On April 29, 2026, researchers publicly disclosed a highly reliable local privilege escalation vulnerability tracked as CVE-2026-31431.
How the Copy Fail vulnerability works inside AF_ALG and algif_aead
Copy Fail is a deterministic logic flaw in the Linux kernel's cryptographic subsystem. It resides in the algif_aead module of the AF_ALG user-space crypto API and traces to three independent changes: the addition of the authencesn algorithm in 2011, AEAD support for AF_ALG in 2015, and a 2017 in-place optimization (commit 72548b093ee3) that made req->src and req->dst point to a combined scatterlist.
That 2017 optimization caused page cache pages produced by splice() to be improperly chained into a writable destination scatterlist. The authencesn algorithm uses the caller's destination buffer as a scratch pad and writes four controlled bytes past the legitimate output region, crossing a chained scatterlist boundary and failing to restore the overwritten bytes. An attacker misusing the AF_ALG socket interface and splice() can therefore direct a four-byte overwrite into the kernel's file page cache.
What an attacker can do: targeting the page cache of setuid binaries
The exploit allows an unprivileged local attacker to target the in-memory page cache for readable setuid-root binaries such as /usr/bin/su, sudo or passwd. By controlling the Associated Authenticated Data (AAD) bytes 4–7 (the seqno_lo value) in a sendmsg() call, an attacker controls the exact four-byte overwrite value. The attacker also controls where the overwrite lands by manipulating the splice offset, splice length and assoclen parameters, allowing precise targeting of the .text section of a setuid binary to inject shellcode.
Because the corruption occurs in RAM only, physical files on disk remain unchanged. The corrupted page will be evicted or cleared on reboot and the binary reloads clean from disk, leaving no persistent artifact on disk and bypassing typical file-integrity checks that inspect the filesystem.
Scope, affected kernels and impacted environments
Copy Fail affects Linux kernels between 4.14 and 6.19.12 and therefore impacts "virtually all major Linux distributions shipped since 2017," the researchers said. The source lists affected distributions explicitly: Ubuntu, Amazon Linux, Red Hat Enterprise Linux, Debian, SUSE and AlmaLinux — a set the advisory says represents millions of systems.
The advisory highlights broad operational impacts: because the kernel and its page cache are shared across a node, an attacker can break out of Kubernetes containers, overtake multi-tenant hosts and compromise CI/CD pipelines running on vulnerable kernels.
Why this vulnerability is unusually severe
- Deterministic exploit: The bug is a straight-line logic flaw that does not rely on race conditions or guessing kernel offsets.
- High reliability: The exploit is said to work on the first attempt, with "100% reliability" in tests.
- Portability and ease: A standalone 732-byte Python script using only standard libraries (os, socket, zlib) can exploit the flaw unmodified across distributions.
- Stealthy persistence: Because the modification is in-memory only, it evades file-system integrity tools and leaves no on-disk trace once the page is evicted or the system reboots.
- Upstream fix: The flaw was addressed in upstream stable branches by reverting the flawed 2017 optimization (commit a664bf3d603d), returning the module to out-of-place operation so source and destination scatterlists remain separate.
Mitigation, vendor guidance and what teams should do now
Palo Alto Networks' Unit 42 strongly urges applying vendor-issued kernel updates immediately. Where immediate patching is infeasible, the advisory recommends disabling the vulnerable algif_aead module as an interim mitigation by running these commands as root to block loading and remove the module from the running kernel:
- echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
- rmmod algif_aead
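As an added triage helper that is not part of the Unit 42 advisory or this article: a POSIX shell script that tests the running kernel version against the affected range quoted above (4.14 through 6.19.12, read here as inclusive), reports whether algif_aead is currently loaded, and checks whether the modprobe block above is already in place. Distribution kernels backport fixes, so a version "hit" is a prompt to consult the vendor advisory, not proof of exposure.

```shell
#!/bin/sh
# Added example (not from the advisory): Copy Fail triage helper.
# Assumptions: the affected range is [4.14, 6.19.12] inclusive as the
# article states; vendor backports can make a kernel in that range safe.

# Return 0 (true) if dotted version $1 sorts lower than $2, else 1.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Return 0 if the kernel release string $1 (e.g. "5.15.0-101-generic",
# suffix is stripped) falls inside the published affected range.
kernel_in_affected_range() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    if ver_lt "$v" "4.14"; then return 1; fi
    if ver_lt "6.19.12" "$v"; then return 1; fi
    return 0
}

# Report whether algif_aead is loaded and whether the interim modprobe
# block recommended by the advisory is present under /etc/modprobe.d.
check_module_state() {
    if grep -q '^algif_aead ' /proc/modules 2>/dev/null; then
        echo "algif_aead: LOADED (advisory: rmmod algif_aead)"
    else
        echo "algif_aead: not loaded"
    fi
    if grep -rqs 'install algif_aead /bin/false' /etc/modprobe.d/; then
        echo "modprobe block: present"
    else
        echo "modprobe block: ABSENT"
    fi
}

running=$(uname -r)
if kernel_in_affected_range "$running"; then
    echo "kernel $running: inside affected range; confirm with vendor advisory"
else
    echo "kernel $running: outside the published affected range"
fi
check_module_state
```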
The Linux Foundation has posted an advisory with mitigation details for CVE-2026-31431. Unit 42 also notes that a proof-of-concept script is publicly available and that preliminary testing activity has been observed. Palo Alto Networks offers protections and hunting guidance via Cortex XDR, XSIAM, Cortex Cloud and Managed Threat Hunting XQL queries, and recommends engaging the Unit 42 Incident Response team for compromise response or proactive assessment.
What this means for technologists, CI/CD teams, and multi-tenant host operators
- Technologists and security teams: Patch kernels to versions incorporating the upstream revert (commit a664bf3d603d) or apply the interim module block; use the Unit 42 XQL hunting guidance if Cortex XDR/XSIAM is in use.
- CI/CD and cloud platform operators: Treat build agents and shared runners as high-risk; the advisory explicitly warns about compromising CI/CD pipelines and cloud-native multi-tenancy.
- Multi-tenant host operators: Be aware that node-level page cache sharing enables lateral movement and privilege escalation across containers and VMs on the same host.
For organizations concerned about exposure, Unit 42 provides contact channels for incident response engagement and ongoing Managed Threat Hunting. The advisory's core, unambiguous instruction is simple: apply vendor kernel updates now, or disable algif_aead until you can.