Copy Fail (CVE-2026-31431): 732 Bytes to Root Threatens Linux and Cloud Workloads
Copy Fail (CVE-2026-31431) gives local root on most Linux since 2017. CISA flags active exploitation. Patches and mitigations: what teams must do now.
Copy Fail (CVE-2026-31431) puts Linux and Kubernetes on high alert
A newly disclosed Linux kernel flaw dubbed Copy Fail and tracked as CVE-2026-31431 is rippling across data centers after U.S. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on May 1, 2026. The bug enables a trivially reliable local privilege escalation to root on most major Linux distributions released since 2017; a working proof-of-concept (PoC) is circulating publicly and weighs in at roughly 732 bytes. Patches and vendor mitigations began rolling out late last week, but fleet exposure remains high in multi-tenant and containerized environments. (nvd.nist.gov)
Why this matters now
- Cloud and container blast radius: Because containers share the host kernel, a single vulnerable node can allow a low-privileged process to escalate to root on the host, enabling lateral movement across clusters. Microsoft warns that millions of Kubernetes workloads could be exposed if hosts remain unpatched. (microsoft.com)
- Active exploitation signal: CISA’s KEV listing confirms exploitation in the wild and sets a remediation due date of May 15, 2026 for U.S. federal civilian agencies, underscoring urgency for all operators. (nvd.nist.gov)
- Breadth of impact: Reports and advisories indicate impact across Ubuntu, Red Hat Enterprise Linux, SUSE, Amazon Linux, and others; even Windows Subsystem for Linux 2 (WSL2) is reported as affected due to its Linux kernel underpinnings. (microsoft.com)
What the bug is and how it works
Researchers at Xint Code (Theori) uncovered a logic flaw in the Linux kernel’s cryptographic subsystem, specifically in the algif_aead interface exposed via AF_ALG. An optimization introduced years ago allowed certain in-place operations; by abusing AF_ALG in combination with the splice() system call, an unprivileged local user can perform a controlled four-byte write into the page cache of any readable file. In practice, this lets an attacker corrupt an in‑memory setuid binary (for example, /usr/bin/su), then execute it to obtain a root shell—no race conditions, kernel offsets, or distro-specific tweaks required. (microsoft.com)
The PoC is remarkably small, cross‑distro, and deterministic, making operationalization straightforward for threat actors once they achieve any local code execution (e.g., via a compromised service account, CI job, or container foothold). Microsoft’s analysis highlights how the technique can be executed entirely from user space using standard kernel interfaces, with no network access or special capabilities. (microsoft.com)
Timeline and status (as of May 3, 2026)
- April 22, 2026: Kernel patches land upstream; NVD publishes the entry and references kernel.org fix commits reverting the problematic in‑place behavior in algif_aead. (nvd.nist.gov)
- April 29, 2026: Public disclosure by Xint Code; PoC becomes widely available. (xint.io)
- April 30, 2026: Canonical details mitigations and begins pushing updates; Ubuntu classifies the issue as High priority with CVSS 7.8. (canonical.com)
- May 1, 2026: CISA adds CVE-2026-31431 to KEV, signaling observed exploitation; remediation due date set for May 15, 2026. (nvd.nist.gov)
Vendor responses are ongoing. Ubuntu has shipped user‑space mitigations (via kmod) that disable the affected module pending kernel updates; Red Hat has issued guidance for RHEL and OpenShift environments; SUSE has published advisories and blog guidance. (canonical.com)
Who is affected
Microsoft, Help Net Security, and distro trackers report impact across commonly deployed kernels from 2017 onward, including current releases of Ubuntu (e.g., 24.04 LTS), Amazon Linux 2023, RHEL 10.x, SUSE 16, plus derivatives. Operators should assume exposure if running unpatched kernels where AF_ALG/algif_aead is present. Some coverage also notes potential impact to WSL2 since it uses a Linux kernel. (microsoft.com)
Exploitation and detection
- Exploitation status: CISA’s KEV listing indicates real‑world exploitation. In addition, a public PoC repository from the discoverers demonstrates working exploits across multiple distros. (nvd.nist.gov)
- Defender visibility: Microsoft has published detection guidance and notes early testing activity; defenders should monitor for suspicious AF_ALG socket usage, splice() misuse, and anomalous page‑cache writes to privileged binaries. (microsoft.com)
Patches and mitigations
Upstream kernel patches revert the in‑place optimization in algif_aead. Distributions are backporting fixes; in the interim, several mitigations reduce exposure:
- Update immediately to vendor‑patched kernels as they become available. Track your distro’s advisories and apply updates across all fleet roles (including container hosts, CI runners, and bastion nodes). (nvd.nist.gov)
- Temporarily disable the affected kernel module (algif_aead) via kmod/update or modprobe rules until patched kernels are deployed. Canonical provides package updates and detailed steps; note potential performance/compatibility impacts for hardware‑accelerated crypto. (canonical.com)
- For high‑risk container platforms, treat any container RCE as potential host compromise; cordon, drain, and recycle vulnerable nodes after patching; enforce least‑privilege for service accounts and limit untrusted code execution paths. (microsoft.com)
- Review vendor‑specific guidance for managed Kubernetes/OpenShift stacks and hosted Linux services. (access.redhat.com)
Example Ubuntu mitigation (user‑space block of algif_aead):
# Install Canonical’s mitigation package or block module manually
sudo apt update && sudo apt install --only-upgrade kmod
# Manual block if needed
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif_aead.conf
sudo rmmod algif_aead 2>/dev/null || true
These steps mitigate exposure until patched kernels are in place; a reboot may be required to ensure fallbacks to non‑accelerated crypto. (canonical.com)
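An added verification script, not part of Canonical's kmod package or the steps above: it reports whether the algif_aead module block is actually effective on a host. It assumes the standard paths /proc/modules, /lib/modules/$(uname -r)/modules.builtin and /etc/modprobe.d (each can be overridden with a saved copy), and it flags the one case the install rule cannot cover: a kernel with algif_aead compiled in rather than loadable.

```sh
#!/bin/sh
# Added example, not part of Canonical's kmod package or the steps above:
# verify that the algif_aead module block is actually in effect on a host.
# Every check takes its input path as an argument, so the same functions can
# run against copies of /proc/modules, modules.builtin and /etc/modprobe.d
# collected from a fleet. Empty arguments fall back to the live paths.

# Loaded right now? /proc/modules lists one module per line, name first.
algif_loaded() {
    grep -qs '^algif_aead ' "${1:-/proc/modules}"
}

# Compiled into the kernel? A built-in algif_aead never appears in
# /proc/modules and cannot be stopped by modprobe rules, so on such a kernel
# the "install algif_aead /bin/false" line gives no protection at all.
algif_builtin() {
    grep -qs 'algif_aead\.ko' "${1:-/lib/modules/$(uname -r)/modules.builtin}"
}

# Install rule present in modprobe.d? Only an "install" line diverting the
# load to /bin/false or /bin/true counts, matching the mitigation above; a
# "blacklist" line is not accepted because it does not stop a load by name.
algif_blocked() {
    grep -qs -E '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/(false|true)' \
        "${1:-/etc/modprobe.d}"/*.conf
}

# One-word verdict, then the action to take. This covers only the interim
# module block; the kernel version still has to be checked against the
# vendor advisory to know whether the real fix is installed.
algif_verdict() {
    if algif_builtin "$2"; then
        echo "builtin: module block is ineffective, a patched kernel is required"
    elif algif_loaded "$1"; then
        echo "loaded: add the install rule, then rmmod the module or reboot"
    elif algif_blocked "$3"; then
        echo "blocked: not loaded and the install rule is in place"
    else
        echo "unblocked: not loaded now, but AF_ALG use can load it on demand"
    fi
}

# Stand-alone run against the live host.
algif_verdict "" "" ""
```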
How to prioritize and verify remediation
- Inventory exposure
  - Enumerate Linux kernel versions across servers, container host nodes, desktops/laptops, and CI/CD runners. Confirm whether AF_ALG/algif_aead is present or loaded. (canonical.com)
- Patch and mitigate
  - Roll out patched kernels per vendor guidance; where not yet available, apply user‑space/module blocks immediately and plan maintenance windows for kernel updates. Track SUSE, Ubuntu, and Red Hat advisories. (suse.com)
- Monitor and hunt
  - Watch for signals consistent with PoC activity, including unexpected AF_ALG socket creation and splice() patterns against privileged binaries; leverage vendor telemetry where available. (microsoft.com)
- Validate
  - Re‑scan hosts after patching; confirm algif_aead is disabled where mitigations are applied; regression‑test workloads that rely on hardware crypto. (canonical.com)
The bottom line
CVE-2026-31431 is a high‑reliability, low‑complexity path to root that collapses container boundaries and undermines multi‑tenant isolation if left unpatched. Upstream fixes are available; with CISA now flagging active exploitation and a tight federal remediation window through May 15, 2026, organizations should prioritize kernel updates or apply mitigations today—especially across Kubernetes and CI/CD infrastructure. (nvd.nist.gov)