cross-posted from: https://lemmy.world/post/46310739

cross-posted from: https://lemmy.world/post/46310733

Cybersecurity researchers have disclosed details of a Linux local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root.

The high-severity vulnerability tracked as CVE-2026-31431 (CVSS score: 7.8) has been codenamed Copy Fail by Xint.io and Theori.

“An unprivileged local user can write four controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root,” the vulnerability research team at Xint.io and Theori said.

At its core, the vulnerability stems from a logic flaw in the Linux kernel’s cryptographic subsystem, specifically within the algif_aead module. The issue was introduced in a source code commit made in August 2017.

Successful exploitation of the shortcoming could allow a simple 732-byte Python script to edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017, including Amazon Linux, RHEL, SUSE, and Ubuntu. The Python exploit involves four steps:

  • Open an AF_ALG socket and bind to authencesn(hmac(sha256),cbc(aes))
  • Construct the shellcode payload
  • Trigger the write operation to the kernel’s cached copy of “/usr/bin/su”
  • Call execve(“/usr/bin/su”) to load the injected shellcode and run it as root

While the vulnerability is not remotely exploitable in isolation, a local unprivileged user can get root simply by corrupting the page cache of a setuid binary. The same primitive also has cross-container impacts as the page cache is shared across all processes on a system.

  • bad1080@piefed.social · +1 · edited · 16 hours ago

    so judging from this: https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available
    I should be affected (v25.10):
    kmod 34.2-2ubuntu1.1
    but even after running the updates and rebooting the version hasn’t changed…
    ii kmod 34.2-2ubuntu1.1 amd64 tools for managing Linux kernel modules

    And I don’t get how the kmod version is relevant, as it should be the kernel number, no? Which is:
    Kernel: Linux 6.17.0-23-generic
    for me

    Edit: I just realized it says “Fixed Version” on top, this couldn’t be more confusing if they tried…

      • bad1080@piefed.social · +2 · 13 hours ago

        Ah ok, so it is just mitigated by this and not fixed like with a kernel update. Do I understand this right?

        • ozymandias117@lemmy.world · +1 · edited · 10 hours ago

          Edit: to be clear, this advice is specific to Ubuntu. If you come across this and need advice for a different distro, message me or reply to this

          Yes.

          Ubuntu doesn’t follow upstream kernels, so they will have to make a custom backport for 6.17 to fix the kernel

          It’s very unlikely you need the module that has the bug, so the mitigation should work for you

          Just double-check lsmod | grep aead

          As long as that module is not loaded, and you have the kmod update that adds /etc/modprobe.d/disable-algif.conf, you’re protected
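A script that performs the two checks ozymandias117 describes (algif_aead not loaded, and a modprobe rule in place so it cannot be loaded again). This is an added example, not code from the article, from Xint.io/Theori, or from any commenter. It takes the file name /etc/modprobe.d/disable-algif.conf from the comment above; the directive inside that file is not quoted anywhere on this page, so the script recognises both `blacklist algif_aead` and `install algif_aead /bin/false` and reports which one it found. The checks are factored into functions that take `lsmod` and `modprobe -c` output as strings, so they can be exercised on constructed input as well as on the live host.

```shell
#!/bin/sh
# Added example, not code from the article or from the commenters above.
# Checks whether the algif_aead mitigation discussed in the thread is in place:
#   1. the module is not currently loaded (what `lsmod | grep aead` shows), and
#   2. the effective modprobe configuration keeps it from being loaded again.
# Assumption (taken from the comment, not verified here): Ubuntu's kmod update
# ships its rule in /etc/modprobe.d/disable-algif.conf. The directive itself is
# not quoted on this page, so both forms a distribution might use are handled.

# is_module_loaded LSMOD_OUTPUT MODULE -> 0 if MODULE is in the loaded-module list
is_module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# module_rule MODPROBE_CONFIG MODULE -> prints the strongest directive found for
# MODULE: "install" (install MODULE /bin/false or /bin/true), "blacklist", or "none".
# A blacklist line only suppresses the module's aliases; it does not stop a load
# by module name, which is why `install ... /bin/false` is the form that blocks it.
module_rule() {
    printf '%s\n' "$1" | awk -v m="$2" '
        /^#/ { next }
        $1 == "install" && $2 == m && ($3 == "/bin/false" || $3 == "/bin/true") { rule = "install" }
        $1 == "blacklist" && $2 == m && rule != "install" { rule = "blacklist" }
        END { print (rule == "" ? "none" : rule) }'
}

# mitigation_status LSMOD_OUTPUT MODPROBE_CONFIG -> prints a verdict per check;
# returns 0 only when the module is unloaded AND an install rule blocks reloading.
mitigation_status() {
    rc=0
    if is_module_loaded "$1" algif_aead; then
        echo "FAIL: algif_aead is loaded; a modprobe rule does not unload it (rmmod or reboot)"
        rc=1
    else
        echo "ok:   algif_aead is not loaded"
    fi
    case "$(module_rule "$2" algif_aead)" in
        install)   echo "ok:   'install algif_aead /bin/false' blocks loading by name or alias" ;;
        blacklist) echo "WARN: only 'blacklist algif_aead' found; that does not block a load by module name"; rc=1 ;;
        none)      echo "FAIL: no rule for algif_aead; it can still be loaded on demand"; rc=1 ;;
    esac
    return $rc
}

# Live check on this host, skipped where lsmod/modprobe are unusable (e.g. a
# container without /proc/modules). `modprobe -c` prints the effective config
# merged from /etc/modprobe.d and /lib/modprobe.d.
if [ -r /proc/modules ] && command -v lsmod >/dev/null 2>&1 && command -v modprobe >/dev/null 2>&1; then
    # A built-in algif_aead (listed in modules.builtin) cannot be disabled by any
    # modprobe rule; only a fixed kernel helps in that case.
    if grep -q 'algif_aead' "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null; then
        echo "FAIL: algif_aead is built into this kernel; a modprobe rule cannot disable it"
    fi
    [ -f /etc/modprobe.d/disable-algif.conf ] && echo "info: /etc/modprobe.d/disable-algif.conf is present"
    if mitigation_status "$(lsmod 2>/dev/null)" "$(modprobe -c 2>/dev/null)"; then
        echo "result: mitigation in place"
    else
        echo "result: NOT mitigated"
    fi
fi
```

Run it as root or as a normal user; neither `lsmod` nor `modprobe -c` needs privileges. The verdict is conservative on purpose: a loaded module, a blacklist-only rule, or a kernel with the module built in each counts as not mitigated, because in all three cases a local user can still reach the algif_aead code path until a fixed kernel is installed.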