RC RANDOM CHAOS

'Copy Fail' kernel flaw hands root to any local Linux user since 2017

via The Hacker News

Original source: New Linux 'Copy Fail' Vulnerability Enables Root Access on Major Distributions (The Hacker News)

A logic bug in the Linux kernel's algif_aead module (the AF_ALG user-space interface to AEAD ciphers), introduced by a 2017 commit that added an in-place optimization, lets an unprivileged local user write four attacker-controlled bytes into the page cache of any file they can read. Tracked as CVE-2026-31431 (CVSS 7.8) and named Copy Fail by Xint.io and Theori, it is exploitable with a 732-byte Python script: the script opens an AF_ALG socket bound to authencesn(hmac(sha256),cbc(aes)), uses splice() to land the bytes in the kernel's cached copy of /usr/bin/su, and then executes the modified setuid binary so that its shellcode runs as root.

The primitive works on essentially every major distribution shipped since 2017, including Amazon Linux, RHEL, SUSE and Ubuntu, and it crosses container boundaries because the page cache is shared by every container on the host. Unlike many kernel local privilege escalations, it needs no race window and no leaked kernel offsets, so exploitation is deterministic across kernel versions.

Researchers compare it directly to Dirty Pipe (CVE-2022-0847): it is the same class of page-cache corruption primitive, reached through the AEAD socket subsystem instead of pipes. The combination of portability, a tiny payload, reliability and the potential for container escape is what raises the risk. Distributions have shipped advisories and patches; operators of multi-tenant Linux hosts and container platforms should treat patching as urgent.
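The one thing a host operator can check quickly, before or after patching, is whether the attack surface this flaw lives in is reachable at all: can an unprivileged process create an AF_ALG socket and bind it to the AEAD transform the article names? The probe below is an added example written for this summary; it is not code from the article, from Xint.io or Theori, and it is not the exploit. The function name probe_af_alg and the local mirror of struct sockaddr_alg are this example's own; the socket family, socket type and bind semantics are the kernel's real AF_ALG API.

```c
/* af_alg_probe.c: report whether the AEAD transform used by Copy Fail
 * can be instantiated from an unprivileged process via AF_ALG.
 * Added diagnostic example; it does not write to the page cache. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

#ifndef AF_ALG
#define AF_ALG 38          /* value of AF_ALG from <linux/socket.h> */
#endif

/* Local mirror of struct sockaddr_alg from <linux/if_alg.h>, so the
 * file also compiles on hosts that lack the kernel UAPI header. */
struct alg_addr {
    uint16_t salg_family;
    uint8_t  salg_type[14];   /* "aead", "skcipher", "hash", ... */
    uint32_t salg_feat;
    uint32_t salg_mask;
    uint8_t  salg_name[64];   /* transform name, NUL-terminated */
};

/* Returns 0 if a transform socket for (type, name) can be created and
 * bound by the calling user, otherwise the negative errno of the call
 * that failed. Typical failures: -EAFNOSUPPORT when the kernel has no
 * AF_ALG support at all, -ENOENT when algif_<type> cannot be loaded or
 * the named transform does not exist. */
int probe_af_alg(const char *type, const char *name)
{
    struct alg_addr sa;
    int fd, err = 0;

    /* Both fields must keep their trailing NUL, exactly as the kernel expects. */
    if (strlen(type) >= sizeof sa.salg_type || strlen(name) >= sizeof sa.salg_name)
        return -EINVAL;

    memset(&sa, 0, sizeof sa);
    sa.salg_family = AF_ALG;
    memcpy(sa.salg_type, type, strlen(type));
    memcpy(sa.salg_name, name, strlen(name));

    fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (fd < 0)
        return -errno;

    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
        err = -errno;

    close(fd);
    return err;
}

int main(void)
{
    /* The transform named in the article's description of the exploit. */
    const char *name = "authencesn(hmac(sha256),cbc(aes))";
    int rc = probe_af_alg("aead", name);

    if (rc == 0)
        printf("aead %s: reachable via AF_ALG from this user\n", name);
    else
        printf("aead %s: not reachable (%s)\n", name, strerror(-rc));
    return 0;
}
```

Build with `cc -o af_alg_probe af_alg_probe.c` and run it as an ordinary user. A result of "reachable" means only that the algif_aead path exists and is usable by unprivileged code; it does not tell you whether the kernel carries the fix, so the authoritative check remains the kernel version against your distribution's advisory. If patching has to wait, one workaround (this is the editor's suggestion, not something the article recommends) is to stop the module from loading on demand with `install algif_aead /bin/false` in a file under /etc/modprobe.d/, after which the probe reports ENOENT. That only helps where algif_aead is built as a module; if CONFIG_CRYPTO_USER_API_AEAD=y in the running kernel's config the code is compiled in and cannot be blocked this way, and blocking it also breaks any legitimate software that uses AF_ALG for AEAD operations.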

Continue reading at The Hacker News

This is an AI-generated summary. Read the original for the full story.