A critical Linux kernel vulnerability, CVE-2026-31431, nicknamed Copy Fail, was publicly disclosed on April 29, 2026. It affects virtually every Linux server running a kernel built since 2017. Any unprivileged local user can gain full root access with a 732-byte Python script. No race conditions. No special setup required. It works on Ubuntu, RHEL, Debian, AlmaLinux, Rocky Linux, SUSE, and Amazon Linux alike.

What Is Copy Fail CVE-2026-31431?
Copy Fail is a logic bug in the Linux kernel’s algif_aead module — part of the AF_ALG userspace crypto API. A flaw introduced via kernel commit 72548b093ee3 in 2017 allowed page-cache pages to end up in a writable destination scatterlist. An attacker chains an AF_ALG socket operation with splice() to write 4 controlled bytes into the page cache of any readable file on the system.
The kernel reads the page cache when loading binaries. So modifying the cached copy of a setuid binary like /usr/bin/su effectively rewrites it for execution. The attacker gets a root shell instantly. No disk write occurs. Standard file integrity checks will not catch it.
The CVSS 3.1 score is 7.8 (HIGH). It was discovered by researchers at Xint Code and added to the CISA Known Exploited Vulnerabilities catalog on May 1, 2026. Active exploitation is confirmed in the wild.
Am I Affected?
Run this on your server to check your kernel version:
uname -r
Any version between 4.13 and 6.19.11 is vulnerable. That covers Ubuntu 18.04+, Debian 10+, RHEL/CentOS 8+, and all current AlmaLinux and Rocky Linux releases. Also check whether the module is currently loaded:
grep -qE '^algif_aead ' /proc/modules \
&& echo "VULNERABLE: module is loaded" \
|| echo "Module not loaded - still patch your kernel"
Even if the module is not loaded right now, the kernel is still vulnerable. An attacker can load it at any time. Patch regardless.
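The range check above in script form, added here as an example (not part of the original article), so it can be run over an inventory of release strings instead of one host at a time. Distribution kernels keep their upstream base version after a fix is backported, so a match means "confirm the installed package against the vendor advisory". Function names and the sample release strings are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify kernel release strings against the range stated in
# the article (4.13 through 6.19.11). Function names are illustrative.

# "5.15.0-105-generic" -> 5015000  (major*1000000 + minor*1000 + patch)
ver_to_int() (
    base=${1%%[-+_]*}     # drop the distro/build suffix, keep "5.15.0"
    IFS=.
    set -- $base          # split on dots into $1 $2 $3
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    pat=${pat%%[!0-9]*}   # tolerate tails such as "0rc1"
    echo $(( maj * 1000000 + min * 1000 + ${pat:-0} ))
)

# Exit status 0 when the upstream base version is inside 4.13 .. 6.19.11.
in_copyfail_range() {
    v=$(ver_to_int "$1")
    [ "$v" -ge "$(ver_to_int 4.13)" ] && [ "$v" -le "$(ver_to_int 6.19.11)" ]
}

classify() {
    if in_copyfail_range "$1"; then
        echo "$1: in affected range - confirm the package against the vendor advisory"
    else
        echo "$1: outside the affected range"
    fi
}

# Running kernel first, then constructed sample release strings.
for rel in "$(uname -r)" 4.12.14-lp151 4.18.0-553.el8_10.x86_64 6.19.11 6.19.12-1; do
    classify "$rel"
done
```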
Step 1 — Immediate Mitigation (No Reboot Needed)

Before scheduling a kernel update, block the vulnerable module right now. This stops the attack vector without any reboot:
# Block the module from loading (run these commands as root)
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
# Unload it if currently running
rmmod algif_aead 2>/dev/null || true
# Confirm it is gone
grep -qE '^algif_aead ' /proc/modules \
&& echo "WARNING: still loaded" \
|| echo "OK: module not loaded"
This mitigation has no effect on dm-crypt/LUKS, kTLS, IPsec/XFRM, OpenSSL, GnuTLS, NSS, or SSH. Before applying it, verify that nothing is actively using the module:
lsof | grep AF_ALG
If nothing appears, the mitigation is completely safe to apply right now.
Step 2 — Install the Patched Kernel
The official fix was merged into the mainline Linux kernel on April 1, 2026 (commit a664bf3d603d). It reverts the 2017 optimisation and returns AF_ALG AEAD to out-of-place operation. All major distributions have now shipped patched kernels. Follow the steps for your distribution below.
Ubuntu / Debian
sudo apt update && sudo apt upgrade -y
sudo reboot
Ubuntu 26.04 (Resolute) and later are not affected. For Ubuntu 24.04, 22.04, and 20.04 — patch now.
AlmaLinux / Rocky Linux / RHEL
sudo dnf clean metadata && sudo dnf upgrade -y
sudo reboot
CentOS Stream / Fedora
sudo dnf upgrade --refresh -y
sudo reboot
CloudLinux (cPanel Servers)
dnf update 'kernel-lts*' --enablerepo=cloudlinux-updates-testing
reboot
KernelCare users on CloudLinux can apply a live patch — no reboot required:
kcarectl --update
kcarectl --patch-info | grep -i 'CVE-2026-31431'
Step 3 — Verify the Patch

After rebooting, run these checks to confirm the patch is active:
# Confirm new kernel version
uname -r
# Confirm the module is blocked (if it is not blocked, this command loads it)
modprobe algif_aead 2>&1 \
&& echo "WARNING: module loaded - check patch" \
|| echo "OK: module blocked"
# Check the blacklist file is present
cat /etc/modprobe.d/disable-algif.conf
Once you are on a patched kernel, you can safely remove the blacklist file:
rm /etc/modprobe.d/disable-algif.conf
update-initramfs -u # Ubuntu/Debian
dracut --force # RHEL/AlmaLinux/Rocky
Containers and Kubernetes
Containers share the host kernel. Patching the host protects all containers running on it. However, Copy Fail can also facilitate container escape in multi-tenant environments. Therefore, patch the host kernel first. For Kubernetes clusters, drain and patch each node individually:
kubectl get nodes -o wide
kubectl cordon <node-name>
kubectl drain <node-name> --ignore-daemonsets --delete-emptydir-data
# Patch the node kernel and reboot, then:
kubectl uncordon <node-name>
Also Patch: Dirty Frag (CVE-2026-43284)
Researchers disclosed a related vulnerability named Dirty Frag on May 7, 2026. Dirty Frag exploits a similar page-cache write primitive through the IPsec ESP modules (esp4, esp6) and the RxRPC protocol. Like Copy Fail, this flaw leads to root escalation. Notably, systems already patched for Copy Fail remain vulnerable to Dirty Frag. Block it now:
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
> /etc/modprobe.d/disable-dirtyfrag.conf
rmmod esp4 esp6 rxrpc 2>/dev/null || true
The current kernel updates for all major distributions fix both Copy Fail and Dirty Frag together. One update and one reboot covers both vulnerabilities.
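A read-only way to confirm the blocks from Step 1 and the Dirty Frag section, added here as an example and not taken from the original article: it parses modprobe.d and /proc/modules instead of calling modprobe, so an unblocked module is reported rather than loaded. Function names are illustrative, and treating an install line that points at /bin/false or /bin/true as "blocked" is an assumption of this example.

```sh
#!/bin/sh
# Added example: read-only check of the module blocks from this article.
# Paths default to the live system; pass others to inspect a captured copy.

norm() { printf '%s' "$1" | sed 'y/-/_/'; }   # modprobe treats '-' and '_' alike

# is_blocked <module> <conf_dir>: true if a *.conf file maps the module's
# install command to /bin/false or /bin/true (assumed to mean "blocked").
is_blocked() {
    want=$(norm "$1")
    for f in "$2"/*.conf; do
        [ -f "$f" ] || continue
        while read -r kw name cmd rest || [ -n "$kw" ]; do
            [ "$kw" = install ] || continue
            [ "$(norm "$name")" = "$want" ] || continue
            case $cmd in
                /bin/false|/bin/true|/usr/bin/false|/usr/bin/true) return 0 ;;
            esac
        done < "$f"
    done
    return 1
}

# is_loaded <module> <modules_file>: /proc/modules format, name in column 1.
is_loaded() { grep -q "^$(norm "$1") " "$2" 2>/dev/null; }

# module_state <module> [modules_file] [conf_dir] -> loaded | blocked | unblocked
module_state() {
    if is_loaded "$1" "${2:-/proc/modules}"; then echo loaded
    elif is_blocked "$1" "${3:-/etc/modprobe.d}"; then echo blocked
    else echo unblocked
    fi
}

# Modules named in the article: Copy Fail (algif_aead), Dirty Frag (esp4, esp6, rxrpc).
for m in algif_aead esp4 esp6 rxrpc; do
    printf '%-12s %s\n' "$m" "$(module_state "$m")"
done
```

Only /etc/modprobe.d is read by default, while modprobe also honours other directories such as /run/modprobe.d and /lib/modprobe.d. Code compiled into the kernel never appears in /proc/modules and cannot be blocked this way.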
Conclusion
Copy Fail (CVE-2026-31431) is among the most serious Linux kernel vulnerabilities in recent years. A 732-byte script turns any local user into root on virtually every Linux server running a kernel built since 2017. The fix is simple: disable the module now, update the kernel, reboot. Do not delay. Also check our guide on recovering a Linux server after critical failures for more server hardening and recovery tips.