Vulnerabilities

Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years

6 min read

Executive Summary

On April 29, 2026, researchers publicly disclosed a highly reliable local privilege escalation (LPE) vulnerability tracked as CVE-2026-31431. This vulnerability is commonly referred to as Copy Fail. Discovered in about an hour through an AI-assisted process, this logic flaw allows an unprivileged local attacker to consistently escalate their access to root across virtually all major Linux distributions released since 2017.

Unlike many kernel vulnerabilities, this logic flaw is deterministic, meaning it does not rely on race conditions or specific kernel offsets. A single 732-byte Python script can successfully exploit it without any modification across different Linux distributions.

The vulnerability originates in the Linux kernel's cryptographic subsystem, specifically within the algif_aead module of the AF_ALG interface (a user space crypto API). Rather than a single coding error, the flaw resulted from a combination of three independent updates:

The addition of the authencesn algorithm in 2011
The AF_ALG interface gaining AEAD support in 2015
A fatal in-place optimization introduced in 2017

During cryptographic operations, an in-place optimization bug causes the algorithm to use the destination buffer improperly, writing four controlled bytes past the legitimate region directly into the system's file page cache. Impacted versions include Linux kernels between 4.14 and 6.19.12.

This vulnerability affects millions of systems running mainstream distributions such as Ubuntu, Amazon Linux, Red Hat Enterprise Linux, Debian, SUSE and AlmaLinux. An attacker with standard local access can exploit this vulnerability to maliciously modify the in-memory cache of privileged executable files (like su or sudo) without alerting integrity checks, as the physical files on disk remain unchanged. Because the kernel and its page cache are shared across an entire node, this flaw allows attackers to:

Easily break out of Kubernetes containers
Overtake multi-tenant hosts
Compromise continuous integration and continuous delivery (CI/CD) pipelines

We strongly urge organizations to patch their systems immediately by applying vendor-issued kernel updates.

Palo Alto Networks customers receive protections from and mitigations for CVE-2026-31431 through the following products:

Cortex Cloud
Cortex XDR and XSIAM

The Linux Foundation has posted an advisory with mitigation details for CVE-2026-314331. Palo Alto Networks highly recommends applying vendor-issued kernel updates immediately. If this option is not feasible, we recommend following interim mitigation guidance to disable the vulnerable module until patches can be applied.

The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.

Vulnerabilities Discussed

CVE-2026-31431

Details of CVE-2026-31431

The vulnerability tracked as CVE-2026-31431, known as Copy Fail, is a deterministic logic flaw located in the Linux kernel's cryptographic subsystem, specifically within the algif_aead module of the AF_ALG interface.

The Root Cause

The flaw originates from a buggy in-place optimization introduced to the Linux kernel in 2017 (commit 72548b093ee3) for AEAD encryption. This 2017 in-place optimization specifically caused req->src and req->dst to point to a combined scatterlist. Because of this, the page cache pages from the splice() call were improperly chained directly into the writable destination scatterlist.

During cryptographic operations, the authencesn algorithm improperly uses the caller's destination buffer as a scratch pad. Because of this, it writes four controlled bytes past the legitimate output region, crossing a chained scatterlist boundary, and fails to restore them. The patch (commit a664bf3d603d) fixes this by reverting the module to out-of-place operation, separating the source and destination scatterlists so that the page cache pages remain strictly in the read-only source.

Mechanism of Action

An unprivileged attacker can exploit this memory handling error by misusing the interaction between the AF_ALG socket interface and the splice() system call. When splice() hands page-cache pages into the crypto subsystem, the vulnerability allows the attacker to direct that four-byte overwrite straight into the kernel's file page cache.

The authencesn algorithm is used for IPsec extended sequence number (ESN) support and uses the destination buffer as a scratch pad to rearrange these sequence numbers. The attacker controls the exact four-byte overwrite value by supplying the seqno_lo (the low half of the sequence number) inside bytes 4–7 of the Associated Authenticated Data (AAD) during the sendmsg() call.

Exploitation Via the Page Cache

The page cache is the temporary in-memory copy of a file that the kernel reads when it loads a binary for execution. An attacker can leverage the four-byte overwrite to target the page cache of any readable setuid-root binary, such as /usr/bin/su, sudo or passwd.

The attacker controls exactly where the overwrite happens by manipulating the splice offset, the splice length and the assoclen (associated length) parameters. This allows them to specifically target the .text section of a setuid binary like /usr/bin/su to inject their shellcode.

Privilege escalation: Modifying the cached copy of the binary alters its execution context. When the binary is executed, it grants the attacker superuser (UID 0) privileges, effectively breaking the kernel's trust boundaries.
Stealth: Because this corruption occurs entirely in the system's RAM, the physical file on the disk remains completely unmodified. This bypasses traditional virtual file system (VFS) paths and file integrity monitoring tools. Once the page is evicted from memory or the system reboots, the cache reloads clean from the disk, leaving no trace of the compromise.

Exploit Characteristics

What makes Copy Fail exceptionally severe compared to previous Linux LPE vulnerabilities like Dirty Cow or Dirty Pipe is its reliability and simplicity:

No race conditions or offsets: It is a straight-line logic flaw that does not rely on winning a race condition window or guessing kernel-specific memory offsets.
100% reliability: The exploit is deterministic and fires successfully on the first attempt.
High portability: The exploit can be executed using a standalone 732-byte Python script that relies solely on standard libraries (os, socket, zlib), meaning no compilation or external dependencies are required. This same script works unmodified across virtually all major Linux distributions shipped since 2017.

Interim Guidance for CVE-2026-31431

The vulnerability has been resolved in upstream Linux kernel stable branches by reverting the flawed 2017 optimization (commit a664bf3d603d).

If immediate patching is not possible, administrators should implement an interim mitigation by disabling the affected algif_aead module. This can be accomplished by running the following commands as root to block the module's loading and remove it from the kernel:

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead

The Linux Foundation has posted an advisory with mitigation details for CVE-2026-314331.

Unit 42 Managed Threat Hunting Queries

The Unit 42 Managed Threat Hunting team continues to track any attempts to exploit this CVE across our customers, using Cortex XDR and the XQL queries below. Cortex XDR customers can also use these XQL queries to search for signs of exploitation.

// Title: CopyFail Detection via Non-root Launching su via Uncommon Parent Process
// Description: Query looks for non-root users launching the switch user (su) process via a parent process other than the normally expected processes such as shells, sudo, or su itself. May identify false positives, yet works well for identification of potential CopyFail exploitation.
// MITRE ATT&CK TTP ID: T1068

dataset = xdr_data
| fields _time, agent_hostname, agent_os_type, event_type, event_sub_type, actor_effective_username, actor_effective_user_sid, actor_process_image_path, actor_process_image_name, actor_process_command_line, actor_process_image_sha256, action_process_image_name, action_process_image_command_line, action_process_user_sid
| filter
    event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
    and agent_os_type = ENUM.AGENT_OS_LINUX
    and actor_effective_user_sid != "0"
    and (
        (action_process_image_name = "su" and action_process_image_command_line in ("su", "/usr/bin/su"))
        or (action_process_image_name in ("bash", "sh") and action_process_image_command_line ~= "-c(?:\s--)?\ssu$")
    )
   and actor_process_image_name not in ("bash", "sh", "zsh", "ksh", "sudo", "su")
| comp earliest(_time) as first_seen, latest(_time) as last_seen, count() as execution_count, values(actor_effective_username) as actor_usernames,  values(actor_process_image_path) as actor_image_paths, values(actor_process_command_line) as actor_cmd_lines, values(action_process_image_command_line) as action_cmd_lines, values(action_process_user_sid) as action_UIDs by agent_hostname, actor_process_image_name, actor_process_image_sha256

// Title: CopyFail Detection via Non-root Launching su via Uncommon Parent Process

// Description: Query looks for non-root users launching the switch user (su) process via a parent process other than the normally expected processes such as shells, sudo, or su itself. May identify false positives, yet works well for identification of potential CopyFail exploitation.

// MITRE ATT&CK TTP ID: T1068

dataset = xdr_data

| fields _time, agent_hostname, agent_os_type, event_type, event_sub_type, actor_effective_username, actor_effective_user_sid, actor_process_image_path, actor_process_image_name, actor_process_command_line, actor_process_image_sha256, action_process_image_name, action_process_image_command_line, action_process_user_sid

| filter

event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START

and agent_os_type = ENUM.AGENT_OS_LINUX

and actor_effective_user_sid != "0"

and (

(action_process_image_name = "su" and action_process_image_command_line in ("su", "/usr/bin/su"))

or (action_process_image_name in ("bash", "sh") and action_process_image_command_line ~= "-c(?:\s--)?\ssu$")

)

and actor_process_image_name not in ("bash", "sh", "zsh", "ksh", "sudo", "su")

| comp earliest(_time) as first_seen, latest(_time) as last_seen, count() as execution_count, values(actor_effective_username) as actor_usernames, values(actor_process_image_path) as actor_image_paths, values(actor_process_command_line) as actor_cmd_lines, values(action_process_image_command_line) as action_cmd_lines, values(action_process_user_sid) as action_UIDs by agent_hostname, actor_process_image_name, actor_process_image_sha256

// Title: CopyFail Proof of Concept Code Execution
// Description: Query looks for potential CopyFail proof of concept (POC) code execution via identifying potentially correlated curl and su process executions. May identify false positives, yet works well for identification of CopyFail POC provided by Xint.Code.
// MITRE ATT&CK TTP ID: T1068

config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = ENUM.AGENT_OS_LINUX
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
| filter action_process_image_name in ("curl", "su")
| bin _time span = 2m
| filter action_process_image_command_line contains "copy.fail/exp" or (action_process_image_command_line = "su" or action_process_image_command_line ="/usr/bin/su")
| fields _time, agent_id, event_id, agent_hostname, action_process_image_command_line, action_process_image_name, actor_process_instance_id
| comp count() as event_count, values(agent_id) as agent_id, values(event_id) as event_id, values(action_process_image_name) as processes, values(action_process_image_command_line) as commands by agent_hostname, _time, actor_process_instance_id
| filter processes contains "su" and processes contains "curl"

// Title: CopyFail Proof of Concept Code Execution

// Description: Query looks for potential CopyFail proof of concept (POC) code execution via identifying potentially correlated curl and su process executions. May identify false positives, yet works well for identification of CopyFail POC provided by Xint.Code.

// MITRE ATT&CK TTP ID: T1068

config case_sensitive = false

| dataset = xdr_data

| filter agent_os_type = ENUM.AGENT_OS_LINUX

| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START

| filter action_process_image_name in ("curl", "su")

| bin _time span = 2m

| filter action_process_image_command_line contains "copy.fail/exp" or (action_process_image_command_line = "su" or action_process_image_command_line ="/usr/bin/su")

| fields _time, agent_id, event_id, agent_hostname, action_process_image_command_line, action_process_image_name, actor_process_instance_id

| comp count() as event_count, values(agent_id) as agent_id, values(event_id) as event_id, values(action_process_image_name) as processes, values(action_process_image_command_line) as commands by agent_hostname, _time, actor_process_instance_id

| filter processes contains "su" and processes contains "curl"

Conclusion

Based on the amount of publicly available information, the ease of use and the effectiveness of the Copy Fail exploit, Palo Alto Networks highly recommends applying vendor-issued kernel updates immediately. If this option is not feasible, we recommend following interim mitigation guidance to disable the vulnerable module until patches can be applied.

This is especially important, given that a highly reliable proof-of-concept (PoC) script is already publicly available and preliminary testing activity has been observed.

Palo Alto Networks customers are better protected by our products, as listed below.

Palo Alto Networks Product Protections for CVE-2026-31431

Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.

Cortex XDR and XSIAM

Cortex XDR and XSIAM help protect against the threats described in this article, using the multi-layer protection approach, including Advanced WildFire, Endpoint Protection Modules (EPM), Behavioral Threat Protection and the Local Analysis module.

Cortex Cloud

Cortex Cloud endpoint protection can help protect organizations from threats expressed within this article. Cortex Cloud 2.1 can detect and prevent malicious operations using behavioral and AI-enabled analytics to detect when attackers target Linux endpoints, including containers and virtual machines. Additionally, it can detect when cloud platform IAM policies associated with those targeted endpoints are being misused and alert teams when assets are vulnerable to these threats.

If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
UK: +44.20.3743.3660
Europe and Middle East: +31.20.299.3130
Asia: +65.6983.8730
Japan: +81.50.1790.0200
Australia: +61.2.4062.7950
India: 000 800 050 45107
South Korea: +82.080.467.8774

Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years

Executive Summary