CVE-2026-31431, nicknamed Copy Fail, is a local privilege escalation (LPE) in the Linux kernel. Disclosed 29 April 2026. A working PoC exploit is publicly available. CISA has added CVE-2026-31431 to the Known Exploited Vulnerabilities catalog; federal agencies must patch by 15 May 2026. Microsoft, Canonical, and AlmaLinux have all published advisories. Patches are available for every major distribution. CVSS score: 7.8 High.

Patch first. Read the rest after.

What algif_aead is

algif_aead is the kernel's AEAD (Authenticated Encryption with Associated Data) socket interface under AF_ALG. It lets userspace programs call kernel crypto operations — AES-GCM, ChaCha20-Poly1305, and similar authenticated ciphers — through a socket API without needing privileges. The interface exists so that tools like OpenSSL can offload crypto to kernel implementations or hardware accelerators without running as root.

The key point: algif_aead is reachable by unprivileged users. No CAP_SYS_ADMIN required to open the socket. That is what makes this bug exploitable from a normal user account.

How the CVE-2026-31431 exploit works

The vulnerability is a logic error in the authencesn cryptographic template, triggered through the algif_aead kernel socket interface.

When a user submits a splice-based crypto request, authencesn uses a scratch byte at dst[assoclen + cryptlen] to rearrange ESN bytes for encryption. Because algif_aead chains page-cache pages directly into the destination scatter list for performance, that scratch byte write lands in a page-cache page — a page that backs a file on disk.

An attacker who controls the input can direct the write to the page-cache version of a setuid binary such as /usr/bin/su. The in-memory copy of the binary is modified. The on-disk file is not changed, but the kernel runs the in-memory version. The result: arbitrary code running as root.

Any local user with access to AF_ALG sockets can trigger this. No CAP_SYS_ADMIN required.

Affected kernel versions

Kernels from 4.14 through 6.17 are affected. The bug was introduced in 2017 with a commit to the AEAD code. Fixed mainline versions are 7.0, 6.19.12, and 6.18.22. Long-term support branches for 5.10, 5.15, 6.1, 6.6, 6.12, 6.18, and 6.19 each carry their own backported fix.

Distribution-specific affected ranges:

  • Ubuntu 22.04 LTS (Jammy): check the Ubuntu CVE tracker at ubuntu.com/security/CVE-2026-31431 for the current fixed kernel version
  • Ubuntu 24.04 LTS (Noble): check the Ubuntu CVE tracker at ubuntu.com/security/CVE-2026-31431 for the current fixed kernel version
  • AlmaLinux 8: kernels before 4.18.0-553.121.1.el8_10
  • AlmaLinux 9: kernels before 5.14.0-611.49.2.el9_7
  • RHEL 8/9: same family as AlmaLinux, check your errata channel
  • Debian 12 (Bookworm): kernels before 6.1.170-1

If you are running a self-compiled or upstream kernel between 5.1 and 6.12, you need the patch from kernel.org directly — your distribution packages will not cover custom builds.

How to patch

Ubuntu:

sudo apt update && sudo apt upgrade linux-image-generic
sudo reboot

AlmaLinux / RHEL / Rocky:

sudo dnf update kernel
sudo reboot

Debian:

sudo apt update && sudo apt upgrade linux-image-amd64
sudo reboot

A reboot is required. The patched kernel must be running — updating the package alone does not close the vulnerability.

How to verify you are patched

After rebooting, check the running kernel version:

uname -r

Compare the output against the fixed versions listed above. If the version is equal to or greater than the fixed version for your distribution, you are covered.

For Ubuntu, you can also confirm the package changelog:

apt-get changelog linux-image-$(uname -r) | grep CVE-2026-31431

If the CVE appears in the changelog with a fix marker, the running kernel includes the patch.

Workaround if you cannot patch immediately

The standard advice of blocking the module via modprobe.d does not apply here. On most distributions, algif_aead is compiled into the kernel (CONFIG_CRYPTO_USER_API_AEAD=y) rather than built as a loadable module. Entries in /etc/modprobe.d/ cannot block built-in code, and rmmod cannot unload it, so neither closes the attack surface.

Check whether algif_aead is built-in on your system:

grep CONFIG_CRYPTO_USER_API_AEAD /boot/config-$(uname -r)

If the output is CONFIG_CRYPTO_USER_API_AEAD=y, the module is built-in and cannot be unloaded.
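The two checks above (running kernel version against the fixed versions, and whether the AEAD socket interface is built in) can be scripted for a fleet. The following Python script is an added example, not part of this advisory or of any distribution's tooling. It compares kernel versions token by token as numbers, because a plain string comparison ranks 6.19.12 below 6.19.9, and it classifies CONFIG_CRYPTO_USER_API_AEAD from the kernel config. The fixed versions in its table are the ones quoted above; branches the advisory marks as fixed without giving a number are left as None placeholders to fill in from your errata. The Debian entry matches the package version (from dpkg -s), not uname -r, because Debian's uname output does not carry the package revision.

```python
"""Added example (not from the advisory): patch and exposure check for CVE-2026-31431."""
import os
import re
from pathlib import Path

CVE = "CVE-2026-31431"

# First fixed versions as quoted in the advisory text. A value of None means the
# advisory says the branch has a backported fix but gives no version number:
# fill these in from your distribution's errata (placeholder entries).
# Patterns are matched against `uname -r`, except the Debian entry, which is
# matched against the package version (dpkg -s linux-image-amd64).
FIXED = [
    (r"^7\.",               "7.0"),                      # mainline
    (r"^6\.19\.",           "6.19.12"),
    (r"^6\.18\.",           "6.18.22"),
    (r"^5\.14\.0-.*\.el9",  "5.14.0-611.49.2.el9_7"),    # AlmaLinux / RHEL 9
    (r"^4\.18\.0-.*\.el8",  "4.18.0-553.121.1.el8_10"),  # AlmaLinux / RHEL 8
    (r"^6\.1\.\d+-\d+$",    "6.1.170-1"),                # Debian 12 package version
    (r"^6\.12\.",           None),                       # LTS branches: placeholders
    (r"^6\.6\.",            None),
    (r"^6\.1\.",            None),
    (r"^5\.15\.",           None),
    (r"^5\.10\.",           None),
]


def version_key(version):
    """Split a kernel version into comparable tokens: digits as ints, text as-is.

    '6.19.12' becomes [(0, 6), (0, 19), (0, 12)], so 6.19.12 > 6.19.9 even
    though the raw strings compare the other way round.
    """
    return [(0, int(tok)) if tok.isdigit() else (1, tok)
            for tok in re.findall(r"\d+|[A-Za-z]+", version)]


def patch_status(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a version string."""
    for pattern, fixed in FIXED:
        if re.match(pattern, version):
            if fixed is None:
                return "unknown"   # affected branch, fixed version not in the table
            return "patched" if version_key(version) >= version_key(fixed) else "vulnerable"
    return "unknown"   # branch not in the table: consult the advisory


def parse_kernel_config(text):
    """Classify CONFIG_CRYPTO_USER_API_AEAD from kernel config text."""
    for line in text.splitlines():
        if line.startswith("CONFIG_CRYPTO_USER_API_AEAD="):
            value = line.split("=", 1)[1].strip()
            return {"y": "builtin", "m": "module"}.get(value, "unknown")
        if line.strip() == "# CONFIG_CRYPTO_USER_API_AEAD is not set":
            return "disabled"
    return "unknown"


def aead_interface_state(config_path=None):
    """Read /boot/config-$(uname -r) (or the given path) and classify it."""
    path = Path(config_path or f"/boot/config-{os.uname().release}")
    if not path.is_file():
        return "unknown"
    return parse_kernel_config(path.read_text(errors="replace"))


def main():
    running = os.uname().release
    print(f"{CVE}: running kernel {running} -> {patch_status(running)}")
    state = aead_interface_state()
    advice = {
        "builtin": "algif_aead is built in; modprobe.d blacklisting cannot remove it",
        "module": "algif_aead is a loadable module; a modprobe.d install rule can block autoload",
        "disabled": "the AF_ALG AEAD interface this bug is reached through is compiled out",
        "unknown": "kernel config not readable; check CONFIG_CRYPTO_USER_API_AEAD manually",
    }[state]
    print(f"CONFIG_CRYPTO_USER_API_AEAD: {state} ({advice})")


if __name__ == "__main__":
    main()
```

Run it as-is to print the host's status, or import it and feed it version strings collected from your inventory. If the config check reports module rather than builtin, the modprobe.d route ruled out above for built-in kernels does apply on that host: an install algif_aead /bin/false line in /etc/modprobe.d/ stops the module from being auto-loaded on the first AF_ALG bind, though an already-loaded copy still has to be unloaded, and legitimate AF_ALG users such as OpenSSL's afalg engine lose access.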

The only reliable mitigation short of patching is to restrict access to AF_ALG sockets using seccomp or AppArmor policies that block the socket(AF_ALG, ...) call for unprivileged users. This is complex to deploy correctly and is not a substitute for patching.
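Here is what such a seccomp policy looks like in practice, as an added example that is not part of the advisory or of any distribution's tooling. It is written in Python with ctypes rather than libseccomp so it runs with no extra packages. The filter returns EPERM for socket(AF_ALG, ...), kills the process on any syscall made through a non-x86_64 ABI (so the 32-bit compat path cannot sidestep the domain check), and allows everything else; the constants are the x86_64 values from the kernel uapi headers. The small interpreter included with it lets you test the policy against synthetic syscall data before installing it, which matters because a seccomp filter cannot be removed from a process once loaded.

```python
"""Added example (not from the advisory): a seccomp filter denying socket(AF_ALG, ...)."""
import ctypes
import errno
import socket
import struct

# Opcode and return constants from linux/filter.h, linux/seccomp.h,
# linux/audit.h and the x86_64 syscall table.
BPF_LD_W_ABS = 0x20          # BPF_LD | BPF_W | BPF_ABS: A = 32-bit word at offset k
BPF_JEQ_K = 0x15             # BPF_JMP | BPF_JEQ | BPF_K: pc += 1 + (A == k ? jt : jf)
BPF_RET_K = 0x06             # BPF_RET | BPF_K: return k
SECCOMP_RET_ALLOW = 0x7FFF0000
SECCOMP_RET_ERRNO = 0x00050000
SECCOMP_RET_KILL_PROCESS = 0x80000000
AUDIT_ARCH_X86_64 = 0xC000003E
NR_SOCKET_X86_64 = 41
AF_ALG = 38
PR_SET_NO_NEW_PRIVS, PR_SET_SECCOMP, SECCOMP_MODE_FILTER = 38, 22, 2

# Offsets into struct seccomp_data { int nr; __u32 arch; __u64 ip; __u64 args[6]; }
OFF_NR, OFF_ARCH, OFF_ARG0 = 0, 4, 16


def build_filter():
    """cBPF program: EPERM for socket(AF_ALG, ...), kill on a foreign arch, allow the rest.

    Each tuple is (code, jt, jf, k). Jump offsets are relative to the next
    instruction, so jf=5 at index 1 lands on index 7.
    """
    return [
        (BPF_LD_W_ABS, 0, 0, OFF_ARCH),                      # 0: A = arch
        (BPF_JEQ_K, 0, 5, AUDIT_ARCH_X86_64),                # 1: not x86_64 -> 7 (kill)
        (BPF_LD_W_ABS, 0, 0, OFF_NR),                        # 2: A = syscall number
        (BPF_JEQ_K, 0, 4, NR_SOCKET_X86_64),                 # 3: not socket() -> 8 (allow)
        (BPF_LD_W_ABS, 0, 0, OFF_ARG0),                      # 4: A = low 32 bits of arg0 (domain)
        (BPF_JEQ_K, 0, 2, AF_ALG),                           # 5: domain != AF_ALG -> 8 (allow)
        (BPF_RET_K, 0, 0, SECCOMP_RET_ERRNO | errno.EPERM),  # 6: socket(AF_ALG) -> -EPERM
        (BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS),         # 7: unexpected ABI (e.g. 32-bit compat)
        (BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW),                # 8: everything else
    ]


def evaluate(program, nr, arch, args=(0,) * 6):
    """Interpret the program over a synthetic seccomp_data; returns the SECCOMP_RET_* value.

    Lets the policy be unit-tested without installing it in the test process.
    """
    data = struct.pack("<iIQ6Q", nr, arch, 0, *args)
    acc, pc = 0, 0
    while True:
        code, jt, jf, k = program[pc]
        if code == BPF_LD_W_ABS:
            acc = struct.unpack_from("<I", data, k)[0]
            pc += 1
        elif code == BPF_JEQ_K:
            pc += 1 + (jt if acc == k else jf)
        elif code == BPF_RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")


class SockFilter(ctypes.Structure):
    _fields_ = [("code", ctypes.c_uint16), ("jt", ctypes.c_uint8),
                ("jf", ctypes.c_uint8), ("k", ctypes.c_uint32)]


class SockFprog(ctypes.Structure):
    _fields_ = [("len", ctypes.c_uint16), ("filter", ctypes.POINTER(SockFilter))]


def install_filter(program):
    """Install the filter on the calling process; children inherit it and it survives exec."""
    libc = ctypes.CDLL(None, use_errno=True)
    insns = (SockFilter * len(program))(*[SockFilter(*insn) for insn in program])
    prog = SockFprog(len(program), ctypes.cast(insns, ctypes.POINTER(SockFilter)))
    # no_new_privs is mandatory before an unprivileged process may load a filter
    if libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_NO_NEW_PRIVS failed")
    if libc.prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ctypes.byref(prog), 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_SECCOMP failed")


def main():
    install_filter(build_filter())
    try:
        socket.socket(AF_ALG, socket.SOCK_SEQPACKET).close()
        print("AF_ALG socket created: filter is NOT in effect")
    except PermissionError:
        print("socket(AF_ALG) -> EPERM: filter in effect")
    socket.socket(socket.AF_INET, socket.SOCK_STREAM).close()  # other families unaffected
    print("AF_INET still works")


if __name__ == "__main__":
    main()
```

The filter is per process and inherited across fork and exec, so covering "unprivileged users" means loading it early in each session, for instance from the process that spawns the login shell; a per-service equivalent is systemd's RestrictAddressFamilies=~AF_ALG, which installs the same kind of filter. Every legitimate AF_ALG user in that session, OpenSSL's afalg engine included, loses access, which is part of why this is described above as complex to deploy.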

Schedule a maintenance window and patch. The PoC is public and the exploitation path is well documented.

What to do on cloud and Kubernetes environments

On cloud VMs, the fix lives in the guest kernel you run: update the kernel package and reboot the instance. For managed Kubernetes node pools (GKE, EKS, AKS), check whether your node image version predates the fixed kernel. Most managed providers have pushed updated node images; rolling your node pool to the latest image is the equivalent of a kernel upgrade.

For self-managed Kubernetes nodes, treat this the same as a bare-metal kernel update. Drain the node, patch, reboot, uncordon.

For container-level vulnerability scanning, Trivy 0.70.0 covers kernel CVE detection. If you run Wazuh for SIEM, Wazuh 5.0 adds detection rules for privilege escalation attempts.

Read the Microsoft advisory, the Ubuntu blog post, and the AlmaLinux advisory for distribution-specific guidance and additional detection indicators.