Copy Fail: Linux kernel crypto RCE (CVE-2026-31431) [PoC]

Actively exploited in the wild — Copy Fail (CVE-2026-31431) is a high-severity vulnerability in the Linux kernel’s crypto subsystem (algif_aead) that grants local attackers arbitrary code execution at kernel level. Disclosed by Theori / Xint as “Copy Fail,” the bug is confirmed exploited in the wild, has multiple public PoCs, and is weaponized in a Metasploit module.

Overview

Copy Fail (CVE-2026-31431) affects the Linux kernel’s crypto/algif_aead module, specifically the implementation of AEAD (Authenticated Encryption with Associated Data) operations via the AF_ALG socket interface. A commit reverted the in-place operation logic, reintroducing a flaw where the source and destination buffers use different memory mappings without proper separation.

The vulnerability arises from the removal of complexity added to support in-place encryption in algif_aead. By operating out-of-place again, the kernel fails to properly isolate the source and destination buffers, allowing a local attacker to trigger memory corruption that can lead to privilege escalation or system crash. Researchers note Copy Fail is unusual among Linux LPEs in that it requires no race window and no kernel-specific offset — a single straight-line logic flaw that exploits cleanly across distributions.

Impact

This vulnerability carries a CVSS 7.8 (HIGH) rating with a LOCAL attack vector (AV:L) requiring LOW privileges and NO user interaction. The primary impact is to confidentiality, integrity, and availability - an attacker with low-privilege access to a system can exploit this to execute arbitrary code at kernel level.

The CISA Known Exploited Vulnerabilities (KEV) catalog confirms active exploitation in the wild. The EPSS score of 2.6% indicates a moderate probability of broader exploitation within the next 30 days.

Affected Systems

All Linux kernel versions that include the affected algif_aead commit are vulnerable. This broadly impacts enterprise servers, cloud instances, and embedded devices running unpatched Linux kernels.

Remediation

1. Apply the kernel patch immediately: The fix is included in current stable kernel releases. Update to the latest kernel for your distribution.
2. For enterprise distros:
   • Red Hat/CentOS: Update to kernel-4.18.0-553 or later (RHEL 8)
   • Ubuntu: Apply kernel updates from ubuntu-security-announce
   • SUSE: Update to kernel-default-5.14.21-150400.24.135 or later
3. Mitigation without patching: Restrict access to the AF_ALG socket family by using SELinux or AppArmor policies. This limits exploitation surface but is not a complete fix.

Security Insight

This vulnerability echoes a pattern seen in other recent Linux kernel bugs where in-place vs. out-of-place memory handling causes security boundaries to collapse. The revert to out-of-place operation was intended to simplify the code, but introduced a regression that attackers are actively exploiting. This incident underscores the importance of rigorous regression testing in cryptographic subsystems, where even memory-safe design patterns can reintroduce vulnerabilities when boundaries between kernel and userspace mappings are not carefully managed.

Related reading: Nine CrackArmor Flaws in Linux AppArmor Enable Root and China-Linked Hackers Use TernDoor, PeerTime, BruteEntry.

Further Reading

• Nine CrackArmor Flaws in Linux AppArmor Enable Root
• China-Linked Hackers Use TernDoor, PeerTime, BruteEntry
• All High Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs