Copy Fail (CVE-2026-31431): Frequently asked questions about Linux kernel privilege escalation vulnerability
A flaw in the Linux kernel present since 2017 allows a local user to gain root access on virtually every major Linux distribution. A public exploit is available and reported to work reliably.
Key Takeaways
- CVE-2026-31431 is a high severity local privilege escalation vulnerability in the Linux kernel reportedly affecting virtually every major distribution released since 2017.
- A public exploit is available and reported to be reliable, drawing comparisons to previous high-profile Linux kernel privilege escalation flaws.
- Patched kernel versions are available, though some major distributions have not yet shipped updates.
Background
Tenable's Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding CVE-2026-31431, a Linux kernel local privilege escalation vulnerability dubbed "Copy Fail."
FAQ
When was Copy Fail first disclosed?
On March 23, researcher Taeyang Lee of Theori reported the vulnerability to the Linux kernel security team. The flaw was discovered in part using Theori's AI-assisted security scanning tool, Xint Code. A mainline patch was committed on April 1, CVE-2026-31431 was assigned on April 22 and public disclosure occurred on April 29.
What is CVE-2026-31431?
CVE-2026-31431 is a local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem. It was assigned a CVSSv3 score of 7.8.
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2026-31431 | Linux Kernel Local Privilege Escalation Vulnerability | 7.8 |
The flaw allows a local user to modify the kernel's cached copy of a file in memory without changing the file on disk. By targeting a privileged binary, an attacker can gain root access. Because the modification exists only in the page cache, the underlying file on disk remains unchanged. Standard disk forensics would not detect the alteration, and clearing memory through a reboot or resource pressure causes the cache to reload from the original file. For a detailed technical breakdown, refer to the Xint Code blog post.
Everyone focuses on memory corruption bugs in the Linux kernel, but we shouldn’t overlook logical bugs. https://t.co/PrSI435i35
— 5unkn0wn (@5unKn0wn) April 30, 2026
How does Copy Fail compare to Dirty Cow and Dirty Pipe?
Copy Fail has drawn comparisons to two other well-known Linux kernel privilege escalation vulnerabilities: Dirty Cow (CVE-2016-5195) and Dirty Pipe (CVE-2022-0847). Both are in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.
Dirty Cow relied on a race condition, which meant exploitation could fail or require multiple attempts. Dirty Pipe had constraints around how data could be written and where in a file it could be modified. Copy Fail reportedly works consistently across distributions without relying on a race condition or write-position constraints.
How severe is CVE-2026-31431?
Any local user on a system running a vulnerable kernel can exploit this flaw to gain root access. The exploit uses kernel features that are enabled by default on most distributions and does not require special privileges or configuration.
The highest risk environments are those where multiple users or workloads share a Linux kernel: cloud and multi-tenant systems, container clusters and CI/CD pipelines that run untrusted code. Because the exploit targets the kernel's shared file cache, it can also cross container boundaries. On single-user systems, the risk is lower since an attacker would already need local access.
Which Linux distributions are affected?
Any Linux distribution shipping kernel 4.14 or later is affected. The vulnerability was introduced in 2017 and persisted across nearly a decade of kernel releases. Distribution patch status as of April 30:
| Distribution | Patch Status |
|---|---|
| Ubuntu | Patching |
| SUSE | Patching |
| Red Hat | Patching |
| Debian | Vulnerable |
| Amazon Linux | Vulnerable |
| Arch Linux | Patched |
Is there a proof-of-concept (PoC) available?
Yes. A public PoC was released on GitHub alongside the disclosure. The exploit is a short Python script that modifies a privileged binary in memory and then executes it to obtain root. It is reported to work reliably without requiring multiple attempts or precise timing.
Are there other vulnerabilities related to Copy Fail?
According to Theori, the same research effort that uncovered Copy Fail found additional security flaws in the kernel, at least one of which is also a privilege escalation issue. Those findings remain under coordinated disclosure. This blog will be updated if and when additional information becomes available.
Are patches or mitigations available?
Patched kernel versions have been released:
| Affected Kernel Version Range | Fixed Kernel Version |
|---|---|
| 4.14 | N/A |
| 5.10.* | 5.10.254 |
| 5.15.* | 5.15.204 |
| 6.1.* | 6.1.170 |
| 6.6.* | 6.6.137 |
| 6.12.* | 6.12.85 |
| 6.18.* | 6.18.22 |
| 6.19.12 | 6.19.12 |
| >7.0 | 7.0 |
The fix removes the 2017 optimization that allowed the vulnerability, restoring a safer separation between read and write operations in the kernel's crypto interface.
For systems where an immediate kernel update is not feasible, two workarounds are available depending on kernel configuration.
If the module is loaded dynamically (CONFIG_CRYPTO_USER_API_AEAD=m):
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true
If the module is compiled into the kernel (CONFIG_CRYPTO_USER_API_AEAD=y), which is the case on some enterprise kernels, the above will not work. Contributors on the oss-security mailing list have reported that adding the following to the kernel boot parameters and rebooting blocks the exploit:
initcall_blacklist=algif_aead_init
Discussion on the oss-security mailing list has also identified several userspace applications that use the affected kernel interface, including, but not limited to, cryptsetup and firefox-esr. In practice, initial testing by contributors on the thread has not caused these applications to fail, but the impact may vary by workload. Testing in a non-production environment before deploying either workaround is advisable.
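To apply the fixed-version table and pick between the two workarounds on a given host, the following is an added example (not code from Tenable, Theori or the kernel project). The function names and the /boot/config-<release> path are assumptions. It compares upstream version numbers only, so a distribution kernel that backports the fix can still report as below the fix.

```sh
#!/bin/sh
# Added example (not Tenable's or the kernel project's code). Compares upstream
# version numbers only: distribution kernels backport fixes without changing the
# upstream version, so treat "below-fix" as a prompt to check the vendor advisory.

# First fixed release per stable branch, copied from the table above.
fixed_for_branch() {
    case "$1" in
        4.14) echo none ;;          # table lists no fixed release
        5.10) echo 5.10.254 ;;
        5.15) echo 5.15.204 ;;
        6.1)  echo 6.1.170 ;;
        6.6)  echo 6.6.137 ;;
        6.12) echo 6.12.85 ;;
        6.18) echo 6.18.22 ;;
        6.19) echo 6.19.12 ;;
        *)    return 1 ;;
    esac
}

# kernel_status RELEASE -> fixed | below-fix | no-fix | unlisted
kernel_status() {
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; minor=${minor%%[!0-9]*}
    case "$rest" in *.*) patch=${rest#*.}; patch=${patch%%[!0-9]*} ;; *) patch= ;; esac
    patch=${patch:-0}
    case "$major" in ''|*[!0-9]*) echo unlisted; return ;; esac
    [ "$major" -ge 7 ] && { echo fixed; return; }
    fixed=$(fixed_for_branch "$major.$minor") || { echo unlisted; return; }
    [ "$fixed" = none ] && { echo no-fix; return; }
    if [ "$patch" -ge "${fixed##*.}" ]; then echo fixed; else echo below-fix; fi
}

# aead_build_mode CONFIG_FILE -> module | builtin | absent | unknown
aead_build_mode() {
    [ -r "$1" ] || { echo unknown; return; }
    case "$(grep '^CONFIG_CRYPTO_USER_API_AEAD=' "$1" || true)" in
        *=m) echo module ;;   # modprobe.d install rule plus rmmod applies
        *=y) echo builtin ;;  # needs initcall_blacklist=algif_aead_init and a reboot
        *)   echo absent ;;   # interface not built for this kernel
    esac
}

# Report for the running host; /boot/config-<release> is an assumed config location.
rel=$(uname -r)
printf '%s: kernel=%s algif_aead=%s\n' "$rel" \
    "$(kernel_status "$rel")" "$(aead_build_mode "/boot/config-$rel")"
```

A result of `unlisted` means the branch does not appear in the table, and `unknown` means the config file could not be read; neither indicates the host is safe.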
Historical exploitation of Linux kernel vulnerabilities
The Linux kernel has a long history as a target for privilege escalation attacks. CISA's KEV catalog contains over 20 entries for Linux kernel flaws, including the two flaws most commonly compared to Copy Fail:
| CVE | Description | Date Added to KEV | Known Ransomware Use |
|---|---|---|---|
| CVE-2016-5195 | Linux Kernel Race Condition (Dirty Cow) | 2022-03-03 | Unknown |
| CVE-2022-0847 | Linux Kernel Improper Initialization (Dirty Pipe) | 2022-04-25 | Unknown |
As of April 30, CVE-2026-31431 is not listed in the KEV catalog.
Has Tenable Research classified this as part of Vulnerability Watch?
Yes, we classified CVE-2026-31431 as a Vulnerability of Interest under Vulnerability Watch due to the availability of a public proof-of-concept exploit and historical exploitation of similar Linux kernel vulnerabilities like Dirty Cow and Dirty Pipe that were exploited in the wild.
Has Tenable released any product coverage for this vulnerability?
A list of Tenable plugins for this vulnerability can be found on the CVE-2026-31431 page as they're released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Get more information
- Copy Fail Advisory
- Xint Code Blog: Copy Fail Linux Distributions
- The Register: Linux Cryptographic Code Flaw
- oss-security: CVE-2026-31431 Disclosure