An unprivileged user who can open a socket should not be able to rewrite /usr/bin/su and end up as root. That is exactly what CVE-2026-31431, named Copy Fail, allows. It is a local privilege escalation flaw in the Linux kernel’s algif_aead module, reported to the kernel security team on 23 March 2026.
What it is and where it comes from
algif_aead is part of the AF_ALG crypto API, the interface that exposes kernel algorithms to userspace programs through sockets. The bug traces back to an optimization added in 2017. To avoid copying data, the code allowed page-cache pages to be placed directly into a writable destination scatterlist. That shortcut, meant to save a copy and gain speed, opened the door for a process to write over pages that actually back system files.
The formal classification is CWE-669 (incorrect resource transfer between spheres), with a CVSS score of 7.8. It is not remote code execution, but “any local user” combined with “direct escalation to root” makes it serious.
How it is exploited
By chaining AF_ALG socket operations with splice(), an attacker gets a controlled 4-byte write into the page-cache copy of any file they can read; write permission on the file itself is not needed. Four bytes sounds like little, but placed well they are enough to corrupt a setuid binary such as su and open the path to a root shell. The same primitive gives a container escape: on Kubernetes nodes and CI/CD runners the containers share the host kernel, so the flaw works the same inside a container as on the host and lets an attacker break out of the isolation.
The mainline patch (commit a664bf3d603d, 1 April 2026) reverts that 2017 optimization. After disclosure, the vulnerability was added to CISA’s KEV catalog, with a public proof of concept available.
Who is affected
Almost any distribution shipping a kernel that carries the 2017 optimization and not yet the fix. Versions verified as vulnerable include Ubuntu 24.04 LTS (kernel 6.17 on AWS images), Amazon Linux 2023, RHEL 10.1 and SUSE 16. Ubuntu 26.04 and later are not affected. If you build your own kernel from mainline, check whether the exact version you run includes the revert (commit a664bf3d603d).
What to do
The first step is to update the kernel as soon as your distribution ships the fix. While you wait, two mitigations are reasonable:
- Disable the algif_aead module. Create /etc/modprobe.d/disable-algif.conf containing the line install algif_aead /bin/true so the module can no longer be loaded. This only blocks future loads: if algif_aead is already loaded, unload it or reboot, and if your kernel has the AEAD userspace interface built in (CONFIG_CRYPTO_USER_API_AEAD=y) rather than as a module, modprobe.d has no effect and only the kernel update helps. If a legitimate application uses AF_ALG, test it in staging first.
- In containers and on Kubernetes clusters, block AF_ALG socket creation with a seccomp policy that denies socket() calls whose address family is AF_ALG. Check that the profile you actually run carries such a rule rather than assuming the runtime default does. This is the most effective barrier against container escape.
Most workloads do not need AF_ALG at all, so disabling it rarely breaks anything. Even so, check your dependencies before applying it in production.
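Both mitigations can be checked from userspace. The C program below is an added example written for this article, not the kernel patch and not any distribution's tooling: afalg_aead_available() probes whether an AF_ALG socket can be bound to an "aead" algorithm (the capability the modprobe.d change is meant to remove), and build_afalg_filter() / install_afalg_seccomp_filter() build and apply a seccomp-BPF filter that returns EPERM from socket() when the family is AF_ALG, which is the rule a container seccomp profile would carry. The function names, the choice of gcm(aes) as the probe algorithm and the restriction to x86_64/aarch64 are this example's assumptions.

```c
// afalg_guard.c: probe whether AF_ALG "aead" sockets work on this host and
// install a seccomp-BPF filter that denies socket(AF_ALG, ...). Added example
// for this article; not the kernel patch and not any distribution's tooling.
// Build on Linux x86_64 or aarch64:  cc -O2 -Wall -o afalg_guard afalg_guard.c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/if_alg.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define GUARD_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define GUARD_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value (and check __NR_socket) for this architecture"
#endif

/* Probe for the modprobe.d mitigation. Returns 1 if an AF_ALG socket can be
 * bound to an "aead" algorithm (algif_aead loaded or autoloadable), 0 if the
 * kernel refuses (bind gives ENOENT when the module is absent or blocked, or
 * AF_ALG itself is unavailable), -1 on any other error. Assumption: gcm(aes)
 * exists on the host; if it does not, bind also fails with ENOENT. */
int afalg_aead_available(void)
{
    struct sockaddr_alg sa;
    int fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (fd < 0)
        return (errno == EAFNOSUPPORT || errno == EPERM) ? 0 : -1;
    memset(&sa, 0, sizeof(sa));
    sa.salg_family = AF_ALG;
    strcpy((char *)sa.salg_type, "aead");     /* the type algif_aead serves */
    strcpy((char *)sa.salg_name, "gcm(aes)"); /* assumed to be present */
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof(sa));
    int err = errno;
    close(fd);
    if (rc == 0)
        return 1;
    return err == ENOENT ? 0 : -1;
}

/* Builds the seccomp-BPF program: kill on a foreign syscall ABI, return EPERM
 * from socket() when args[0] == AF_ALG, allow everything else. Writes into
 * out and returns the instruction count, or -1 if cap is too small. */
int build_afalg_filter(struct sock_filter *out, size_t cap)
{
    const struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, GUARD_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),
        /* low 32 bits of args[0] (little-endian hosts); AF_* values fit there */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_ALG, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    size_t n = sizeof(prog) / sizeof(prog[0]);
    if (cap < n)
        return -1;
    memcpy(out, prog, sizeof(prog));
    return (int)n;
}

/* Applies the filter to the calling process and everything it later execs.
 * A container runtime applies the same rule from its seccomp profile at
 * container start; this self-applied form is for testing the policy. */
int install_afalg_seccomp_filter(void)
{
    struct sock_filter insns[16];
    int n = build_afalg_filter(insns, sizeof(insns) / sizeof(insns[0]));
    if (n < 0) {
        errno = EINVAL;
        return -1;
    }
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    /* Required for an unprivileged process to install a filter; it also makes
     * setuid execs run without gaining privilege, which is welcome here. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    printf("AF_ALG aead reachable before filter: %d\n", afalg_aead_available());
    if (install_afalg_seccomp_filter() != 0) {
        perror("install_afalg_seccomp_filter");
        return 1;
    }
    int alg = socket(AF_ALG, SOCK_SEQPACKET, 0);
    printf("socket(AF_ALG) after filter: %s\n", alg < 0 ? strerror(errno) : "allowed");
    return 0;
}
```

Run the binary before and after writing the modprobe.d file (and unloading the module): the probe should go from 1 to 0. With install algif_aead /bin/true in place, the kernel's module request still "succeeds" because /bin/true exits 0, but nothing is loaded, so bind fails with ENOENT and the probe reports 0. The filter checks the low 32 bits of the first socket() argument; that is enough for AF_* values on little-endian x86_64 and aarch64, which is why the example refuses to build elsewhere.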
Source
- CERT-EU / Red Hat — High Vulnerability in the Linux Kernel (Copy Fail): https://cert.europa.eu/publications/security-advisories/2026-005/
- NVD — CVE-2026-31431: https://nvd.nist.gov/vuln/detail/CVE-2026-31431