VU#260001: Linux kernel contains local privilege escalation vulnerability (Copy Fail)
A new privilege escalation vulnerability, named "Copy Fail," has been found in Linux kernels 4.17 and later. This flaw, assigned CVE-2026-31431, allows local users to gain root access. The vulnerability stems from a logic error within the algif_aead module, used for authenticated encryption. An unprivileged user can write four controlled bytes to the page cache of any readable file. This in-memory modification can bypass integrity checks; the file remains unchanged on disk. Attackers can exploit this by targeting a setuid binary, altering its in-memory contents to escalate privileges. A public Python proof-of-concept exists, increasing the risk of exploitation. The solution involves applying upstream kernel patches that revert AEAD operations. Users should update their Linux distributions as soon as updates are available. Workarounds include disabling the algif_aead module or blacklisting its initialization. Containerized environments require additional mitigations like seccomp filtering, AppArmor policies, or eBPF-based enforcement. Virtualization does not allow the bug to be leveraged for host escape, due to memory isolation. The vulnerability was discovered by Theori and documented by Bob Kemerer and Vijay Sarvepalli.