Linux kernel Copy Fail flaw allows easy root access
Updated · ZDNet · May 5
Tracked as CVE-2026-31431, the bug affects kernels 4.14 through 6.19.12 and has been present since 2017. It was found by Xint Code with Theori researcher Taeyang Lee.
The vulnerability abuses the AF_ALG socket interface and splice() to overwrite four bytes in the kernel page cache, enabling modification of in-memory setuid binaries such as su.
Researchers said the exploit is more reliable than race-condition attacks, putting millions of systems at risk; mitigation includes installing patched kernels or disabling and unloading the algif_aead module.
Urgent Patch Required: Linux Kernel CVE-2026-31431 Allows Local Attackers to Escalate to Root and Escape Containers
Overview
Disclosed on April 29, 2026, the Copy Fail vulnerability is a critical local privilege escalation flaw that has been present in Linux kernels since 2017. It allows attackers with low-level local access to modify the in-memory cached copies of setuid-root binaries, gaining full root privileges without altering the files on disk. The flaw is especially dangerous in cloud and container environments, where it enables container escapes and cross-tenant compromises. Exploitation is reliable, stealthy, and difficult to detect, and it uses legitimate system calls. Major vendors have issued patches, and urgent patching followed by a system reboot is essential to prevent widespread attacks. The discovery, aided by AI tools, highlights the need for stronger kernel security and improved isolation in cloud infrastructures.
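An added example, not from the article or the researchers: a POSIX shell triage that compares a kernel release against the affected range quoted above (4.14 to 6.19.12) and checks whether the algif_aead module is loaded or blocked from loading. The function names, and treating a modprobe.d `install algif_aead /bin/false` override as the "disabled" state, are assumptions; distro kernels may carry a backported fix, so an in-range result means the vendor advisory still has to be checked.

```shell
#!/bin/sh
# Added example: host triage for the exposure described in the article.
# The 4.14 .. 6.19.12 range comes from the article; distro kernels may carry
# a backported fix, so "in-range" means "confirm with the vendor advisory".

ver_num() {  # "6.8.0-45-generic" -> 6008000
    v=${1%%[!0-9.]*}            # drop "-45-generic", "+", "-rc1" suffixes
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

version_in_range() {  # true if 4.14 <= $1 <= 6.19.12
    n=$(ver_num "$1")
    [ "$n" -ge "$(ver_num 4.14)" ] && [ "$n" -le "$(ver_num 6.19.12)" ]
}

module_loaded() {  # $1 = module name, $2 = file in /proc/modules format
    grep -q "^$1 " "${2:-/proc/modules}"
}

module_blocked() {  # assumption: "disabled" = modprobe.d install override
    grep -Eqs "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/(false|true)" \
        "${2:-/etc/modprobe.d}"/*.conf
}

triage() {  # $1 = kernel release, $2 = modules file, $3 = modprobe.d dir
    if ! version_in_range "$1"; then echo "out-of-range"; return 0; fi
    if module_loaded algif_aead "$2"; then
        echo "in-range,module-loaded"       # unload it and block reloading
    elif module_blocked algif_aead "$3"; then
        echo "in-range,module-blocked"      # mitigated until patched
    else
        echo "in-range,module-loadable"     # not loaded now, can still load
    fi
}

# Check the live host only when invoked as: sh triage.sh --host
if [ "${1:-}" = "--host" ]; then
    triage "$(uname -r)" /proc/modules /etc/modprobe.d
fi
```

A kernel that has this interface built in rather than built as a module does not list it in /proc/modules and ignores the modprobe.d override, so on such a host only the patched kernel closes the exposure.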