel versions 6.18.22, 6.19.12, and 7.0.

    First reported: 30.04.2026 16:54
    1 source, 1 article
  • As an interim measure for unpatched systems, mitigation recommendations include disabling the AF_ALG socket interface by disabling the algif_aead module (e.g., using /etc/modprobe.d/disable-algif.conf or rmmod algif_aead).

    First reported: 30.04.2026 16:54
    1 source, 1 article
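
One way to audit the interim mitigation and the fixed versions listed above, as an added example that is not code from the tracked article or from the kernel project. It assumes the modprobe.d file holds an `install algif_aead /bin/false` style line; the function names and state labels are hypothetical.

```shell
#!/bin/sh
# Added example (not from the tracked article): audit the interim mitigation.

# Classify a kernel release against the fixed upstream versions the page lists
# (6.18.22, 6.19.12, 7.0). Prints fixed | unfixed | unknown | predates.
# Vendor kernels backport fixes, so anything but "fixed" means "check the
# distribution advisory", not "confirmed vulnerable".
upstream_fix_status() {
  v=${1%%[!0-9.]*}                       # "6.18.21-generic" -> "6.18.21"
  major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
  case $rest in *.*) patch=${rest#*.}; patch=${patch%%.*} ;; *) patch=0 ;; esac
  : "${major:=0}" "${minor:=0}" "${patch:=0}"
  if [ "$major" -ge 7 ]; then echo fixed
  elif [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 14 ]; }; then
    echo predates                        # older than 4.14, where the page says the bug was introduced
  elif [ "$major" -eq 6 ] && [ "$minor" -eq 19 ]; then
    [ "$patch" -ge 12 ] && echo fixed || echo unfixed
  elif [ "$major" -eq 6 ] && [ "$minor" -eq 18 ]; then
    [ "$patch" -ge 22 ] && echo fixed || echo unfixed
  else echo unknown                      # page lists no fixed release for this branch
  fi
}

# True if algif_aead is loaded right now (file in /proc/modules format).
algif_aead_loaded() {
  grep -q '^algif_aead ' "${1:-/proc/modules}" 2>/dev/null
}

# True if an uncommented "install algif_aead /bin/false" style override exists.
# Assumption: that is what disable-algif.conf contains. A "blacklist" line alone
# only suppresses alias-based autoloading, so it is not counted here.
algif_aead_blocked() {
  grep -Eqs '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+(/usr)?/bin/(false|true)' \
    "${1:-/etc/modprobe.d}"/*.conf
}

# Combine the three checks. The modprobe.d override only stops future loads,
# so a module that is already loaded still counts as exposed until rmmod.
# Does not cover kernels with the AEAD interface built in rather than modular.
copyfail_mitigation_state() {   # args: release, modules file, modprobe.d dir
  fix=$(upstream_fix_status "$1")
  if [ "$fix" = fixed ] || [ "$fix" = predates ]; then echo "ok:$fix"
  elif algif_aead_loaded "$2"; then echo "exposed:module-loaded"
  elif algif_aead_blocked "$3"; then echo "mitigated:load-blocked"
  else echo "exposed:module-loadable"
  fi
}

copyfail_mitigation_state "$(uname -r)" /proc/modules /etc/modprobe.d
```

A result of `exposed:module-loaded` with the override file already in place means the module still has to be removed with rmmod or the host rebooted.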