Copy Fail Vulnerability in Major Linux Distributions
Copy Fail (CVE-2026-31431) is a logic bug in a Linux kernel cryptographic template (the authencesn AEAD template described below). It allows an unprivileged local user to trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system. A single 732-byte Python script can edit a setuid binary and obtain root access on essentially all Linux distributions shipped since 2017.
The kernel never marks the corrupted page dirty for writeback, so the file on disk remains unchanged and ordinary on-disk checksum comparisons miss the modification. The corrupted in-memory copy, however, is immediately visible system-wide. The exploit is also portable: the very same script works on every tested distribution and architecture, including Ubuntu, Amazon Linux, RHEL, and SUSE, with no per-distro offsets or recompilation needed.
Key Features of the Vulnerability:
- Stealthy: The write bypasses the ordinary VFS write path, making it undetectable by standard file integrity tools.
- Cross-container impact: The page cache is shared across all processes on a system, including across container boundaries.
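The two facts above (the on-disk bytes stay intact, while every process sees the modified page-cache copy) suggest a check that conventional integrity tools do not make: hash a file once through the page cache with a normal read() and once with O_DIRECT, which bypasses the page cache and returns what is actually on disk, then compare. The script below is an added example written for this page, not code from the original article or from the researchers who reported the bug. It assumes a Linux host, Python 3.7 or newer (for os.preadv), and a filesystem that honours O_DIRECT; the sample file and its contents in the test are constructed, and all function and class names are this example's own.

```python
"""Page-cache vs. on-disk integrity check (added example, not from the article).

A normal read() is served from the page cache, so it returns the corrupted
copy that Copy Fail leaves there. An O_DIRECT read bypasses the page cache
and returns the unchanged on-disk bytes. Hashing both views and comparing
them flags a file whose cached copy has diverged from disk.
"""
import errno
import hashlib
import mmap
import os
import sys
from dataclasses import dataclass
from typing import Optional

# O_DIRECT requires the file offset, the transfer length and the buffer
# address to be aligned to the device's logical block size. 4 KiB satisfies
# common devices, and CHUNK is kept a multiple of it.
BLOCK = 4096
CHUNK = 1 << 20  # 1 MiB per read


@dataclass
class IntegrityResult:
    path: str
    cached_sha256: str          # the page-cache view, as read() returns it
    disk_sha256: Optional[str]  # the on-disk bytes via O_DIRECT; None if unsupported

    @property
    def diverged(self) -> bool:
        """True when the cached copy differs from what is on disk."""
        return self.disk_sha256 is not None and self.disk_sha256 != self.cached_sha256


def hash_via_page_cache(path: str) -> str:
    """SHA-256 of the file as every ordinary process sees it."""
    h = hashlib.sha256()
    with open(path, "rb", buffering=0) as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_via_direct_io(path: str) -> Optional[str]:
    """SHA-256 of the on-disk bytes, read with O_DIRECT so the page cache is
    bypassed. Returns None when the filesystem rejects O_DIRECT (for example
    tmpfs on older kernels)."""
    unsupported = (errno.EINVAL, errno.EOPNOTSUPP)
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    except OSError as e:
        if e.errno in unsupported:
            return None
        raise
    h = hashlib.sha256()
    # Anonymous mmap memory is page-aligned, which meets O_DIRECT's buffer
    # alignment rule; a plain bytearray gives no such guarantee.
    buf = mmap.mmap(-1, CHUNK)
    try:
        offset = 0  # always a multiple of BLOCK, as O_DIRECT requires
        while True:
            try:
                n = os.preadv(fd, [buf], offset)
            except OSError as e:
                if e.errno in unsupported:
                    return None
                raise
            if n <= 0:
                break
            h.update(buf[:n])
            if n < CHUNK:  # short read: end of file reached
                break
            offset += n
    finally:
        buf.close()
        os.close(fd)
    return h.hexdigest()


def check_file(path: str, flush_first: bool = True) -> IntegrityResult:
    """Compare both views of one file.

    flush_first calls fsync() so a legitimately dirty page (a write still
    waiting for writeback) is not reported as a divergence. Copy Fail's page
    is never marked dirty, so fsync() does not hide it."""
    if flush_first:
        with open(path, "rb") as f:
            os.fsync(f.fileno())
    return IntegrityResult(path, hash_via_page_cache(path), hash_via_direct_io(path))


def main(argv) -> int:
    rc = 0
    for path in argv[1:]:
        r = check_file(path)
        if r.disk_sha256 is None:
            print(f"{path}: O_DIRECT unsupported, cannot compare against disk")
        elif r.diverged:
            rc = 1
            print(f"{path}: DIVERGED cached={r.cached_sha256} disk={r.disk_sha256}")
        else:
            print(f"{path}: ok")
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it over the files an attacker would most want to alter, for instance the output of `find / -xdev -perm -4000 -type f` for setuid binaries. Two caveats follow from the page's description: because the corrupted page is never dirty, any eviction (memory pressure, `echo 3 > /proc/sys/vm/drop_caches`) reloads the clean on-disk copy, so the divergence is only observable while the page stays cached, and a responder should record both hashes before anything drops the cache. And since the page cache is shared across containers on the host, the check is only meaningful on the host kernel's view of the file, not per container.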
The root cause of this vulnerability lies in the kernel’s AF_ALG socket type, which exposes the crypto subsystem to unprivileged userspace. A core primitive underlying this bug is splice(), which transfers data between file descriptors and pipes without copying, passing page cache pages by reference. Unfortunately, the authencesn AEAD algorithm breaks a silent invariant by writing 4 bytes at an incorrect offset, directly corrupting the kernel’s cached copy of the target file.
This vulnerability has been silently exploitable for nearly a decade. It emerged at the intersection of three separate changes: one in 2011, one in 2015, and a 2017 optimization that made AEAD operations in-place.