NAVANEM

vulnerabilities · jun 28, 2026 · 12:15 utc

CVE-2026-31431 Copy Fail: Linux Privilege Escalation Flaw

A 732-byte Python script exploits CVE-2026-31431 (CVSS 7.8) to grant root on Ubuntu, RHEL, and Amazon Linux. CISA mandates federal patching by May 15, 2026.

by Emanuel De Almeida


TL;DR

  • CVE-2026-31431 ('Copy Fail') is a Linux kernel local privilege escalation flaw with a CVSS score of 7.8, publicly disclosed April 29, 2026.
  • A 732-byte Python proof-of-concept exploits it with reported 100% reliability against Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16.
  • Every mainstream Linux kernel built between August 9, 2017 and March 31, 2026 is affected - nearly nine years of releases.
  • CISA ordered federal agencies to patch by May 15, 2026 under Binding Operational Directive 22-01.
  • Fixed kernel versions are 6.18.22, 6.19.12, and 7.0; Red Hat shipped its RHEL-9 fix on May 4, 2026.

What Is CVE-2026-31431 and Why Does It Matter for Linux Privilege Escalation?

CVE-2026-31431 is a local privilege escalation flaw in `algif_aead`, the Linux kernel module that exposes AEAD ciphers to userspace through the AF_ALG socket family, scoring 7.8 (High) on the CVSS scale. Disclosed on April 29, 2026, the bug lets any unprivileged local user - anyone who can open a socket - write four bytes of attacker-controlled data into the kernel page cache. That small overwrite is enough to reach root.

Researchers at CERT/CC describe the exploit as a controlled 4-byte overwrite triggered by a 732-byte Python proof-of-concept script, and rated it 100% reliable in testing. No race condition, no heap spray, no complex chaining: that reliability is what distinguishes this from most kernel CVEs and turns a theoretical bug into an immediate operational threat.

To put the disclosure in context: Swif's analysis of NIST NVD data shows the NVD recorded 3,529 Linux kernel CVEs in 2024, with new kernel CVEs arriving at roughly 8 to 9 per day in 2025 and 2026. Most never produce a working public exploit. This one did, within days of disclosure.

Who Is Affected by This Linux Local Privilege Escalation?

Almost every Linux system built since mid-2017 is in scope. According to NHS England Digital, the vulnerable code window spans from kernel commit 72548b093ee3 (August 9, 2017) to commit a664bf3d603d (March 31, 2026). Any distribution shipping a kernel in that range carries the flaw.

Microsoft Security Blog assessed that CVE-2026-31431 impacts a significant portion of cloud Linux workloads and millions of Kubernetes clusters, with preliminary in-the-wild testing activity already observed and expected to accelerate. Swif, citing W3Techs data, reports Linux powers 61.1% of all websites with an identifiable OS - which illustrates the scale of the exposed surface.

The following distributions are confirmed affected; each entry lists affected versions, the fixed kernel, and the patch command:

  • Ubuntu: all releases before Resolute 26.04. Fixed kernel: vendor kernel update. Patch command: `sudo apt-get update && sudo apt-get upgrade` (a new kernel image is a new package, so if apt reports the kernel metapackage as kept back, use `dist-upgrade` in place of `upgrade`).
  • Red Hat Enterprise Linux: RHEL 9 and earlier (kernels from the 2017-2026 window). Fixed kernel: RHEL-specific build (May 4, 2026). Patch command: `sudo dnf update kernel`.
  • SUSE Linux Enterprise: kernels from the 2017-2026 window. Fixed kernel: SUSE vendor update. Patch command: `sudo zypper patch`.
  • Amazon Linux: Amazon Linux 2023 and earlier in the window. Fixed kernel: AWS vendor update. Patch command: `sudo dnf update kernel`.

Canonical / Ubuntu specifically confirmed that in container deployments the vulnerability can also be used for container escape, beyond local root escalation on non-container hosts. That follows from where the flaw lives: containers share the host kernel, so a process inside one that can open an AF_ALG socket reaches the same `algif_aead` code as a process on the host.

Chart: CVE-2026-31431 Exploit Reliability vs. Typical Kernel CVE Complexity
Source: CERT/CC advisory (100% reliability claim); exploit characteristics described in CERT/CC and Kaspersky/The Hacker News reporting

Why Is the Copy Fail Exploit So Dangerous?

The proof-of-concept requires no special privileges and fits in under a kilobyte of Python. Most kernel exploits demand complex memory manipulation across many steps. This one does not. Verified testing confirmed root access on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16 - four of the most widely deployed enterprise Linux variants.

Kaspersky, reported via The Hacker News, noted that Go and Rust versions of the original Python PoC have already appeared in open-source repositories. Exploitation requires no race conditions and no memory address guessing, which lowers the entry barrier for attackers significantly.

The attack surface expands sharply in shared environments. Any tenant on a multi-user system, any container with access to the host kernel's algif_aead interface, or any developer with SSH access becomes a potential escalation path. For teams managing Kubernetes nodes - see our notes on monitoring Linux system health from the terminal - the exposure extends to every unpatched node in a cluster.

When our team reviewed the CERT/CC advisory and the published PoC structure, the absence of any probabilistic element - no timing window, no retry loop - confirmed that the 100% reliability claim is consistent with the exploit's design. This is not a marginal finding.

What Did CISA and Regulators Do?

CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities catalog on May 1, 2026, two days after public disclosure, and the formal CISA alert set a mandatory remediation deadline of May 15, 2026 for all Federal Civilian Executive Branch agencies under Binding Operational Directive 22-01. The two-week window is the standard BOD 22-01 timeframe for any CVE assigned in 2021 or later, so the short deadline is not itself the signal; the KEV listing is, because CISA adds an entry only once it has evidence of exploitation in the wild.

CISA's KEV listing carries weight beyond federal mandates. Private-sector security teams treat it as a reliable signal that real attackers are using the technique - not just researchers. For context on how quickly exploitation windows close after KEV listing, compare the response timeline for CVE-2026-12569: PTC Windchill RCE Exploited, CISA Warns, where a similar two-week window applied.

Red Hat Customer Portal confirmed that despite rating the severity as Important rather than Critical, Red Hat expedited fixes across all affected products. All fixes are now available. CERT-EU independently confirmed the CVSS 7.8 score and noted that disabling the algif_aead module as an interim workaround does not affect dm-crypt/LUKS, IPsec, OpenSSL, GnuTLS, or SSH.

Chart: CVE-2026-31431 Key Timeline (Days from Disclosure)
Source: CISA KEV catalog entry May 1 2026; Red Hat patch May 4 2026; CISA deadline May 15 2026; all relative to April 29 2026 disclosure

How Do You Patch CVE-2026-31431 Right Now?

Patches exist across all major distributions and are ready to deploy. Work through this list in order:

  1. Identify your kernel version on every Linux host:
```shell
uname -r
```
     Distribution kernels carry security fixes under their own version numbers (Ubuntu's `-generic` builds, RHEL's `.el9` builds), so on Ubuntu, RHEL, SUSE and Amazon Linux compare the result against the vendor advisory rather than against the upstream numbers in the next step.
  2. Upgrade to a fixed kernel - for upstream builds that means 6.18.22, 6.19.12, or 7.0.
  3. RHEL users - apply the patch released May 4, 2026. See the Red Hat Customer Portal advisory for RHEL-9 specifics:
```bash
sudo dnf update kernel
```
  4. Ubuntu, SUSE, and Amazon Linux users - apply the latest kernel update via your vendor's security channel without delay.
  5. Restrict `algif_aead` module loading as a temporary mitigation where patching cannot happen immediately:
```bash
echo 'install algif_aead /bin/false' | sudo tee /etc/modprobe.d/disable-algif-aead.conf
sudo reboot
```
     The `install` rule only stops the module from being loaded from now on, which is why the reboot matters: it is what removes a copy that is already loaded. The rule has no effect on kernels that compile the AEAD userspace interface in (CONFIG_CRYPTO_USER_API_AEAD=y) instead of building it as a module; there only a patched kernel closes the hole. CERT-EU confirmed this workaround does not break dm-crypt/LUKS, IPsec, OpenSSL, GnuTLS, or SSH.
  6. Audit Kubernetes nodes - enumerate node OS and kernel versions and prioritize any node running a kernel from the 2017-2026 window:
```shell
kubectl get nodes -o wide
```
  7. Review authentication logs for unexpected su, sudo, or setuid events that may indicate prior exploitation.
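The following Python script is an added triage example written for this article; it is not the CERT/CC proof-of-concept and not code from CISA or any distribution vendor. It turns steps 1, 5 and 6 into checks: it classifies `uname -r` against the upstream fixed releases the article names (flagging distribution kernels, where version comparison proves nothing), reads whether the AEAD interface was built as a module (so the modprobe workaround can apply) or compiled in, probes whether an unprivileged process can still bind an AF_ALG `aead` socket, and classifies every node in `kubectl get nodes -o json` output. Assumed rather than taken from the page: the `/boot/config-<release>` path, the kubelet `nodeInfo.kernelVersion` field, and the use of an AF_ALG bind as the reachability test. A successful bind means the interface is exposed to this user, not that the kernel is unpatched: a fixed distro kernel still ships the module.

```python
"""Host and cluster triage for CVE-2026-31431 (Copy Fail).

Added example for this article, not the CERT/CC PoC and not vendor code.
Assumptions (not from the page): kernel config at /boot/config-<release>;
kubelet reports uname -r in .status.nodeInfo.kernelVersion; binding an
AF_ALG "aead" socket is the step any unprivileged process takes to reach
algif_aead. Reachable != vulnerable: a patched kernel still has the module.
"""
import json
import os
import re
import socket
import sys
from typing import Dict, Tuple

# Fixed upstream releases as stated in the article: 6.18.22, 6.19.12 and 7.0.
FIXED_PATCH_BY_SERIES = {(6, 18): 22, (6, 19): 12}
FIXED_MAJOR = 7

# Distro markers: -NN-generic (Ubuntu), .elN (RHEL), .amznNNNN (Amazon), .fcNN (Fedora).
_VENDOR_MARK = re.compile(r"-|\.el\d|\.amzn|\.fc\d")


def classify_kernel(release: str) -> str:
    """Classify a `uname -r` string against the upstream fixed releases.

    'vendor'     distro kernel: fixes are backported under old numbers, use the advisory
    'fixed'      upstream 6.18.22+, 6.19.12+ or 7.0+
    'vulnerable' upstream 6.18 / 6.19 below the fixed patch level
    'unknown'    a series the article lists no fix for (6.17 and older LTS lines)
    """
    if _VENDOR_MARK.search(release):
        return "vendor"
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        return "unknown"
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if major >= FIXED_MAJOR:
        return "fixed"
    fixed_patch = FIXED_PATCH_BY_SERIES.get((major, minor))
    if fixed_patch is None:
        return "unknown"
    return "fixed" if patch >= fixed_patch else "vulnerable"


def aead_build_state(config_text: str) -> str:
    """Read CONFIG_CRYPTO_USER_API_AEAD (the option that builds algif_aead).

    'module'  loadable: an 'install algif_aead /bin/false' rule can block it
    'builtin' compiled in (=y): no modprobe rule helps, only a patched kernel
    'absent'  the AEAD userspace interface is not built at all
    """
    for line in config_text.splitlines():
        if line.startswith("CONFIG_CRYPTO_USER_API_AEAD=m"):
            return "module"
        if line.startswith("CONFIG_CRYPTO_USER_API_AEAD=y"):
            return "builtin"
    return "absent"


def aead_interface_reachable() -> Tuple[bool, str]:
    """Bind an AF_ALG 'aead' socket as any unprivileged user could.

    Succeeds only if algif_aead is loaded or can be autoloaded; after the
    modprobe workaround plus a reboot it fails with ENOENT. No key, no data.
    """
    if not hasattr(socket, "AF_ALG"):
        return False, "AF_ALG not available on this platform"
    try:
        with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as s:
            s.bind(("aead", "gcm(aes)"))
    except OSError as e:
        return False, f"bind failed: {e.strerror} (errno {e.errno})"
    return True, "AF_ALG aead bind succeeded: algif_aead is reachable from this user"


def classify_nodes(kubectl_json: str) -> Dict[str, Tuple[str, str]]:
    """Map node name -> (kernelVersion, classification) from `kubectl get nodes -o json`."""
    result = {}
    for item in json.loads(kubectl_json).get("items", []):
        kver = item["status"]["nodeInfo"]["kernelVersion"]
        result[item["metadata"]["name"]] = (kver, classify_kernel(kver))
    return result


if __name__ == "__main__":
    if not sys.stdin.isatty():  # kubectl get nodes -o json | python3 copyfail_triage.py
        for name, (kver, state) in classify_nodes(sys.stdin.read()).items():
            print(f"{name}: {kver} -> {state}")
    else:  # run on a host as an unprivileged user
        release = os.uname().release
        print(f"kernel {release}: {classify_kernel(release)}")
        cfg = f"/boot/config-{release}"
        try:
            with open(cfg) as f:
                print(f"CONFIG_CRYPTO_USER_API_AEAD: {aead_build_state(f.read())}")
        except OSError:
            print(f"{cfg} not readable; check the kernel config another way")
        reachable, detail = aead_interface_reachable()
        print(("EXPOSED: " if reachable else "blocked: ") + detail)
```

Run it as an unprivileged user, either directly on a host or with `kubectl get nodes -o json` piped into it. The socket probe is the check to repeat after adding the modprobe rule and rebooting: it should then report `bind failed: No such file or directory`. It also answers the FAQ below on disabling the module: a `builtin` result means the interface cannot be disabled through modprobe at all, and a `vendor` classification means "verify against the vendor advisory", never "safe".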

For teams managing scheduled maintenance windows, our crontab guide for sysadmins covers automating kernel update jobs safely. If you run containerized infrastructure, the Portainer CE on Debian guide walks through verifying container host kernel versions from the web UI.

The Verizon 2025 Data Breach Investigations Report, as cited by Swif, found a median time to patch of 32 days across organizations - well beyond the May 15 CISA deadline. Teams that treat this as a standard patch cycle will miss the window.

For teams evaluating privilege management controls alongside patching, Microsoft Entra PIM configuration is one layer that reduces lateral movement risk after an initial local escalation. Also worth reviewing: the active exploitation pattern for CVE-2026-20253: Critical Splunk RCE shows how quickly threat actors chain local access with remote footholds once a reliable PoC circulates.

Frequently Asked Questions

Does this affect virtual machines and cloud instances?

Yes. Microsoft Defender's analysis confirmed that cloud Linux workloads are directly in scope. Any VM running an affected kernel on AWS, Azure, or GCP is vulnerable. The flaw lives in the guest kernel itself, not in hardware, so virtualization provides no protection against a local attacker with guest-level access; what it does contain is the blast radius, since root inside the VM is not root on the hypervisor or on neighbouring VMs.

Can the `algif_aead` module be disabled without breaking applications?

For most servers, yes. The algif_aead module provides a userspace interface to kernel AEAD cryptographic operations. General-purpose web servers, databases, and containerized workloads rarely call it directly. CERT-EU confirmed the disable workaround does not affect dm-crypt/LUKS, IPsec, OpenSSL, GnuTLS, or SSH.

Is a CVSS 7.8 score high enough to prioritize over other patches?

In this case, yes. CVSS 7.8 reflects local-only access requirements, which limits the base score. However, the near-universal distribution of affected kernels, the confirmed 100% reliable exploit, and CISA's active exploitation flag place this above many remote-code-execution bugs scoring above 9.0 in practical risk terms.

How long was this bug present in production systems?

Approximately nine years. The vulnerable code entered the kernel on August 9, 2017. Developers did not correct it until commit a664bf3d603d on March 31, 2026. Any system still running a kernel from that window carries this escalation path, and did so silently the entire time.

Are Go and Rust exploit versions already circulating?

Yes. The Hacker News, citing Kaspersky research, confirmed that Go and Rust ports of the original Python PoC have appeared in open-source repositories. The absence of race conditions or memory guessing in the exploit design means these ports are straightforward to produce and use.

source: news.google.com

#linux-kernel#privilege-escalation#cve#cisa-kev#kubernetes#patch-management
