
CVE-2026-31431 Grants Local Root via Linux Page Cache Write

A logic bug in the Linux kernel's userspace crypto API lets unprivileged local users gain root on every major distribution, on kernels dating back to 2017.

Security researchers from Theori and Xint Code have publicly disclosed a high-severity local privilege escalation vulnerability in the Linux kernel that lets an unprivileged local user take over the system as root. Tracked as CVE-2026-31431 and nicknamed Copy Fail, the logic flaw affects virtually every major Linux distribution running kernels from version 4.14 through 7.0-rc7.

The exploit is highly reliable and needs no specialized tooling: a 732-byte Python proof-of-concept script released alongside the disclosure works out of the box on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16.

Page Cache Memory Writes

The exploit targets the algif_aead module, the Authenticated Encryption with Associated Data (AEAD) socket interface of the Linux kernel's userspace crypto API (the AF_ALG socket family). In August 2017, kernel commit 72548b093ee3 introduced an in-place performance optimization for this module.

That optimization inadvertently lets data be written directly into the kernel's page cache. By combining an AF_ALG socket operation with the splice() system call, an attacker obtains a controlled 4-byte write into any page-cache-backed file they can open for reading. Root-owned setuid binaries qualify, since they are normally readable by everyone but writable by no one, and because the page cache holds the single in-memory copy of a file that every process maps, the next execution of a patched binary runs the modified code.

Attackers use this primitive against setuid binaries such as /usr/bin/su or /usr/bin/sudo, patching out the password check and then running the binary to obtain a root shell. The modification lives only in RAM: the bytes on disk never change, so the stored binary still matches its known-good hash, and standard File Integrity Monitoring (FIM) and other disk-based detection systems see nothing wrong. Only a check that reads the file through the page cache while the patched page is still resident can observe the change; once the page is evicted, the tampering and the evidence of it disappear together.
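One check that follows directly from the page-cache-only nature of the write, added here as an example and not part of the disclosure or its proof of concept: hash each setuid binary twice, once through the normal read path and once with O_DIRECT, which bypasses the page cache, and flag any file whose two views differ. The script assumes a dd that accepts iflag=direct (GNU coreutils or busybox) and sha256sum; the copyfail-check.sh file name is my choice.

```shell
#!/bin/sh
# copyfail-check.sh: added example, not part of the Copy Fail disclosure or its
# proof of concept. A Copy Fail write lands in the page cache and is never written
# back, so while the tampered page is resident a normal read() returns the patched
# bytes but an O_DIRECT read, which bypasses the cache, still returns the on-disk file.
# Assumes a dd that accepts iflag=direct (GNU coreutils or busybox) and sha256sum.

# Hash the file the way ordinary readers and the program loader see it.
cached_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Hash the file as stored on disk. O_DIRECT transfers must be block aligned,
# so read in 4096-byte units; the final short read covers the tail of the file.
direct_hash() {
    dd if="$1" iflag=direct bs=4096 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Prints match, MISMATCH, or unsupported (the filesystem rejects O_DIRECT, as
# tmpfs does). Returns 1 only for MISMATCH.
compare_views() {
    f=$1
    # Probe O_DIRECT on its own first: a failing dd inside the hash pipeline
    # would hash an empty stream and be reported as a false MISMATCH.
    if ! dd if="$f" iflag=direct bs=4096 count=1 of=/dev/null 2>/dev/null; then
        echo unsupported
        return 0
    fi
    if [ "$(cached_hash "$f")" = "$(direct_hash "$f")" ]; then
        echo match
        return 0
    fi
    echo MISMATCH
    return 1
}

# The files the exploit patches in memory: setuid binaries under the given dirs.
list_setuid() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null
}

# One line per setuid binary: "<match|MISMATCH|unsupported> <path>".
scan_setuid() {
    # Flush legitimately dirty pages first, so that a pending write to one of
    # these files is not reported as tampering.
    sync
    list_setuid "$@" | while IFS= read -r bin; do
        printf '%s %s\n' "$(compare_views "$bin")" "$bin"
    done
}

# Usage: sh copyfail-check.sh | grep MISMATCH
case "${0##*/}" in
    copyfail-check.sh) scan_setuid /usr/bin /usr/sbin /bin /sbin ;;
esac
```

A MISMATCH is only observable while the patched page is resident, so the scan is worth scheduling frequently rather than once; dropping caches evicts the evidence along with the tampering. Filesystems that reject O_DIRECT (tmpfs among them) are reported as unsupported rather than clean, and the `sync` at the start avoids reporting a file that is merely being written as patched.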

Impact on Shared Workloads

Copy Fail is an acute threat to environments that execute untrusted code. Because containers share the host kernel, the bug is reachable from inside one, and the researchers demonstrated a container escape using the exploit that gave the attacker root on the underlying host.

If you run multi-tenant agents or shared CI/CD pipelines, a build runner compromised through a malicious pull request can pivot to full control of the host. Windows Subsystem for Linux (WSL2), which runs a real Linux kernel, is also confirmed vulnerable.

Patch Status and Mitigation

The vulnerability was privately reported on March 23, 2026, and upstream patches were merged into the mainline kernel on April 1, 2026 via commit a664bf3d603d. Fixes are available in kernels 7.0, 6.19.12, 6.18.12, 6.12.85, and 6.6.137.

Despite upstream availability, many distribution maintainers had not yet pushed updates to their stable repositories at the time of disclosure, so end users were still waiting for official packages. Note that distribution kernels backport fixes without adopting the upstream version numbers above, so check your vendor's advisory for CVE-2026-31431 rather than comparing uname -r against that list.

If you cannot update the kernel immediately, block the vulnerable module entirely. Create a file such as /etc/modprobe.d/disable-algif_aead.conf containing install algif_aead /bin/false, which makes both a manual modprobe and the automatic load triggered by opening an AF_ALG aead socket fail, then unload the module with rmmod algif_aead (this fails with "module is in use" while any process still holds such a socket; find and stop that process first). If the module is compiled into the kernel (CONFIG_CRYPTO_USER_API_AEAD=y in your kernel config), modprobe.d has no effect: add initcall_blacklist=algif_aead_init (the module's init function) to the kernel command line and reboot, or use Seccomp or AppArmor profiles to deny untrusted workloads the creation of AF_ALG sockets (address family 38) in the first place.
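The triage and mitigation steps above, gathered into one script as an added example that is not from the disclosure or any distribution's advisory. It assumes the running kernel's config is at /boot/config-$(uname -r) (any other path can be passed in), that the version check is applied to upstream version strings only, and that the module's init function is algif_aead_init as in crypto/algif_aead.c; the copyfail-mitigate.sh and disable-algif_aead.conf file names are my choice.

```shell
#!/bin/sh
# copyfail-mitigate.sh: added example, not from the disclosure or a distribution
# advisory. Assumes the running kernel's config is at /boot/config-$(uname -r)
# (pass another path to aead_build_state) and that algif_aead's init function is
# algif_aead_init, as in crypto/algif_aead.c; verify against your System.map.

# Classify an upstream kernel version against the fixed releases named in the
# disclosure (7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137). Distribution kernels
# backport fixes without changing these numbers, so for them read the vendor
# advisory instead. Prints: fixed | vulnerable | unknown | below-range
classify_upstream_kernel() {
    ver=$1
    case $ver in *-rc*) rc=1 ;; *) rc=0 ;; esac
    base=${ver%%-*}                  # drop -rcN, -generic and other suffixes
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    if [ "$rest" = "$minor" ]; then patch=0; else patch=${rest#*.}; fi
    patch=$(printf '%s' "$patch" | sed 's/[^0-9].*//')
    [ -n "$patch" ] || patch=0

    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 14 ]; }; then
        echo below-range; return     # predates the August 2017 optimization
    fi
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -gt 0 ]; }; then
        echo fixed; return
    fi
    if [ "$major" -eq 7 ]; then      # 7.0 final carries the fix, 7.0-rcN does not
        if [ "$rc" -eq 1 ]; then echo vulnerable; else echo fixed; fi
        return
    fi
    if [ "$major" -ne 6 ]; then      # 4.14 .. 5.x: in range, but no fixed release named
        echo unknown; return
    fi
    case $minor in
        19) need=12 ;; 18) need=12 ;; 12) need=85 ;; 6) need=137 ;;
        *)  echo unknown; return ;;  # 6.x branch with no fixed release named
    esac
    if [ "$patch" -ge "$need" ]; then echo fixed; else echo vulnerable; fi
}

# How algif_aead is built: absent | module | builtin
aead_build_state() {
    cfg=${1:-/boot/config-$(uname -r)}
    if grep -q '^CONFIG_CRYPTO_USER_API_AEAD=m' "$cfg"; then echo module
    elif grep -q '^CONFIG_CRYPTO_USER_API_AEAD=y' "$cfg"; then echo builtin
    else echo absent
    fi
}

# True when the module is loaded right now.
aead_loaded() {
    grep -q '^algif_aead ' /proc/modules
}

# modprobe.d fragment. The install line makes both an explicit modprobe and the
# autoload that opening an AF_ALG "aead" socket triggers run /bin/false instead.
modprobe_blacklist_conf() {
    printf 'install algif_aead /bin/false\n'
}

# Kernel command line addition for a built-in module, where modprobe.d cannot help.
builtin_boot_param() {
    printf 'initcall_blacklist=algif_aead_init\n'
}

# Apply the mitigation for the running system (needs root).
mitigate() {
    echo "kernel $(uname -r): $(classify_upstream_kernel "$(uname -r)") by upstream numbering"
    case $(aead_build_state) in
        module)
            modprobe_blacklist_conf > /etc/modprobe.d/disable-algif_aead.conf
            # rmmod reports "in use" while any process holds an AEAD AF_ALG socket;
            # the install line still stops every later load.
            if aead_loaded; then rmmod algif_aead; fi
            ;;
        builtin)
            echo "algif_aead is built in: add '$(builtin_boot_param)' to the kernel command line and reboot"
            echo "check the initcall name first: grep algif_aead_init /boot/System.map-$(uname -r)"
            ;;
        absent)
            echo "CONFIG_CRYPTO_USER_API_AEAD is not set: algif_aead is not present"
            ;;
    esac
}

# Usage: sudo sh copyfail-mitigate.sh --apply
case "${1:-}" in
    --apply) mitigate ;;
esac
```

The version classifier deliberately answers "unknown" for the 4.14 to 5.x range and for 6.x branches the disclosure names no fixed release for, rather than guessing; those systems are in the affected range and need the vendor advisory. For untrusted workloads on a kernel you cannot change, the equivalent policy control is a seccomp rule that returns EPERM from socket(2) whenever its first argument is AF_ALG (38), which Docker's seccomp profile format expresses as an `args` condition on the `socket` syscall.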
