CVE-2026-31431

Published Apr 22, 2026

Last updated 7 hours ago

Exploit knownCVSS high 7.8

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-31431, dubbed "Copy Fail," is a local privilege escalation (LPE) vulnerability found within the Linux kernel's cryptographic subsystem. Specifically, it stems from a logic flaw in the `algif_aead` module of the `AF_ALG` (userspace crypto API), which leads to improper memory handling during in-place operations. This flaw allows an unprivileged local user to perform a deterministic, controlled 4-byte write into the page cache of any readable file on the system, including setuid binaries. This vulnerability has been present in Linux kernels since 2017 and impacts a wide range of major distributions, including Red Hat, SUSE, Ubuntu, and Amazon Linux. Exploitation is described as reliable, not requiring race conditions or kernel-specific offsets, and can be achieved with a small Python script. The in-memory corruption means the file on disk remains unchanged, and typical on-disk checksums would not detect the modification.

Description
In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.
Source
416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD status
Modified
Products
linux_kernel

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.8
Impact score
5.9
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Known exploits

Data from CISA

Vulnerability name
Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability
Exploit added on
May 1, 2026
Exploit action due
May 15, 2026
Required action
"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-669

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

1

  1. #CopyFail (CVE-2026-31431) 🔓 9 ans incognito dans le noyau #Linux ! Accès root local sans compétence technique. Ubuntu, RHEL, SUSE, Amazon Linux 2023 concernés. ✅ Patch dispo depuis le 01/04/26 ✅ Ou désactiver algif_aead #Cybersécurité #SysAdmin https://t.co/2VOpZ

    @capensis_sas

    4 May 2026

    49 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Top 5 Trending CVEs: 1 - CVE-2026-31431 2 - CVE-2026-41940 3 - CVE-2026-3910 4 - CVE-2024-20359 5 - CVE-2024-20353 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    3 May 2026

    120 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Top 5 Trending CVEs: 1 - CVE-2026-31431 2 - CVE-2021-3156 3 - CVE-2025-14847 4 - CVE-2024-27867 5 - CVE-2024-11182 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    2 May 2026

    187 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🔴 CVE-2026-31431 (High) affects Linux vendors: In the Linux kernel, the following vulnerability has been resolved: ✅ HAS FIX: Debian 14 Echo ❌ NO FIX YET: AlmaLinux 9 Alpine (all versions) Amazon Linux 2, 2023 Debian 11, 12, 13 Fedora (all versions) Oracle Linux 5-10 Re

    @MeniTasa

    1 May 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 🚨 Critical Linux Kernel Vulnerability: CVE-2026-31431 (“Copy Fail”) A 732-byte Python script → root access on most Linux distros since 2017. Impact Works on: Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, SUSE 16 Discovered by Taeyang Lee at Theori using Xint Code #Linu

    @cveplayground

    30 Apr 2026

    1 Impression

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

Configurations

Related CVEs

  1. In the Linux kernel, the following vulnerability has been resolved: wifi: rt2x00usb: fix devres lifetime USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes). Fix the USB anchor lifetime so that it is released on driver unbind.CVE-2026-31672
  2. In the Linux kernel, the following vulnerability has been resolved: xfrm_user: fix info leak in build_report() struct xfrm_user_report is a __u8 proto field followed by a struct xfrm_selector which means there is three "empty" bytes of padding, but the padding is never zeroed before copying to userspace. Fix that up by zeroing the structure before setting individual member variables.CVE-2026-31671
  3. In the Linux kernel, the following vulnerability has been resolved: net: rfkill: prevent unlimited numbers of rfkill events from being created Userspace can create an unlimited number of rfkill events if the system is so configured, while not consuming them from the rfkill file descriptor, causing a potential out of memory situation. Prevent this from bounding the number of pending rfkill events at a "large" number (i.e. 1000) to prevent abuses like this.CVE-2026-31670
  4. In the Linux kernel, the following vulnerability has been resolved: mptcp: fix slab-use-after-free in __inet_lookup_established The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have their slab caches created with this flag via proto_register(). However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_initcall, level 5), before inet6_init() (module_init/device_initcall, level 6) has called proto_register(&tcpv6_prot). At that point, tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab remains NULL permanently. This causes MPTCP v6 subflow child sockets to be allocated via kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so when these sockets are freed without SOCK_RCU_FREE (which is cleared for child sockets by design), the memory can be immediately reused. Concurrent ehash lookups under rcu_read_lock can then access freed memory, triggering a slab-use-after-free in __inet_lookup_established. Fix this by splitting the IPv6-specific initialization out of mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called from mptcp_proto_v6_init() before protocol registration. This ensures tcpv6_prot_override.slab correctly inherits the SLAB_TYPESAFE_BY_RCU slab cache.CVE-2026-31669
  5. In the Linux kernel, the following vulnerability has been resolved: seg6: separate dst_cache for input and output paths in seg6 lwtunnel The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reuses it blindly, bypassing its own lookup. Fix this by splitting the cache into cache_input and cache_output, so each path maintains its own cached dst independently.CVE-2026-31668

References

Sources include official advisories and independent security research.