Pierluigi Paganini
April 30, 2026
Xint Code researchers warn of a serious Linux flaw, tracked as CVE-2026-31431 (CVSS score of 7.8), dubbed Copy Fail. It lets any local, unprivileged user write four controlled bytes into the page cache of any readable file, enabling escalation to root on major distributions.
The bug combines AF_ALG and splice() to write 4 bytes into the page cache of any readable file. A 732-byte script can modify a setuid binary in memory, without changing the file on disk, making detection difficult. The issue affects major distributions like Ubuntu, RHEL, SUSE, and Amazon Linux, and can even cross container boundaries due to shared page cache.
“Copy Fail (CVE-2026-31431) is a logic bug in the Linux kernel’s authencesn cryptographic template. It lets an unprivileged local user trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system.” reads the report published by Xint Code. “A single 732-byte Python script can edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017.“
Copy Fail exploits a kernel logic flaw where corrupted page‑cache data is never marked dirty, leaving disk files unchanged while the in‑memory version is silently altered. Because the page cache is what processes read, an unprivileged user can corrupt a setuid binary’s cached page and gain root. The shared cache also lets the attack cross container boundaries. The bug, surfaced through AI‑assisted analysis of crypto‑subsystem behavior, is portable, tiny, race‑free, and stealthy, unlike Dirty Cow or Dirty Pipe. It works across major distros and architectures and forms the basis for both local privilege escalation and Kubernetes container escapes.
The bug starts in AF_ALG, which lets any user access the kernel crypto subsystem without privileges. Attackers use splice() to map file page cache pages directly into a crypto scatterlist, so operations act on real file-backed memory. During AEAD decryption, the kernel sets the operation in-place, mixing user buffers with page cache pages in one writable structure.
The authencesn algorithm breaks expectations: it uses the output buffer as scratch space and writes 4 bytes past the allowed boundary. In this setup, that write lands directly in the page cache of a chosen file. Attackers control the file, offset, and value, enabling precise memory corruption and privilege escalation.
This flaw emerged from combined changes over years, authencesn design, AF_ALG support, and a 2017 in-place optimization, creating a long-hidden but critical vulnerability.
The exploit targets /usr/bin/su, a common setuid-root binary on Linux systems.
/usr/bin/su as writable memory.execve("/usr/bin/su"). The kernel loads the modified version from the page cache instead of disk. Since su runs with setuid-root privileges, the injected code executes as root, giving full system control.The researchers published a demo showing the same 732-byte exploit run on four Linux distributions, where a normal user (uid 1001) consistently gains root access. Tested systems include Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16, covering kernel versions 6.12 to 6.18, all successfully compromised.
“If your kernel was built between 2017 and the patch — which covers essentially every mainstream Linux distribution — you’re in scope.” the researchers wrote. “Copy Fail requires only an unprivileged local user account — no network access, no kernel debugging features, no pre-installed primitives. The kernel crypto API (AF_ALG) ships enabled in essentially every mainstream distro’s default config, so the entire 2017 → patch window is in play out of the box.”
The researchers published a PoC to allow defenders to verify their own systems and validate vendor patches.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Linux)
