Linux ‘Copy Fail’ (CVE-2026-31431): A 732-Byte Script That Roots Any Linux Server — Patch Now

A 732-byte Python script is all it takes to become root on virtually any Linux system in the world. That’s not a hypothetical — it’s the reality of CVE-2026-31431, nicknamed “Copy Fail,” a Linux kernel vulnerability that security firm Theori disclosed on April 29, 2026. CISA added it to its Known Exploited Vulnerabilities catalog on May 1. The mandatory remediation deadline for all US federal civilian agencies was May 15. If your Linux systems haven’t been patched, you’re running on borrowed time.

Copy Fail is the kind of vulnerability that keeps security teams up at night: it’s reliable (no race conditions, no address leaks required), universal (affects every major Linux distribution since kernel 4.9, dating back to 2017), and root-escalating (takes any unprivileged local user straight to root). It affects millions of cloud Linux workloads, Kubernetes clusters, VPS servers, and enterprise Linux deployments globally.

What Is “Copy Fail” and How Does It Work?

Copy Fail lives in the Linux kernel’s cryptographic subsystem — specifically in the algif_aead module of the AF_ALG interface, which is the kernel’s API that allows userspace applications to access hardware cryptographic accelerators.

The flaw is a logic error in how the module handles memory during in-place cryptographic operations. When data is both the input and output of an AEAD (Authenticated Encryption with Associated Data) operation, the module fails to properly validate memory boundaries. This lets an attacker trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system.

From that 4-byte write, an attacker can corrupt a specific file in ways that trigger a privilege escalation chain, ultimately landing them a root shell. The entire exploit is approximately 732 bytes of Python code. It’s not flashy; it’s methodical. And it works consistently across:

• Ubuntu 20.04, 22.04, 24.04
• Debian 11 and 12
• Red Hat Enterprise Linux 8 and 9 / CentOS
• Fedora (recent releases)
• Amazon Linux 2 and 2023
• Alpine Linux (container base image)
• Virtually any distro running kernel 4.9 through 6.8 unpatched

Why “No Race Condition” Changes Everything

Most local privilege escalation exploits have a dirty secret: they depend on timing. Race condition exploits require the attacker to win a CPU timing race between two kernel operations — something that requires repeated attempts and often fails in hardened environments or on busy multi-core systems.

Copy Fail has no race condition. It’s deterministic. You run the script, you get root. Every time. On every affected system. This makes it dramatically more dangerous in real-world attack scenarios: there’s no retry loop, no timing sensitivity, no indication of failure that might trigger security monitoring alerts. An attacker who gains any unprivileged foothold on a vulnerable system — through a web shell, a compromised service account, a phishing email that runs a payload — can instantly escalate to full root access.

In cloud and container environments, where multi-tenant systems share kernel resources, this is particularly dangerous. A container escape combined with Copy Fail could give an attacker root on the underlying hypervisor or node — potentially affecting all workloads running on that host.

The Scale of Exposure: Millions of Systems

Microsoft’s security blog estimated that Copy Fail affects “a significant portion of cloud Linux workloads and millions of Kubernetes clusters.” That’s not hyperbole. Consider:

• Linux powers approximately 90% of cloud servers globally
• The affected kernel versions have been in use since 2017 — that’s 9 years of deployment
• Many production Linux systems run LTS (Long-Term Support) kernels and receive infrequent updates
• Container base images based on Alpine, Ubuntu, or Debian inherit the host kernel’s vulnerability

Cloudflare published a post-mortem on how they responded to Copy Fail internally — noting that their massive distributed infrastructure required a carefully staged patching rollout to avoid service disruptions. OVHcloud published guidance for their managed Kubernetes clusters. The patch availability from Ubuntu, Red Hat, Debian, and other major distros came within days of disclosure — but applying patches to production Linux systems is rarely instantaneous.

How to Check If You’re Vulnerable

To check your kernel version and assess exposure, run:

# Check kernel version
uname -r

# If running 4.9 through 6.8, check if patch is applied
grep -r "algif_aead" /proc/kallsyms | head -5

# Check if AF_ALG is enabled in your kernel config
cat /boot/config-$(uname -r) | grep CONFIG_CRYPTO_USER_API_AEAD

Patched kernel versions include 6.6.90, 6.12.27, and 6.14.4 (and later). Most major distributions have released updated packages — check your distro’s security advisory for the specific package version that includes the fix.

Mitigations If You Can’t Patch Immediately

If immediate kernel patching isn’t feasible (common in production environments with change control requirements), there are several workarounds:

• Disable AF_ALG module: modprobe -r algif_aead — prevents the vulnerable code path from being accessed (verify this doesn’t break any application dependencies first)
• Use seccomp profiles: Blocking the AF_ALG socket family via seccomp will prevent exploitation in containerized workloads
• Enable kernel live patching: RHEL’s kpatch, Ubuntu’s Livepatch, or SUSE’s kGraft can apply fixes without rebooting
• Restrict local user access: Copy Fail requires local code execution — minimizing the attack surface by locking down what can run on affected systems reduces risk

The Broader Pattern: Linux Kernel Privilege Escalation Is a Repeat Problem

Copy Fail follows a pattern that security researchers have seen repeatedly. The Linux kernel’s complexity — it contains over 30 million lines of code — means there are inevitably subtle logic flaws in subsystems that rarely receive security scrutiny. The cryptographic API, network subsystems, and driver interfaces are all vectors that have produced exploitable vulnerabilities in recent years.

Earlier this year, Dirty Frag (CVE-2026-43284) gave root access on every major Linux distribution. Before that, there was a series of kernel exploits affecting eBPF implementations. The pattern is clear: the Linux kernel’s surface area is vast, its security review resources are finite, and sophisticated researchers — and attackers — will keep finding flaws.

The answer isn’t to abandon Linux — there’s no viable alternative for cloud infrastructure. The answer is faster patching cycles, better kernel hardening defaults, and security monitoring that doesn’t assume the kernel is trustworthy. Copy Fail is a reminder that your security posture is only as strong as your most recently patched kernel.

Sources: CybersecurityNews — Copy Fail exploited | Microsoft Security Blog — CVE-2026-31431 | Bugcrowd — Copy Fail analysis | Cloudflare — Mitigation post-mortem