How to protect your Linux server from CVE-2026-31431 (Copy Fail)

What is CVE-2026-31431?

CVE-2026-31431, codenamed "Copy Fail", is a local privilege escalation vulnerability in the Linux kernel with a CVSS score of 7.8. It was publicly disclosed on April 29, 2026; the mainline kernel fix was merged on April 1, 2026.

It is a logic bug in the kernel's algif_aead AEAD socket interface (the authencesn(...) template), introduced upstream in 2017. It allows an unprivileged local user to perform a controlled 4-byte write into the page cache of any readable file — typically to overwrite a setuid binary and gain root.

The exploit is reliable, single-shot (a 732-byte Python script, no offsets, no race conditions) and works on essentially every Linux distribution shipped since 2017 with CONFIG_CRYPTO_USER_API_AEAD enabled.

Local only. It cannot be triggered remotely, but it pairs lethally with any other bug that gives an attacker shell access (web app RCE, weak SSH, cPanel/DirectAdmin user account, container escape).

Are you affected?

Yes, almost certainly, if you run any modern Linux server.

Confirmed affected distributions:

  • Ubuntu, Debian
  • AlmaLinux, Rocky Linux, CentOS
  • RHEL, CloudLinux 8/9/10
  • SUSE, Amazon Linux 2023

Not affected: CloudLinux 7.

Applies to bare metal, VMs, and container hosts. The CVE is in the kernel itself, not a userspace package — so containers inherit the host kernel's vulnerability.

How to check your server

We provide a detection script that runs five non-destructive checks and prints a single verdict: PATCHED, MITIGATED, VULNERABLE, or UNKNOWN.

scp cve-2026-31431-check.sh root@YOUR_SERVER:/root/
ssh root@YOUR_SERVER
bash /root/cve-2026-31431-check.sh

For batch sweeps across many servers, add --quiet to get one parseable line per host.

You can download the script from the attached file at the bottom of this article.

What it checks:

  1. Kernel command line for initcall_blacklist=algif_aead_init
  2. KernelCare livepatch level (CloudLinux only)
  3. Running kernel against the patched-version table for RHEL family / Debian / Ubuntu
  4. /etc/modprobe.d blacklist entries — and whether algif_aead is built into the kernel (in which case the blacklist is a no-op)
  5. Functional AF_ALG AEAD bind probe (Python or Perl, automatically picks what's available)
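The logic behind checks 1 and 4, as an added example written for this article; it is not the attached cve-2026-31431-check.sh (which also covers the KernelCare level, the patched-version table and the functional probe). Each function takes its input as a string, so the same code runs against constructed fixtures and against the live files the article names (/proc/cmdline, modules.builtin, /etc/modprobe.d). The function names and the UNKNOWN verdict for "modprobe blacklist on a loadable module" are this example's own conventions.

```shell
#!/bin/sh
# Added example, not the article's check script: checks 1 and 4 as
# functions that take their input as arguments (constructed or live).

# Check 1: does the kernel command line blacklist the AEAD initcall?
# initcall_blacklist takes a comma-separated list, so match inside it.
cmdline_blacklists_aead() {
    for word in $1; do
        case "$word" in
            initcall_blacklist=*)
                list="${word#initcall_blacklist=}"
                case ",$list," in
                    *,algif_aead_init,*) return 0 ;;
                esac
                ;;
        esac
    done
    return 1
}

# Check 4a: is algif_aead compiled into the kernel image?
# $1 is the content of modules.builtin (one module path per line).
aead_is_builtin() {
    printf '%s\n' "$1" | grep -q '/algif_aead\.ko$'
}

# Check 4b: does any modprobe.d fragment try to block algif_aead?
# $1 is the concatenated content of /etc/modprobe.d/*.conf.
modprobe_blocks_aead() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*(blacklist|install)[[:space:]]+algif_aead([[:space:]]|$)'
}

# Verdict from these two checks only (kernel version is a separate check):
#   MITIGATED  - cmdline workaround present
#   VULNERABLE - nothing in place, or a modprobe blacklist on a built-in
#                module (a no-op, as the article explains)
#   UNKNOWN    - modprobe blacklist on a loadable module; it only stops
#                auto-loading, so the functional probe must decide
cmdline_modprobe_verdict() {
    cmdline="$1"; builtin="$2"; modprobe="$3"
    if cmdline_blacklists_aead "$cmdline"; then
        echo MITIGATED; return 0
    fi
    if modprobe_blocks_aead "$modprobe"; then
        if aead_is_builtin "$builtin"; then
            echo VULNERABLE
        else
            echo UNKNOWN
        fi
        return 0
    fi
    echo VULNERABLE
}

# Live run against the real files when saved and executed as aead-check.sh.
case "$0" in
    *aead-check.sh)
        cmdline_modprobe_verdict "$(cat /proc/cmdline 2>/dev/null)" \
            "$(cat "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null)" \
            "$(cat /etc/modprobe.d/*.conf 2>/dev/null)"
        ;;
esac
```

The verdict is deliberately conservative: a modprobe blacklist never yields MITIGATED on its own, because even on a kernel where algif_aead is a module the blacklist does nothing for a module that is already loaded.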

How to mitigate

Option                         Best for                                Reboot?  Durable?
Install vendor patched kernel  Everyone, long-term fix                 Yes      Yes
KernelCare livepatch           CloudLinux servers                      No       Yes
Kernel-cmdline workaround      Anyone, while waiting for vendor patch  Yes      Temporary

Option A: vendor patched kernel

Minimum patched versions by distribution:

  • AlmaLinux / CloudLinux / Rocky 8: kernel-4.18.0-553.121.1.el8_10
  • AlmaLinux / CloudLinux / Rocky 9: kernel-5.14.0-611.49.2.el9_7
  • AlmaLinux / CloudLinux / Rocky 10: kernel-6.12.0-124.52.2.el10_1
  • Mainline upstream: 7.0, 6.19.12, 6.18.22 (or the relevant LTS backport for 6.12.x / 6.6.x / 5.15.x / 5.10.x)
  • Debian / Ubuntu: check the package changelog with apt changelog linux-image-$(uname -r) | grep CVE-2026-31431; the script does this automatically.
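Check 3 of the detection script, the running kernel against the RHEL-family minimums above, as an added example (not the attached script's own code). The version table is copied from the list above; the "kernel-" prefix and the architecture suffix from uname -r are stripped before comparing, and fields are compared as numbers so that 553.121.1 correctly ranks above 553.99.1. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not the article's check script: compare the running
# RHEL-family kernel against the minimum patched version for its release.

# Minimum patched kernel per EL release, from the article's list.
min_patched_for_el() {
    case "$1" in
        8)  echo "4.18.0-553.121.1.el8_10" ;;
        9)  echo "5.14.0-611.49.2.el9_7" ;;
        10) echo "6.12.0-124.52.2.el10_1" ;;
        *)  return 1 ;;   # release not in the table
    esac
}

# Normalise a version string: drop "kernel-" and the trailing arch suffix,
# so "kernel-4.18.0-553.121.1.el8_10" and uname -r output compare alike.
strip_arch() {
    v="${1#kernel-}"
    case "$v" in
        *.x86_64)  v="${v%.x86_64}" ;;
        *.aarch64) v="${v%.aarch64}" ;;
        *.ppc64le) v="${v%.ppc64le}" ;;
        *.s390x)   v="${v%.s390x}" ;;
    esac
    printf '%s' "$v"
}

# version_ge A B: succeed when A >= B. Every run of non-digits separates
# numeric fields; missing trailing fields count as 0. A plain string
# comparison would rank "553.99.1" above "553.121.1"; this does not.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/[^0-9]+/, " ", a); gsub(/[^0-9]+/, " ", b)
        na = split(a, A, " "); nb = split(b, B, " ")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# kernel_patched_el RUNNING EL: 0 = at/above the minimum, 1 = below,
# 2 = release not in the table. An EUS kernel from an older stream
# (lower build numbers) reads as unpatched, which is the safe default.
kernel_patched_el() {
    min=$(min_patched_for_el "$2") || return 2
    version_ge "$(strip_arch "$1")" "$(strip_arch "$min")"
}

# Live run when saved and executed as cve-kernel-version.sh.
case "$0" in
    *cve-kernel-version.sh)
        if kernel_patched_el "$(uname -r)" "$(rpm -E %rhel 2>/dev/null)"; then
            echo "PATCHED: $(uname -r)"
        else
            echo "NOT PATCHED (or unknown release): $(uname -r)"
        fi
        ;;
esac
```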

If the patched kernel is not yet in your distribution's stable channel, install from the testing channel (AlmaLinux example):

A=$(rpm -E %rhel); ARCH=$(uname -m); SFX=$([ "$A" -ge 10 ] && echo "$ARCH" || echo noarch)
dnf -y install "https://repo.almalinux.org/almalinux/${A}/extras/${ARCH}/os/Packages/almalinux-release-testing-${A}-1.el${A}.${SFX}.rpm"
dnf -y --enablerepo=almalinux-testing upgrade 'kernel*'
reboot

Option B: KernelCare livepatch (CloudLinux only)

kcarectl --update
kcarectl --patch-info | grep K20260430_07

Patch level K20260430_07 or newer covers Copy Fail. No reboot required.

Option C: kernel-cmdline workaround

Disables the AEAD initcall so the vulnerable interface never registers. Works on every distribution including RHEL-family kernels where the module is built in.

RHEL family (CloudLinux, AlmaLinux, Rocky, RHEL):

grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
reboot

Debian / Ubuntu:

Edit /etc/default/grub, append initcall_blacklist=algif_aead_init to GRUB_CMDLINE_LINUX, then:

update-grub
reboot

Verify with:

grep -o 'initcall_blacklist=[^ ]*' /proc/cmdline

Mitigation that does NOT work

A blacklist file like /etc/modprobe.d/disable-algif-aead.conf with install algif_aead /bin/false is a no-op on RHEL-family kernels: they are built with CONFIG_CRYPTO_USER_API_AEAD=y, so algif_aead is compiled into the kernel image, not loaded as a module. Use the kernel-cmdline workaround instead. Verify with:

grep algif_aead /lib/modules/$(uname -r)/modules.builtin

A match means the modprobe blacklist will not protect you.

After mitigating

  1. Re-run bash /root/cve-2026-31431-check.sh and confirm the verdict is PATCHED or MITIGATED.
  2. If you used the cmdline workaround, plan to install the vendor patched kernel when it ships, then remove the workaround:
    grubby --update-kernel=ALL --remove-args="initcall_blacklist=algif_aead_init"
    reboot
  3. Confirm with the script one more time.

Need help?

Open a ticket at soporte.telecu.cloud and reference: CVE-2026-31431.

Attached Files

  • cve-2026-31431-check.sh (404kb)