This critical Linux vulnerability is putting millions of systems at risk - how to protect yours
Source: ZDNet

ZDNET key takeaways
- Copy Fail is a dangerous Linux vulnerability.
- This flaw makes gaining root access easy for attackers.
- Copy Fail affects millions of Linux systems.
CVE-2026-31431, also known as Copy Fail, is a critical Linux kernel vulnerability that has existed since 2017.
What is Copy Fail?
Copy Fail is a flaw in the Linux kernel’s handling of certain data. An attacker with basic access can alter a small piece of data in RAM, tricking the system into granting root privileges.
Think of it as a janitor swapping the boss’s nameplate with his own—suddenly everyone assumes he is the boss. Unlike many exploits, Copy Fail does not require precise timing or specific event ordering.
A bit more detail
Copy Fail abuses the AF_ALG socket interface and the splice() system call to overwrite just 4 bytes in the kernel’s page cache for any readable file. This allows attackers to modify setuid binaries (e.g., su) in memory and gain root access.
- Affects Linux kernels 4.14 through 6.19.12 (2017‑present).
- Differs from race‑condition exploits: it is a stable, straight‑line vulnerability.
“This finding was AI‑assisted, but began with an insight from Theori researcher Taeyang Lee, who was studying how the Linux crypto subsystem interacts with page‑cache‑backed data.” – Xint Code Research Team
How to avoid Copy Fail
The simplest mitigation is to update your kernel to the latest version. To check whether the vulnerable module is loaded, run:
grep -qE '^algif_aead ' /proc/modules && \
echo "Affected module is loaded" || \
echo "Affected module is NOT loaded"
- If you see “Affected module is NOT loaded”, your kernel is patched.
- If you see “Affected module is loaded”, update your system and re‑run the command.
If the module remains loaded after updating, you can disable it:
# Disable the module permanently
echo 'install algif_aead /bin/false' > /etc/modprobe.d/disable-algif.conf
# Unload the module for the current session
rmmod algif_aead
After applying these steps, your system should be protected against the Copy Fail vulnerability.
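To confirm that both steps took effect, the script below is an added example, not taken from the ZDNet article: it reports whether algif_aead is in memory and whether the install override written above is present. The function names and state words are assumptions of this example, and it reads only /proc/modules and /etc/modprobe.d.

```shell
#!/bin/sh
# Added example (not from the article): report the algif_aead mitigation state.
# File locations are parameters so the logic can be run against test fixtures.

# True if the module is listed in a /proc/modules-format file.
module_loaded() {   # $1 = module name, $2 = modules file
    grep -qE "^$1 " "${2:-/proc/modules}" 2>/dev/null
}

# True if a modprobe.d file replaces loading of the module with a stub
# command, as the article's "install algif_aead /bin/false" line does.
module_blocked() {  # $1 = module name, $2 = modprobe.d directory
    for conf in "${2:-/etc/modprobe.d}"/*.conf; do
        [ -f "$conf" ] || continue
        # Anchoring on "install" skips commented-out lines.
        grep -qE "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/(false|true)([[:space:]]|\$)" \
            "$conf" && return 0
    done
    return 1
}

# Print one state word for the module:
#   loaded            in memory, no override: both article steps still needed
#   loaded-override   override written, module still in memory: rmmod needed
#   override          not in memory, future loads replaced by the stub
#   not-loaded        not in memory, but nothing stops a later modprobe
module_state() {    # $1 = module, $2 = modules file, $3 = modprobe.d directory
    if module_loaded "$1" "$2"; then
        if module_blocked "$1" "$3"; then echo loaded-override; else echo loaded; fi
    else
        if module_blocked "$1" "$3"; then echo override; else echo not-loaded; fi
    fi
}

# Check the live system with the default paths.
echo "algif_aead: $(module_state algif_aead)"
```

A module compiled into the kernel never appears in /proc/modules, so not-loaded on such a system says nothing about whether the code is present.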