srubin
Staff
April 30, 2026

Technical Tip: How Lacework FortiCNAPP protects from CVE-2026-31431, Linux Kernel 'Copy Fail' Local Privilege Escalation Vulnerability

Description

This article describes a Local Privilege Escalation (LPE) vulnerability in the Linux kernel (CVE-2026-31431), codenamed 'Copy Fail', that allows an unprivileged local user to gain full root access on virtually any Linux distribution shipped since 2017. The vulnerability was disclosed publicly on April 30, 2026 by researchers at Xint.io and Theori, and carries a CVSS score of 7.8 (High).

 

The vulnerability exists in the kernel's cryptographic subsystem, specifically the algif_aead module, which exposes Authenticated Encryption with Associated Data (AEAD) operations to userspace via the AF_ALG socket interface. A 2017 optimization that allowed AEAD operations to run 'in-place' introduced a logic flaw that lets a page-cache page belonging to a file the user does not own end up in the writable destination of a kernel crypto operation.

 

By abusing this flaw, an unprivileged local user can write four attacker-controlled bytes into the page cache of any readable file on the system - including setuid binaries such as /usr/bin/su. A proof-of-concept Python exploit roughly 732 bytes in size is sufficient to corrupt the cached copy of a setuid binary and execute arbitrary code as root. Because the page cache is shared across all processes on the host, the same primitive also breaks out of containers, affecting any tenant on a shared kernel.

Scope

Affected versions:

 

The vulnerable code was introduced in upstream Linux kernel commit 72548b093ee3 (August 2017) and is present in essentially every mainline kernel released since. All major distributions are affected, including:

  • Amazon Linux

  • Debian

  • Red Hat Enterprise Linux (RHEL)

  • SUSE Linux Enterprise

  • Ubuntu

 

Affected kernel component:

  • algif_aead — the AF_ALG userspace interface for AEAD ciphers (e.g., authenc(hmac(sha256),cbc(aes))).

 

Attack vector: Local — an unprivileged user account with the ability to open an AF_ALG socket.


Potential impact: Full root privilege escalation, container escape on hosts with shared kernels, and tampering with setuid binaries.

 

In-depth information can be found at:

Solution

Lacework FortiCNAPP automatically detects affected hosts and container images running vulnerable kernel versions on Debian, Red Hat Enterprise Linux (RHEL), and Ubuntu via the Vulnerability Management Component. FortiCNAPP will also detect Potentially Compromised Hosts exhibiting suspicious privilege escalation or page-cache tampering behavior via Composite Alerts and Polygraph.

 

To mitigate this vulnerability, administrators should update the Linux kernel to a patched version provided by their distribution and reboot affected systems. The upstream fix reverts the 2017 in-place optimization in algif_aead, restoring out-of-place operation. If no patch is available yet for the distribution in use, follow the interim mitigation guide below.

 

Patch availability:

Distribution                    | Patch status            | FortiCNAPP detection
--------------------------------|-------------------------|------------------------------------
Debian                          | Patch available         | Yes
Red Hat Enterprise Linux (RHEL) | Patch available         | Yes
Ubuntu                          | Patch available         | Yes
Alpine                          | No patch / advisory yet | Not yet — apply interim mitigation
openSUSE                        | No patch / advisory yet | Not yet — apply interim mitigation
Oracle Linux                    | No patch / advisory yet | Not yet — apply interim mitigation
Amazon Linux                    | No patch / advisory yet | Not yet — apply interim mitigation

 

Patching guidance (where patches are available):

 

On distributions with patches available, use the system's package manager to upgrade the kernel packages to the latest version, then reboot the host to load the patched kernel. Upgrading the package alone leaves the vulnerable kernel running until the reboot, so confirm afterwards that the running kernel (uname -r) is the patched build. No additional configuration is required once the updated kernel is running.

 

Interim mitigation (where patching cannot be applied immediately, or no patch is available yet):

 

If the host does not require userspace AEAD operations via AF_ALG, the algif_aead module can be blacklisted to remove the vulnerable code path. The other AF_ALG socket types (hash, skcipher, rng) are served by separate modules and are not affected by this change:

echo "blacklist algif_aead" | sudo tee /etc/modprobe.d/blacklist-algif_aead.conf
sudo modprobe -r algif_aead

Three caveats apply. A blacklist entry only suppresses loading through the module's aliases; it does not stop a load request by module name, whether from an explicit modprobe or from the kernel's own autoload when a process binds an AF_ALG socket of type "aead", so adding an install algif_aead /bin/false line to the same file is the stronger setting and blocks both. modprobe -r fails if a process currently holds an AF_ALG AEAD socket, so verify with lsmod that the module is actually gone. And if algif_aead is built into the kernel rather than loaded as a module (CONFIG_CRYPTO_USER_API_AEAD=y), blacklisting has no effect and patching is the only remedy.
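As an added example (not from the original article and not part of FortiCNAPP), the following POSIX shell script checks whether a host has actually closed the gap described by the patching and interim-mitigation steps above: whether the running kernel is the newest one installed (i.e. whether the host has been rebooted into the patched kernel), whether algif_aead is built in, currently loaded or absent, and whether /etc/modprobe.d blocks it by name or only by alias. The paths are the standard ones; the status strings are this script's own convention, and the /proc/modules and modules.builtin contents inside demo() are constructed sample data.

```shell
#!/bin/sh
# Added example: post-remediation posture check for the algif_aead ('Copy Fail')
# guidance. Not from the original article. Paths are the usual Linux locations;
# the status strings (reboot-needed, blacklist-only, ...) are this script's own.

# Echo the newest version from a newline-separated list of kernel versions
# (e.g. the output of `ls /lib/modules`).
newest_kernel() {
    sort -V | tail -n 1
}

# kernel_status RUNNING NEWEST -> running-newest | reboot-needed | running-unlisted
kernel_status() {
    running="$1"
    newest="$2"
    if [ "$running" = "$newest" ]; then
        echo running-newest
    elif [ "$(printf '%s\n%s\n' "$running" "$newest" | newest_kernel)" = "$newest" ]; then
        echo reboot-needed          # a newer kernel is installed but not yet running
    else
        echo running-unlisted       # running kernel is newer than anything under /lib/modules
    fi
}

# classify_algif_aead PROC_MODULES MODULES_BUILTIN -> builtin | loaded | not-loaded
# A built-in algif_aead cannot be blacklisted or unloaded; only patching helps.
classify_algif_aead() {
    if grep -q '/algif_aead\.ko$' "$2" 2>/dev/null; then
        echo builtin
    elif grep -q '^algif_aead ' "$1" 2>/dev/null; then
        echo loaded
    else
        echo not-loaded
    fi
}

# modprobe_policy CONF_DIR -> blocked | blacklist-only | unprotected
# "blacklist" only stops alias-based autoloading; "install ... /bin/false"
# also defeats a load request by name (explicit modprobe or kernel autoload).
modprobe_policy() {
    if grep -rqE '^[[:space:]]*install[[:space:]]+algif[-_]aead[[:space:]]' "$1" 2>/dev/null; then
        echo blocked
    elif grep -rqE '^[[:space:]]*blacklist[[:space:]]+algif[-_]aead([[:space:]]|$)' "$1" 2>/dev/null; then
        echo blacklist-only
    else
        echo unprotected
    fi
}

# Write the stronger policy (both directives) into CONF_DIR.
write_policy() {
    printf 'blacklist algif_aead\ninstall algif_aead /bin/false\n' > "$1/blacklist-algif_aead.conf"
}

# Constructed sample data so the checks can be exercised offline.
demo() {
    d=$(mktemp -d)
    printf 'algif_aead 16384 0 - Live 0x0000000000000000\naf_alg 32768 1 algif_aead, Live 0x0000000000000000\n' > "$d/modules"
    printf 'kernel/crypto/aead.ko\nkernel/crypto/af_alg.ko\n' > "$d/builtin"
    mkdir "$d/modprobe.d"
    echo "kernel:  $(kernel_status 6.1.0-18-amd64 6.1.0-21-amd64)"     # reboot-needed
    echo "module:  $(classify_algif_aead "$d/modules" "$d/builtin")"   # loaded
    echo "policy:  $(modprobe_policy "$d/modprobe.d")"                  # unprotected
    write_policy "$d/modprobe.d"
    echo "policy:  $(modprobe_policy "$d/modprobe.d")"                  # blocked
    rm -rf "$d"
}

if [ "${1:-}" = "--live" ]; then
    running=$(uname -r)
    echo "kernel:  $(kernel_status "$running" "$(ls /lib/modules | newest_kernel)")"
    echo "module:  $(classify_algif_aead /proc/modules "/lib/modules/$running/modules.builtin")"
    echo "policy:  $(modprobe_policy /etc/modprobe.d)"
else
    demo
fi
```

Run it with --live on a real host (as root if /etc/modprobe.d is not world-readable); without arguments it runs against the constructed sample data. A host is only safe when the kernel line reports running-newest on a patched version, or, failing that, when the module line is not-loaded and the policy line is blocked.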

 

Note: Because the page cache is shared across containers running on the same kernel, patching the host kernel protects all containers on that host - patching individual container images is not sufficient. Multi-tenant Kubernetes nodes and shared CI runners should be prioritized.