CopyFail: Decade-old kernel flaw in all Linux distributions

[Screenshot: Artifacts of exploit launch]

A severe vulnerability, CVE-2026-31431 (CopyFail), has been discovered in the Linux kernel; it is exploitable on all major distributions. The flaw allows a local unprivileged user to gain root privileges.

The essence of the vulnerability:

The authencesn cryptographic algorithm uses part of its allocated memory during operation and writes four bytes directly into page-cache pages. This gives an attacker the ability to modify the cached contents of any readable file.

The exploit is a 732-byte Python script that uses AF_ALG and splice operations to write four controlled bytes into the page cache of (for example) a setuid binary. As a result, the executable's code in memory is modified, and a shell with root privileges is launched.

What to do:

It is recommended to update the kernel ASAP.

If this is not possible, disable the algif_aead module (AF_ALG interface for AEAD).

How to detect an attack:

The artifacts left by a launch of the original Python exploit can be seen in the screenshot above. The launch can be tracked by these specific command strings:

sh -c -- su
sh -c -- newgrp
sh -c -- passwd
sh -c -- gpasswd
sh -c -- sudo
sh -c -- chfn
sh -c -- umount
sh -c -- mount
sh -c -- fusermount3
sh -c -- chsh
sh -c -- su

Similar command strings can be run with other setuid files.

You can also detect the attack by the characteristic process chain: a python process launches a shell.

It is also recommended to monitor:

— creation of an AF_ALG socket (the interface to the Linux kernel's cryptographic API) by unprivileged users,

— use of the splice() system call by unprivileged users; it moves data between two file descriptors (e.g., from a file to a pipe or from a socket to a file) entirely within kernel memory.

Note that other exploit variants are already appearing, and their detection may differ. Monitor for suspicious changes in user ID between parent and child processes launched from unknown files or from files that are atypical for your infrastructure.
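As an added illustration of the detection guidance in this section (this is not the post's own code or tooling), the following Python sketch runs the indicators listed above over constructed sample telemetry: the `sh -c -- <setuid binary>` wrapper strings, a python interpreter spawning a shell, an euid jump to 0 through a binary outside a known-setuid allowlist, and AF_ALG socket creation or splice() by an unprivileged user. The JSON-lines event format, the field names, the sample events and the allowlist are assumptions made for the example.

```python
"""Added example: a small detector for the CopyFail (CVE-2026-31431) artifacts
described in the post. The event format is a constructed, hypothetical JSON-lines
shape; real EDR or auditd output would have to be mapped onto these fields."""
import json
import re

# Setuid helpers the original exploit invokes via "sh -c -- <name>" (list from the post).
SETUID_TARGETS = {"su", "newgrp", "passwd", "gpasswd", "sudo", "chfn",
                  "umount", "mount", "fusermount3", "chsh"}
SETUID_SHELL_RE = re.compile(r"^sh -c -- (\S+)$")
SHELLS = {"sh", "bash", "dash", "zsh"}
# Constructed allowlist: binaries that legitimately raise euid to 0 in this environment.
KNOWN_SETUID_EXES = {"/usr/bin/su", "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/newgrp"}

# Constructed sample telemetry: one exploit-like chain (pids 100-104), one benign
# sudo (pids 200-201) and one unknown helper that jumps to root (pid 300).
SAMPLE_EVENTS = """
{"type":"exec","pid":100,"ppid":1,"uid":1000,"euid":1000,"comm":"bash","exe":"/bin/bash","cmdline":"bash"}
{"type":"exec","pid":101,"ppid":100,"uid":1000,"euid":1000,"comm":"python3","exe":"/usr/bin/python3","cmdline":"python3 /tmp/x.py"}
{"type":"syscall","pid":101,"uid":1000,"syscall":"socket","family":"AF_ALG"}
{"type":"syscall","pid":101,"uid":1000,"syscall":"splice"}
{"type":"exec","pid":102,"ppid":101,"uid":1000,"euid":1000,"comm":"sh","exe":"/bin/sh","cmdline":"sh -c -- su"}
{"type":"exec","pid":103,"ppid":102,"uid":1000,"euid":0,"comm":"su","exe":"/usr/bin/su","cmdline":"su"}
{"type":"exec","pid":104,"ppid":103,"uid":0,"euid":0,"comm":"sh","exe":"/bin/sh","cmdline":"sh"}
{"type":"exec","pid":200,"ppid":1,"uid":1000,"euid":1000,"comm":"bash","exe":"/bin/bash","cmdline":"bash"}
{"type":"exec","pid":201,"ppid":200,"uid":1000,"euid":0,"comm":"sudo","exe":"/usr/bin/sudo","cmdline":"sudo apt update"}
{"type":"exec","pid":300,"ppid":200,"uid":1000,"euid":0,"comm":"helper","exe":"/tmp/helper","cmdline":"/tmp/helper"}
"""


def load_events(text):
    """Parse JSON-lines telemetry into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (rule, pid, detail) tuples for every event matching a CopyFail indicator."""
    execs = {e["pid"]: e for e in events if e["type"] == "exec"}
    findings = []
    for e in events:
        if e["type"] == "exec":
            parent = execs.get(e["ppid"])
            m = SETUID_SHELL_RE.match(e["cmdline"])
            # 1. The exact "sh -c -- <setuid binary>" wrapper strings the post lists.
            if m and m.group(1) in SETUID_TARGETS:
                findings.append(("setuid-shell-wrapper", e["pid"], e["cmdline"]))
            # 2. Characteristic chain: a python interpreter launching a shell.
            if e["comm"] in SHELLS and parent and parent["comm"].startswith("python"):
                findings.append(("python-spawns-shell", e["pid"],
                                 f'parent {parent["pid"]}: {parent["cmdline"]}'))
            # 3. euid jumps to 0 under a non-root parent via a binary not known to be setuid.
            if (e["euid"] == 0 and parent and parent["euid"] != 0
                    and e["exe"] not in KNOWN_SETUID_EXES):
                findings.append(("privilege-jump", e["pid"],
                                 f'euid {parent["euid"]} -> 0 via {e["exe"]}'))
        elif e["type"] == "syscall" and e["uid"] != 0:
            # 4/5. AF_ALG socket creation and splice() by an unprivileged user.
            if e["syscall"] == "socket" and e.get("family") == "AF_ALG":
                findings.append(("unpriv-af_alg-socket", e["pid"], f'uid {e["uid"]}'))
            elif e["syscall"] == "splice":
                findings.append(("unpriv-splice", e["pid"], f'uid {e["uid"]}'))
    return findings


def run_sample():
    """Run the detector over the constructed telemetry above."""
    return detect(load_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for rule, pid, detail in run_sample():
        print(f"{rule:22} pid={pid} {detail}")
```

On the sample, the exploit-like chain produces four findings (AF_ALG socket, splice, the `sh -c -- su` wrapper and the python-to-shell chain), the benign `sudo` produces none because its binary is on the allowlist, and the unknown `/tmp/helper` trips the privilege-jump rule. On a real host the syscall events can be fed from auditd rules on socket() with address family 38 (AF_ALG) and on splice(), filtered to uid != 0, while the process chain comes from execve auditing or an EDR; the allowlist must be tuned to the setuid binaries actually present in your environment.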

UPDATE: More artifacts and recommendations for the Copy Fail detection are published here.
