Question 1

What is CVE-2026-31431 (Copy Fail)?

Accepted Answer

CVE-2026-31431, dubbed 'Copy Fail', is a high-severity (CVSS 7.8) local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem. Found in the AF_ALG interface, it affects all major distributions since 2017. A compact Python exploit (as small as 732 bytes) allows any unprivileged local user to gain root access 100% reliably, without race conditions, by corrupting the in-memory page cache of a setuid binary like /usr/bin/su.

Question 2

Can CVE-2026-31431 be exploited remotely?

Accepted Answer

No. The vulnerability requires local code execution as an unprivileged user. However, it becomes highly dangerous when combined with an initial access vector—stolen credentials, a compromised website with file upload, a malicious CI job, or a breached container. In shared hosting or VPS environments, a single customer can use Copy Fail to gain root and access all other accounts.

Question 3

Does Copy Fail enable container escape?

Accepted Answer

Yes. Because the Linux page cache is shared across containers and the host kernel, a Copy Fail exploit inside a container can corrupt the page cache of a setuid binary on the host, enabling complete container breakout. This makes it especially critical in Kubernetes clusters, container‑based VPS platforms, and shared hosting.

Question 4

What immediate mitigation should hosting providers apply?

Accepted Answer

For RHEL-family systems (CloudLinux, AlmaLinux) where AF_ALG is built in, use: grubby --update-kernel=ALL --args='initcall_blacklist=algif_aead_init' and reboot. For Debian-family systems where it's a loadable module: echo 'install algif_aead /bin/false' > /etc/modprobe.d/disable-algif-aead.conf and rmmod algif_aead. After applying, verify with a Python AF_ALG socket test. This mitigation does not affect common services like dm-crypt, SSH, IPsec, or standard OpenSSL/GnuTLS.

Question 5

Are live patches available for CVE-2026-31431?

Accepted Answer

Yes. KernelCare has released a live patch that is delivered automatically to subscribed systems without a reboot. CloudLinux and AlmaLinux have also made patched kernels available via standard testing/production repositories. The fix is based on three upstream commits that correct the improper use of source and destination scatterlists in AF_ALG AEAD operations.

Question 6

How can I check if my website or server was affected?

Accepted Answer

Because Copy Fail modifications happen only in volatile memory, there is no on‑disk evidence. Providers should check access logs for unusual su/sudo usage from unprivileged accounts and look for new SSH keys or cron jobs—potential persistence mechanisms. End users should monitor for unexpected admin accounts, new FTP users, rogue email forwarders, and unexplained file changes. If a server was running a vulnerable kernel, assume credential compromise and rotate all passwords immediately.

Critical Linux Kernel Vulnerability CVE-2026-31431 (Copy Fail): Pre- and Post-Incident Measures for Hosting Providers and End Users

Critical cPanel/WHM Vulnerability CVE-2026-41940: Pre- and Post-Incident Measures for Hosting Providers and End Users

Apply for a free Ebook ! Sign Up now