CVE-2026-31431: Linux Kernel Privilege Escalation (Copy Fail)
Introduction
CVE-2026-31431, nicknamed Copy Fail, is a high-severity vulnerability in the Linux kernel's cryptographic socket interface. It allows a local unprivileged user to escalate privileges to root. The vulnerability affects Linux kernels since version 4.x and was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on May 1, 2026, confirming active exploitation.
This article explains what the vulnerability is, which systems are affected, how to check your systems, and how to apply the patch.
Vulnerability Summary
| Field | Detail |
|---|---|
| CVE ID | CVE-2026-31431 |
| Nickname | Copy Fail |
| Component | Linux kernel — algif_aead module, af_alg socket interface |
| Type | Use-after-free |
| Impact | Local privilege escalation to root |
| CVSS Score | 7.8 (High) |
| Attack vector | Local |
| Authentication required | Low-privileged local user |
| Upstream fix | April 1, 2026 (mainline commit a664bf3d603d) |
| CISA KEV | Added May 1, 2026 |
| Red Hat patches | Available from May 4, 2026 |
What Is Affected?
The vulnerability exists in the algif_aead module, part of the kernel's AF_ALG (Linux Crypto API) socket interface. This subsystem is present in all mainstream Linux kernels since version 4.x (released 2017).
Affected distributions include:
- Red Hat Enterprise Linux 7, 8, 9
- CentOS Stream
- Rocky Linux
- AlmaLinux
- Fedora
- Ubuntu LTS releases
- Debian
- SUSE Linux Enterprise Server
- CloudLinux
Any system running an unpatched kernel from this era should be considered affected until confirmed otherwise.
Why This Matters
Local privilege escalation vulnerabilities are especially significant in:
- Multi-user servers where multiple accounts exist
- CI/CD runners where build jobs run as unprivileged users
- Bastion hosts and jump servers with SSH access from multiple engineers
- Container hosts where a container breakout combined with this vulnerability could lead to full host compromise
- Shared hosting environments with untrusted tenant workloads
A low-privileged attacker who already has a shell on the system — through a web application vulnerability, stolen credentials, or misconfigured SSH — can use this vulnerability to gain full root access.
The CISA KEV listing confirms this is not a theoretical risk. Exploitation has been observed in the wild.
How to Check Your System
Check your running kernel version
```bash
uname -r
```
Example output:
```text
5.14.0-427.el9.x86_64
```
Compare the running kernel against your distribution's patched kernel version. See the Distribution-Specific Notes section below.
Check your OS and distribution release
```bash
cat /etc/os-release
```
Example output:
```text
NAME="Red Hat Enterprise Linux"
VERSION="9.4 (Plow)"
ID="rhel"
VERSION_ID="9.4"
```
Check for available security updates — RHEL/Fedora/Rocky/AlmaLinux
```bash
sudo dnf updateinfo list security | grep kernel
```
Check for available security updates — Ubuntu/Debian
```bash
sudo apt update
sudo apt list --upgradable | grep linux-image
```
Check if the algif_aead module is loaded
```bash
lsmod | grep algif_aead
```
If this returns output, the module is currently loaded. Note that it may be loaded on demand even if not shown here.
How to Patch or Mitigate
Option 1: Apply the kernel patch (recommended)
RHEL, Rocky Linux, AlmaLinux, CentOS Stream:
```bash
sudo dnf update kernel
sudo reboot
```
Ubuntu and Debian:
```bash
sudo apt update
sudo apt upgrade
sudo reboot
```
Fedora:
```bash
sudo dnf update kernel
sudo reboot
```
A reboot is required. The new kernel only becomes active after restarting the system.
Option 2: Temporary workaround (no reboot required)
If you cannot reboot immediately, a temporary workaround is available. Add the following to the kernel boot parameters to prevent the vulnerable module from initialising:
```
initcall_blacklist=algif_aead_init
```
A boot parameter only takes effect at the next boot. To reduce exposure without a reboot, you can attempt to unload the module if it is currently loaded:
```bash
sudo modprobe -r algif_aead
```
If the module is in use, the command will fail. In that case, the boot parameter workaround requires a reboot to take effect. An unloaded module can also be loaded again on demand, so unloading alone does not keep it out. This workaround is temporary. Apply the full kernel patch at the earliest opportunity.
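To tell these workaround states apart on a host, the following added example (not part of the original article or of any vendor tooling) reads a `/proc/modules`-format file and a `/proc/cmdline`-format file and prints one state word. The function names and state words are this example's own, and the `inconsistent` state is an assumption: it flags a host where the parameter is set yet the module is still listed.

```shell
#!/bin/sh
# Added example: classify one host's Copy Fail workaround state.
# Both inputs are files, so saved copies from other hosts can be checked too.

# True if algif_aead is listed in a /proc/modules-format file.
# The trailing space keeps names that merely start with "algif_aead" out.
module_loaded() {
    grep -q '^algif_aead ' "$1"
}

# True if the running kernel's command line has algif_aead_init as one
# entry of a comma-separated initcall_blacklist= parameter.
blacklist_active() {
    tr -s ' \t' '\n\n' < "$1" |
        sed -n 's/^initcall_blacklist=//p' |
        tr ',' '\n' |
        grep -qx 'algif_aead_init'
}

# Print one state word. $1 = modules file, $2 = cmdline file.
workaround_state() {
    if blacklist_active "$2"; then
        if module_loaded "$1"; then
            echo "inconsistent"   # parameter set but module listed: investigate
        else
            echo "blocked"        # workaround in effect for this boot
        fi
    elif module_loaded "$1"; then
        echo "loaded"             # candidate for: sudo modprobe -r algif_aead
    else
        echo "loadable"           # not loaded now, can still load on demand
    fi
}

# Report on the live system when the /proc files are readable.
if [ -r /proc/modules ] && [ -r /proc/cmdline ]; then
    echo "algif_aead workaround state: $(workaround_state /proc/modules /proc/cmdline)"
fi
```

Only `blocked` means the workaround is active for the current boot; none of the states replaces the kernel update.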
How to Verify the Fix
After rebooting, confirm the updated kernel is running:
```bash
uname -r
```
Compare the output against the expected patched kernel version for your distribution. For RHEL 9, for example, verify against the version listed in the relevant Red Hat Security Advisory.
On RHEL-based systems, you can also confirm the advisory has been applied:
```bash
sudo dnf updateinfo info security | grep CVE-2026-31431
```
Distribution-Specific Notes
Red Hat Enterprise Linux
Red Hat published patches starting May 4, 2026. Check Red Hat's security advisories portal for the specific RHSA number for your RHEL version. RHEL 7 customers should verify extended support coverage.
```bash
sudo dnf updateinfo list cves | grep CVE-2026-31431
```
Ubuntu
Ubuntu Security Notices (USNs) are published at ubuntu.com/security/notices. Check for USNs referencing CVE-2026-31431 for your Ubuntu release.
```bash
sudo apt update
sudo apt-cache policy linux-image-$(uname -r)
```
Debian
Check Debian Security Advisories (DSA) for advisories referencing CVE-2026-31431.
SUSE Linux Enterprise Server
SUSE advisories are available via the SUSE Security portal. SUSE customers can apply patches via:
```bash
sudo zypper update kernel-default
sudo reboot
```
Common Mistakes
- Not rebooting after the kernel update. `uname -r` will still show the old kernel until you reboot. The patch has no effect until the system restarts.
- Applying the workaround and assuming you are safe. The `initcall_blacklist` workaround reduces exposure but is not a permanent fix. Patch and reboot as soon as possible.
- Assuming containers are isolated. The Linux kernel is shared between the host and all containers. A container process that can execute arbitrary code can potentially use a kernel privilege escalation vulnerability.
- Skipping RHEL 7 or older systems. These systems are also affected. Verify support status and apply patches or mitigations accordingly.
Quick Checklist
- [ ] Identify all Linux systems running kernel versions 4.x through current unpatched versions
- [ ] Check for available kernel updates on each system
- [ ] Apply the kernel patch
- [ ] Reboot each system
- [ ] Verify the updated kernel is running with `uname -r`
- [ ] Apply the temporary workaround on systems that cannot be rebooted immediately
- [ ] Review CISA KEV entry and your organisation's patch SLA for KEV items
References
- NVD — CVE-2026-31431
- Red Hat Security Advisory RHSB-2026-002
- CISA Known Exploited Vulnerabilities — CVE-2026-31431
- Tenable — CVE-2026-31431 Copy Fail FAQ
Summary
CVE-2026-31431 is an actively exploited local privilege escalation vulnerability in the Linux kernel cryptographic subsystem. Any unprivileged local user can exploit it to gain root access. The fix is a kernel update followed by a reboot. A temporary workaround exists via the initcall_blacklist=algif_aead_init kernel boot parameter. All administrators running affected systems should treat this as a priority patch given the CISA KEV listing.