A serious local privilege escalation vulnerability in the Linux kernel, publicly disclosed on April 29, 2026, has now received patches across several major Linux distributions, including Ubuntu, Debian, and AlmaLinux.
The flaw, tracked as CVE-2026-31431 and nicknamed Copy Fail, carries a CVSS 3.1 score of 7.8, placing it in the HIGH severity category. If you are running a Linux system that is not Ubuntu 26.04 LTS or newer, you need to act on this immediately. This one is worth taking seriously.
Copy Fail was discovered and disclosed by researchers at Xint Code and Theori. The bug lives in the algif_aead kernel module, which provides the AEAD socket interface for the kernel’s userspace cryptographic API, known as AF_ALG.
In plain terms, it is a piece of the kernel that handles authenticated encryption operations for software that requests hardware-accelerated cryptographic functions. Most users never interact with it directly. That is precisely the kind of component where a logic flaw can sit quietly for years.
The root cause traces back to a commit merged in 2017, identified as commit 72548b093ee3. That commit switched AEAD operations to in-place processing as a performance optimization.
What it accidentally introduced was a path where pages from the page cache, the kernel’s in-memory cache of file contents, could end up in a writable scatterlist. An attacker who knows this can trigger a controlled, deterministic four-byte write into the cached contents of any readable file on the system. Four bytes is enough to own a machine.
By targeting a setuid binary such as /usr/bin/su and writing a small payload into its cached pages, an attacker can cause the kernel to execute arbitrary code with root privileges the next time that binary runs. The entire exploit fits in a 732-byte Python script using only standard library modules available in Python 3.10 and later.
No compiled payloads, no timing races, no per-distribution offsets, no retries. The same script works without modification on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16. Researchers at Bugcrowd noted that this class of bug, universal across distributions, reliable without races, capable of container escape, would historically have sold on the vulnerability broker market for figures approaching half a million dollars.
The upstream fix was committed to the mainline Linux kernel on April 1, 2026, well before the public disclosure. Kernels shipping Linux 7.0 and later are not affected. Ubuntu 26.04 LTS, which shipped on April 23 with Linux 7.0, is not vulnerable.
The problem is that every supported distribution is still running kernels from the affected range: Linux 4.14 through the 7.0-rc series, and any 6.18.x build prior to 6.18.22 or 6.19.x build prior to 6.19.12. That covers an enormous installed base.
On the patch front, Ubuntu released a mitigation through the kmod package that disables the algif_aead module from loading. Users on Ubuntu 22.04 and 24.04 can apply this mitigation without a reboot by unloading the module if it is already loaded, or by upgrading the kmod package and rebooting to ensure the change takes effect.
Fully patched kernel packages are available through the standard Ubuntu security update channels. Debian has released a patched downstream kernel for its distributed older kernel versions.
AlmaLinux moved quickly, building patched kernels from the upstream fix independently rather than waiting on Red Hat, and pushed them to production repositories on May 1, 2026. Fedora and Arch Linux users running their respective current kernels are not affected, as those distributions already ship kernels new enough to be outside the vulnerable range.
One important warning for RHEL-family users: the modprobe-based mitigation that has been circulating online does not work on systems where algif_aead is compiled directly into the kernel rather than built as a loadable module.
On those systems, the modprobe.d rule runs without error but has no effect. Checking whether the module is loadable or compiled-in is necessary before relying on that workaround.
For container environments, the exposure profile is broader than it might appear. On hosts using shared-kernel container runtimes, a compromised container workload can use this exploit to escape the container entirely and reach the host system. The exploit bypasses ordinary VFS write paths, which means standard container filesystem restrictions are not sufficient protection.
Microvm-based isolation, such as Firecracker, or kernel-intercepting runtimes, such as gVisor, are not affected because they do not share the host kernel’s page cache with tenant workloads.
Applying the latest kernel updates for your distribution is the correct and permanent fix. For systems where a reboot is not immediately possible, disabling the algif_aead module is the recommended interim step, subject to the RHEL-family caveat above.
The Ubuntu Security Team, Debian Security Tracker, and AlmaLinux blog all carry distribution-specific guidance for Copy Fail. The original technical write-up from Xint Code is available for those who want the full technical details on how the vulnerability works.
