
OSG-SEC-2026-04-30 IMPORTANT Linux Kernel Copy Fail LPE Vulnerability

Dear OSG Security Contacts,

A critical local privilege escalation vulnerability (CVE-2026-31431), known as “Copy Fail,” has been identified in the Linux kernel. This issue allows an unprivileged local user to easily gain root privileges due to a logic flaw in the kernel crypto API. Public proof-of-concept (PoC) exploit code is available and demonstrates reliable exploitation across multiple Linux distributions.

IMPACTED VERSIONS:

Linux kernels built between 2017 and the upstream patch (April 2026) are affected. This includes most mainstream distributions unless updated with vendor-provided fixes.

WHAT ARE THE VULNERABILITIES:

“Copy Fail” is a logic flaw in the Linux kernel’s algif_aead implementation (AF_ALG interface), which can be exploited using splice() to overwrite page cache contents of privileged binaries.
- Local privilege escalation from an unprivileged user to root
- Reliable exploitation without race conditions or kernel-specific offsets
- Cross-environment impact, including shared systems and containerized workloads
- The vulnerability requires only a local user account and does not depend on special configurations. In demonstrated scenarios, the same exploit code successfully achieves root access across multiple Linux distributions.
- In most cases, exploitation modifies in-memory state such that subsequent use of privileged binaries (e.g., su) can result in unauthorized root access without authentication for any other user on the system.
- One indicator of active exploitation is a process-table entry with an empty command line, which appears in the output of ps as a '?'. This can be searched for with the command ps aux | grep '?$'. More specifically, the 'cmdline' file under /proc/<pid>/ for that process will be empty.
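
The following check is an added example, not part of this advisory or of the referenced repositories. It walks a /proc tree for processes whose cmdline is empty and goes one step beyond the ps one-liner above: kernel threads and zombie processes also have an empty cmdline, so it excludes them using the state field and the PF_KTHREAD flag from /proc/<pid>/stat to cut false positives. The function names, the sample tree and its pids are assumptions constructed for the demonstration.

```python
"""Scan a /proc tree for user-space processes with an empty cmdline.
Kernel threads and zombies also have one, so they are filtered out via
/proc/<pid>/stat (state field, PF_KTHREAD flag); sample tree is constructed."""
import tempfile
from pathlib import Path

PF_KTHREAD = 0x00200000  # task flag set on kernel threads (include/linux/sched.h)

def parse_stat(stat_text):
    """Return (comm, state, flags); comm may hold spaces or ')', so split at the last ')'."""
    end = stat_text.rindex(")")
    comm = stat_text[stat_text.index("(") + 1:end]
    rest = stat_text[end + 2:].split()
    return comm, rest[0], int(rest[6])  # state is stat field 3, flags is field 9

def find_empty_cmdline(proc_root="/proc"):
    """Sorted [(pid, comm)] of empty-cmdline processes, excluding kernel threads and zombies."""
    hits = []
    for p in Path(proc_root).iterdir():
        if not p.name.isdigit():
            continue
        try:
            cmdline = (p / "cmdline").read_bytes()
            comm, state, flags = parse_stat((p / "stat").read_text())
        except OSError:
            continue  # process exited mid-scan or is not readable
        if cmdline.strip(b"\0") or state == "Z" or flags & PF_KTHREAD:
            continue
        hits.append((int(p.name), comm))
    return sorted(hits)

def build_sample_tree(root):
    """Write a constructed /proc-like tree: a kernel thread, a zombie, a normal
    shell, and one suspicious empty-cmdline process (hypothetical pids)."""
    samples = {  # pid: (cmdline bytes, leading fields of the stat line)
        "2": (b"", "2 (kthreadd) S 0 0 0 0 -1 2129984 0 0 0"),
        "1234": (b"", "1234 (defunct) Z 1 1234 1234 0 -1 4194308 0 0 0"),
        "4321": (b"bash\0", "4321 (bash) S 1 4321 4321 34816 4321 4194560 0 0 0"),
        "9999": (b"", "9999 (su) S 4321 9999 9999 34816 9999 4194560 0 0 0"),
    }
    for pid, (cmdline, stat) in samples.items():
        Path(root, pid).mkdir()
        Path(root, pid, "cmdline").write_bytes(cmdline)
        Path(root, pid, "stat").write_text(stat + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print("sample tree:", find_empty_cmdline(tmp))  # [(9999, 'su')]
    print("live /proc:", find_empty_cmdline())
```

A hit on a live system is a lead, not proof: compare it with the ps output and the incident response steps below before acting on it.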

WHAT YOU SHOULD DO:

Update system kernel to a version that includes the fix for CVE-2026-31431 (mainline commit a664bf3d603d or distribution-provided equivalent).

If patches are not yet available, disable the vulnerable algif_aead functionality:
- On Debian-based systems, unload and blacklist the algif_aead module.
- On RHEL-based systems, disable it via the kernel parameter initcall_blacklist=algif_aead_init and reboot.

For systems running untrusted workloads (e.g., containers, CI, multi-user environments), restrict AF_ALG socket access (e.g., via seccomp or BPF filters).
Prioritize patching and mitigation on shared systems, CI/CD infrastructure, and container platforms where unprivileged users have access.
As a temporary risk-reduction measure, consider limiting unprivileged user access on shared systems (e.g., SSH, HTCondor jobs, and other batch or scheduled workloads) until mitigations or patches are applied.
If exploitation is suspected, follow your security incident response process and then reboot the affected systems to clear potentially corrupted in-memory state (page cache).
After mitigation, it is recommended to audit system accounts and search for rootkits or new suid binaries that may have been installed. If you aren't already, it is recommended that you perform these checks on a regular basis.

REFERENCES:

[1] https://copy.fail/
[2] https://github.com/theori-io/copy-fail-CVE-2026-31431
[3] https://gitlab.cern.ch/ComputerSecurity/mitigations/cve-2026-31431
[4] https://nvd.nist.gov/vuln/detail/CVE-2026-31431

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team