CVE-2026-31431, publicly known as CopyFail, is a recently disclosed Linux kernel local privilege escalation vulnerability. It affects the Linux kernel’s cryptographic subsystem, specifically the algif_aead component connected to the kernel’s userspace crypto API. While it is not a remote code execution vulnerability by itself, it is still serious because it can allow a local unprivileged user to gain root-level access on vulnerable systems. The flaw was publicly disclosed on April 29, 2026, and has been assigned a CVSS 3.1 score of 7.8 High by kernel.org’s CNA listing in NVD. (NVD)
At a high level, CopyFail involves a kernel logic flaw introduced through an optimization dating back to 2017. CERT-EU describes the issue as originating in an in-place optimization in the Linux kernel’s algif_aead module, where page-cache pages could be placed into a writable destination scatterlist. When chained with AF_ALG and splice(), the vulnerability can permit a local user to corrupt page-cache-backed memory in a way that may affect privileged binaries. (CERT-EU)
The name CopyFail is fitting because the bug sits in the dangerous space where the kernel is trying to optimize how data is copied or handled internally. Instead of safely separating source and destination memory operations, the flawed logic allows data handling behavior that can be abused. The eventual upstream correction effectively reverses the risky optimization and returns the affected operation to a safer out-of-place model. NVD’s description summarizes the kernel fix as “crypto: algif_aead – Revert to operating out-of-place,” noting that the complexity added for in-place operation was removed. (NVD)
Why CopyFail Matters
CopyFail matters because local privilege escalation vulnerabilities are often the second stage of real-world attacks. An attacker may first gain limited access through phishing, a stolen SSH key, a compromised web application, a vulnerable service, a malicious container workload, or a low-privileged user account. Once inside, a local privilege escalation bug can turn that limited foothold into full administrative control.
That is what makes this vulnerability especially concerning. On ordinary Linux hosts, successful exploitation can allow a local user to become root. On servers running container workloads, the concern is broader: a malicious or compromised containerized workload may be able to use the host kernel as an attack surface. Ubuntu specifically notes that on non-container hosts, the vulnerability allows a local user to elevate to root, while in container deployments it may facilitate container escape scenarios where potentially malicious workloads are executed. (Ubuntu)
This is especially important for:
Shared hosting providers
Multi-user Linux servers
University and research systems
CI/CD runners
Build farms
Kubernetes worker nodes
Cloud servers running untrusted workloads
Container platforms
Developer workstations
Internet-facing Linux systems where a separate vulnerability could provide initial access
The danger is not that an unauthenticated attacker can exploit it directly from the internet. The danger is that once an attacker gets any local execution path, CopyFail may give them a much faster route to root.
Who Is Affected?
CopyFail affects a wide range of Linux systems using kernels derived from affected versions. CERT-EU states that the vulnerability affects mainstream Linux distributions shipping kernels built since 2017, and directly verified distributions include Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16. It also lists Debian, Arch Linux, Fedora, Rocky Linux, AlmaLinux, Oracle Linux, and embedded Linux distributions as implicitly affected when running vulnerable kernels. (CERT-EU)
NVD’s affected kernel ranges include Linux kernel versions from 4.14 onward across multiple stable branches, with fixed versions varying by branch, including fixes such as 5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85, 6.18.22, and 6.19.12. That means administrators should not rely only on the major version number; they should check the exact kernel package and their distribution’s security advisory. (NVD)
Ubuntu reports that all Ubuntu releases before Resolute 26.04 are affected and that mitigations have been released through the kmod package to disable the vulnerable module while kernel packages with the proposed patch are released. (Ubuntu) AlmaLinux states that every supported AlmaLinux release is affected and that patched kernels were being prepared using the upstream fix. (AlmaLinux OS) Amazon Linux listed affected kernel packages for Amazon Linux 2 and Amazon Linux 2023 as pending fixes as of its advisory page. (Amazon Explore)
Why the Risk Is Higher Than the CVSS May Suggest
Some vendor advisories may rate this vulnerability differently, especially because it requires local access. Amazon Linux, for example, listed a CVSS score of 5.5 Medium on its advisory page, while kernel.org’s CNA score in NVD is 7.8 High. (Amazon Explore) This difference is not unusual. CVSS scoring often struggles to capture operational risk in environments where local code execution is easy to obtain, such as shared systems, container platforms, developer environments, and CI/CD infrastructure.
For a single-user laptop that is fully patched, has no untrusted local users, and does not run containers, the practical risk may be lower. For a Kubernetes node, shared shell server, build runner, or hosting platform, the risk is much higher. Any system that allows users, customers, developers, jobs, or containers to execute code should treat CopyFail as urgent.
How to Mitigate CopyFail
The best mitigation is to install a fixed kernel from your Linux distribution and reboot into it. Kernel updates do not protect the system until the vulnerable kernel is no longer running. After patching, administrators should confirm the active kernel with a command such as:
uname -r
Then compare that running kernel against the fixed version listed by the distribution.
Where a fixed kernel is not yet available, administrators should apply vendor-provided interim mitigations. Ubuntu’s mitigation disables the affected Linux kernel module through the kmod package, though Ubuntu also warns that disabling the module may affect applications using hardware-accelerated cryptography and that a reboot may be required for some applications to fall back cleanly. (Ubuntu)
A practical mitigation plan should look like this:
- Inventory affected systems. Identify all Linux servers, workstations, containers hosts, CI runners, and appliances running kernels from affected branches.
- Prioritize exposed multi-user and workload-hosting systems. Patch Kubernetes nodes, shared servers, build farms, hosting systems, jump boxes, and developer platforms first.
- Apply distribution updates. Use the official kernel packages from Ubuntu, Red Hat, AlmaLinux, Amazon Linux, SUSE, Debian, Fedora, Rocky, Oracle, Arch, or your relevant vendor.
- Reboot. Confirm that the patched kernel is actually running. A patched package sitting on disk does not fix a live vulnerable kernel.
- Apply interim module mitigations where available. Use the vendor’s mitigation rather than ad hoc changes whenever possible.
- Restrict untrusted local execution. Until patched, avoid running untrusted containers, CI jobs, shell users, plugins, or third-party workloads on vulnerable systems.
- Review container isolation assumptions. Containers share the host kernel. A kernel LPE is therefore more dangerous in containerized environments than many administrators realize.
- Monitor for suspicious local privilege escalation behavior. Look for unexpected root shells, unusual modification attempts around setuid binaries, suspicious use of scripting runtimes, and abnormal behavior from low-privileged accounts or containers.
Detection and Response Considerations
Because CopyFail is a local privilege escalation issue, detection should focus on suspicious activity after initial access. Administrators should review logs for unexpected privilege changes, abnormal execution of setuid binaries, unusual shell activity, and strange behavior from accounts or containers that should not be performing administrative actions.
Security teams should pay special attention to systems where untrusted code execution is normal: CI/CD runners, build systems, student shells, developer sandboxes, container clusters, and hosted application environments. These systems often blur the line between “local access” and “attacker access” because many different users or jobs may legitimately execute code.
If exploitation is suspected, treat the host as potentially compromised at the root level. That means ordinary file cleanup is not enough. Preserve evidence where possible, isolate the system, rotate credentials that may have been exposed, redeploy from trusted images, and verify that persistence mechanisms were not installed.
Bottom Line
CopyFail is not just another kernel CVE buried in a patch cycle. It is a high-impact local privilege escalation vulnerability in the Linux kernel, affecting a broad range of systems built on kernels dating back to 2017. It is especially important for multi-user systems, container hosts, CI/CD environments, and any Linux machine where untrusted users or workloads can run code.
The core response is straightforward: patch the kernel, reboot, confirm the running version, and restrict untrusted local execution until fixed. For organizations running Linux at scale, CopyFail should be treated as an urgent infrastructure vulnerability, not merely a routine endpoint update.