🛡️ Threat Intelligence Report: Copy Fail (CVE-2026-31431) — Linux Kernel Privilege Escalation

1. Source Reports Table

#	Title	Publication Date	Source	Platform Link
1	Copy Fail	2026-04-30	copy.fail (Xint Code — original disclosure)	TI Mindmap HUB
2	Copy Fail: 732 Bytes to Root on Every Major Linux Distribution	2026-04-30	xint.io	TI Mindmap HUB
3	CVE-2026-31431: "Copy Fail" Linux kernel flaw lets local users gain root in seconds	2026-04-30	Sysdig	TI Mindmap HUB
4	Copy Fail: Universal Linux Local Privilege Escalation Vulnerability	2026-05-01	Wiz.io	TI Mindmap HUB
5	Copy Fail: Critical Linux Kernel Privilege Escalation Vulnerability - CVE-2026-31431	2026-05-01	Picus Security	TI Mindmap HUB
6	CVE-2026-31431: Copy Fail vulnerability enables Linux root privilege escalation across cloud environments	2026-05-02	Microsoft Security Blog	TI Mindmap HUB
7	Linux Kernel "Copy Fail" Local Privilege Escalation (LPE), CVE-2026-31431, Under Active Exploitation	2026-05-03	XM Cyber	TI Mindmap HUB
8	Exploit Fail: Why CVE-2026-31431 (Copy Fail) barely scratches Talos Linux	2026-05-03	Sidero Labs	TI Mindmap HUB
9	Debian Linux Patched Copy Fail (CVE-2026-31431) Vulnerability	2026-05-03	OSTechNix	TI Mindmap HUB
10	Proof-of-concept exploit available for Linux 'Copy Fail' vulnerability (CVE-2026-31431)	2026-05-03	Sophos	TI Mindmap HUB

2. Detailed Cross-Source Analysis

2.1 Converging Intelligence — Key Findings Across All 10 Sources

All 10 independent reports converge on the following points regarding CVE-2026-31431 ("Copy Fail"):

Universal Impact: The vulnerability affects every mainstream Linux distribution shipped since July 2017, when kernel commit 72548b093ee3 introduced the vulnerable in-place AEAD optimization. Confirmed exploitable distributions include Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, SUSE 16, Debian (stable), Fedora, CloudLinux, and more.
Trivial, Deterministic Exploitation: Unlike many kernel exploits that rely on race conditions or architecture-specific offsets, Copy Fail is a straight-line logic flaw. The 732-byte Python PoC (SHA-256: a567d09b15f6e4440e70c9f2aa8edec8ed59f53301952df05c719aa3911687f9) works unmodified across all affected distributions.
In-Memory-Only Attack: The exploit corrupts the page cache of setuid binaries (e.g., /usr/bin/su) without modifying on-disk files. This completely evades traditional File Integrity Monitoring (FIM) tools such as AIDE and Tripwire.
Container Escape: Because the Linux page cache is shared across the host, exploitation from within a container can corrupt binaries visible to the host and other containers, enabling container-to-host escape in Kubernetes and multi-tenant environments.
Active Exploitation Confirmed: Microsoft Defender telemetry (report #6) confirms threat actors are actively scanning cloud instances and exploiting CVE-2026-31431 in the wild as of May 1, 2026.
Patching Gap: While the mainline kernel was patched on April 1, 2026 (commit a664bf3d603d), many major distributions remained unpatched over 30 days later. Only rolling-release distributions (Debian sid, Arch Linux) and Debian security repositories have deployed fixes.

2.2 Diverging Perspectives

Sidero Labs / Talos Linux (report #8) provides a notable counterpoint: Talos Linux is architecturally resistant to Copy Fail because it lacks a Python interpreter, has no interactive users, does not ship /usr/bin/su, and contains no setuid binaries on the host. This demonstrates that hardened, immutable OS designs significantly reduce exposure even when the kernel vulnerability exists.
Microsoft (report #6) emphasizes cloud-wide lateral movement post-exploitation, including backdoor deployment and data exfiltration, extending the threat model beyond simple privilege escalation.

2.3 Historical Context — Evolutionary Lineage

Cross-source correlation reveals Copy Fail is the third generation of Linux page cache exploitation techniques:

Vulnerability	CVE	Year	Mechanism	Reliability
Dirty Cow	CVE-2016-5195	2016	Copy-on-write race condition	Requires race window
Dirty Pipe	CVE-2022-0847	2022	Uninitialized pipe buffer flags	Reliable, some constraints
Copy Fail	CVE-2026-31431	2026	AEAD scatterlist logic flaw	Fully deterministic, no race

Each iteration is more reliable, more portable, and harder to detect.

3. Executive Summary

Overview

CVE-2026-31431 ("Copy Fail") is a critical local privilege escalation (LPE) vulnerability in the Linux kernel's cryptographic subsystem (authencesn AEAD via algif_aead). Discovered by Xint Code and publicly disclosed on April 29, 2026, this flaw allows any unprivileged local user to gain root access on virtually every major Linux distribution shipped since 2017. A reliable, deterministic 732-byte Python proof-of-concept is publicly available and works unmodified across Ubuntu, Amazon Linux, RHEL, SUSE, Debian, Fedora, and others. The vulnerability also enables container escapes in shared-kernel environments, posing an existential threat to cloud, Kubernetes, CI/CD, and multi-tenant infrastructure.

Diagram — Attack/Method Overview

┌─────────────────────────────────────────────────────────────────────────────┐
│                        COPY FAIL ATTACK FLOW                                │
│                        CVE-2026-31431                                       │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                             │
│  ┌─────────────────────┐                                                    │
│  │ 1. LOCAL USER ACCESS │  (unprivileged, no special permissions needed)    │
│  └──────────┬──────────┘                                                    │
│             │                                                               │
│             ▼                                                               │
│  ┌─────────────────────────────────┐                                        │
│  │ 2. OPEN AF_ALG SOCKET           │  socket(AF_ALG, SOCK_SEQPACKET, 0)    │
│  │    Bind: authencesn(hmac(sha256))│                                       │
│  └──────────┬──────────────────────┘                                        │
│             │                                                               │
│             ▼                                                               │
│  ┌─────────────────────────────────────────────┐                            │
│  │ 3. SPLICE /usr/bin/su INTO PIPE → AF_ALG    │  splice() zero-copy       │
│  │    Page cache pages exposed to scatterlist   │                           │
│  └──────────┬──────────────────────────────────┘                            │
│             │                                                               │
│             ▼                                                               │
│  ┌─────────────────────────────────────────────────────┐                    │
│  │ 4. TRIGGER AEAD DECRYPTION                          │                    │
│  │    authencesn scratch-writes 4 bytes past boundary   │                   │
│  │    → Controlled overwrite into PAGE CACHE of su      │                   │
│  └──────────┬──────────────────────────────────────────┘                    │
│             │                                                               │
│             ▼                                                               │
│  ┌─────────────────────────────────────────────┐                            │
│  │ 5. EXECUTE /usr/bin/su                       │                           │
│  │    Kernel loads CORRUPTED page cache image   │                           │
│  │    → SHELLCODE EXECUTES WITH ROOT PRIVILEGES │                           │
│  └──────────┬──────────────────────────────────┘                            │
│             │                                                               │
│             ▼                                                               │
│  ┌──────────────────────────────┐    ┌──────────────────────────────────┐   │
│  │ 6a. ROOT SHELL ON HOST       │    │ 6b. CONTAINER ESCAPE             │   │
│  │     Full system compromise   │    │     Shared page cache = host     │   │
│  └──────────────────────────────┘    │     access across containers     │   │
│                                      └──────────────────────────────────┘   │
│                                                                             │
│  ● No race condition   ● No kernel offsets   ● No disk artifacts           │
│  ● 732 bytes exploit   ● Python 3.10+ only   ● Works since 2017 kernels   │
└─────────────────────────────────────────────────────────────────────────────┘

Attribution & Threat Actor Description

Discoverer: Xint Code Research Team — responsible disclosure to the Linux kernel security team on March 23, 2026. Published the original technical write-up and PoC at copy.fail.
Active Threat Actors: Microsoft Defender telemetry confirms unnamed threat actors are actively exploiting the vulnerability in the wild as of May 1, 2026. These actors are:
- Scanning for vulnerable Linux cloud instances (Azure, AWS, GCP)
- Using automated exploitation scripts
- Targeting high-uptime systems missing patches
- Deploying backdoors and exfiltrating data post-compromise
- Moving laterally between VMs and containers
No specific APT attribution has been published as of May 3, 2026. The exploit's trivial nature and public availability make it accessible to the full spectrum of threat actors, from script kiddies to nation-state groups.

4. Technical Details

4.1 Vulnerability Analysis

Property	Detail
CVE	CVE-2026-31431
Name	Copy Fail
CVSS Score	7.8 (HIGH)
CWE	CWE-807 (Reliance on Untrusted Inputs in a Security Decision)
Component	Linux kernel `authencesn` AEAD — `algif_aead` module
Interface	AF_ALG (Kernel Crypto API userspace socket)
Root Cause	In-place AEAD optimization (2017, commit `72548b093ee3`) chains source scatterlist pages into output scatterlist, allowing 4-byte controlled write to page cache
Introduced	July 2017
Fixed	April 1, 2026 (mainline commits `a664bf3d603d` / `fafe0fa2995a`)
Publicly Disclosed	April 29, 2026
CVE Assigned	April 22, 2026

4.2 Exploit Characteristics

Property	Detail
Exploit Size	732 bytes (Python script)
Dependencies	Python 3.10+ (stdlib only: `os`, `socket`, `zlib`)
Race Condition	None — fully deterministic
Kernel Offsets	None required
Target Binary	`/usr/bin/su` (or any setuid-root binary)
Persistence	In-memory only; does not survive reboot or cache eviction
Disk Trace	None — invisible to FIM tools (AIDE, Tripwire, inotify)
Container Escape	YES — shared page cache on host kernel
PoC SHA-256	`a567d09b15f6e4440e70c9f2aa8edec8ed59f53301952df05c719aa3911687f9`
PoC URL	`https://copy.fail/exp`

4.3 Technical Root Cause Deep Dive

The vulnerability exists in the interaction between three Linux kernel components:

AF_ALG Socket Interface: Provides userland access to the kernel's cryptographic subsystem. Any unprivileged user can open an AF_ALG SEQPACKET socket and bind it to cryptographic algorithms.
splice() System Call: Enables zero-copy transfer of file pages into pipes. When a user splices a readable file (e.g., /usr/bin/su) into a pipe, the kernel exposes page cache references (not copies) to the pipe buffer.
authencesn AEAD Algorithm: During decryption, the 2017 in-place optimization uses the destination buffer as scratch space. The algorithm writes 4 bytes (derived from attacker-controlled AAD data) past the intended boundary — into the spliced tag region, which is a live page cache page of the target file.

The result: the attacker writes 4 controlled bytes into the in-memory executable image of a setuid binary. When any process executes that binary, the corrupted page cache version runs with root privileges.

4.4 Affected Linux Distributions (Confirmed Exploitable)

Distribution	Exploitable	Patched (as of 2026-05-03)
Ubuntu 24.04 LTS	YES	NO
Amazon Linux 2023	YES	PENDING
RHEL 10.1	YES	NO
SUSE 16	YES	NO
Debian stable (Bookworm)	YES	YES (via security repo)
Debian 13 Trixie	YES	YES (via security repo)
Debian sid	YES	YES (rolling)
Fedora	YES	PARTIAL
CloudLinux	YES	NO
Arch Linux	YES	YES (rolling)
Talos Linux (Sidero)	Kernel affected, but minimal practical risk due to hardened architecture (no Python, no setuid binaries, no interactive users)

Fixed Kernel Versions: 7.0, 6.19.12, 6.18.22+

4.5 Infrastructure Analysis — Cloud & Container Impact

Copy Fail has unique implications for cloud and container environments:

Shared Page Cache: In Linux, the page cache is a single shared resource for the entire host. Containers sharing a base image with the host also share page cache entries. Exploitation from within a container corrupts the page cache visible to the host and all co-located containers.
Kubernetes: Any pod with local code execution capability (even unprivileged) can exploit Copy Fail to escape to the host, compromising the node and potentially the entire cluster.
CI/CD Pipelines: Build runners that execute untrusted code are high-risk targets.
Multi-tenant SaaS: Any service executing user-provided code on shared Linux infrastructure is vulnerable.
AI/ML Platforms: Code execution environments (Jupyter notebooks, model training runners) on shared infrastructure are exposed.

Microsoft Defender telemetry confirms threat actors are actively scanning for and exploiting vulnerable cloud instances, with post-exploitation activity including:

Backdoor deployment
Sensitive data exfiltration
Lateral movement between VMs and containers
Disabling security controls via compromised root access

5. Detection Opportunities

5.1 Behavioral Detection Rules

Detection Vector	Description	Priority
AF_ALG socket creation by non-root	Any `AF_ALG` `SEQPACKET` socket opened by unprivileged user or outside disk-encryption toolchain	CRITICAL
splice() + AF_ALG combination	`splice()` syscall feeding file pages into AF_ALG socket from unprivileged process	CRITICAL
algif_aead module load	Unexpected loading or registration of `algif_aead` kernel module post-boot	HIGH
auth.log anomalies	Malformed `su` log entries with missing invoking username	HIGH
Hash mismatch on setuid binaries	In-memory vs. on-disk hash mismatch for `/usr/bin/su`, `/usr/bin/passwd`, etc.	HIGH
curl/wget to copy.fail	Network requests to `copy.fail` domain or `/exp` path	MEDIUM
Anomalous privilege escalation events	Unexpected elevation of privileges in user activity logs	HIGH
Unfamiliar scripts in system dirs	Presence of unfamiliar scripts/binaries in `/etc`, `/root`, or system directories	MEDIUM

5.2 Falco / Sysdig Detection Rule

- rule: Copy Fail - AF_ALG Socket from Unprivileged User
  desc: Detect AF_ALG socket creation (potential CVE-2026-31431 exploitation)
  condition: >
    evt.type = socket and
    evt.arg.domain = AF_ALG and
    not proc.is_suid_root and
    not user.name in (root, dm-crypt-service)
  output: >
    AF_ALG socket created by unprivileged user
    (user=%user.name proc=%proc.name pid=%proc.pid container=%container.name)
  priority: CRITICAL
  tags: [CVE-2026-31431, copy-fail, privilege-escalation]

5.3 Auditd Rules

# Monitor AF_ALG socket creation (protocol family 38)
-a always,exit -F arch=b64 -S socket -F a0=38 -k copyfail_af_alg
# Monitor splice() calls targeting setuid binaries
-a always,exit -F arch=b64 -S splice -F exe=/usr/bin/su -k copyfail_splice
-a always,exit -F arch=b64 -S splice -F exe=/usr/bin/passwd -k copyfail_splice

5.4 Detection Limitations

Multiple sources confirm that traditional forensics and FIM are ineffective against Copy Fail:

No on-disk artifacts — file on disk is never modified
No inotify triggers — kernel does not notify file watchers of page cache changes
No persistence across reboot — forensic imaging of disk will miss exploitation
Short attack window — cache eviction removes evidence
Only real-time runtime monitoring (Sysdig, Falco, eBPF-based tools) or AF_ALG syscall auditing can detect the attack

6. Conclusion

CVE-2026-31431 ("Copy Fail") represents one of the most impactful Linux kernel vulnerabilities discovered in the last decade. Its combination of universal applicability (every major distribution since 2017), deterministic exploitation (no race conditions or offsets), stealth (in-memory only, no disk traces), and container escape capability make it a top-priority threat for any organization running Linux infrastructure.

The 30+ day gap between the mainline kernel patch and distribution-level deployments has created a critical exposure window that threat actors are actively exploiting. Organizations must immediately apply mitigations (blacklisting algif_aead, seccomp policies) while accelerating kernel patching across all Linux assets, with particular urgency for cloud, container, CI/CD, and multi-tenant environments.

The evolutionary progression from Dirty Cow → Dirty Pipe → Copy Fail demonstrates that Linux page cache manipulation remains a fertile and dangerous attack surface requiring both kernel-level fixes and runtime monitoring investments.

7. Indicators of Compromise (IoC List)

Network / File-Based IoCs

Label	Type	Value	Confidence
PoC Exploit Hash	SHA-256	`a567d09b15f6e4440e70c9f2aa8edec8ed59f53301952df05c719aa3911687f9`	HIGH (90%)
PoC Hosting URL	URL	`https://copy.fail/exp`	HIGH (90%)
PoC Hosting Domain	Domain	`copy.fail`	MEDIUM

Behavioral IoCs

Label	Type	Description	Confidence
AF_ALG Non-Root Socket	Syscall Anomaly	AF_ALG SEQPACKET socket opened by unprivileged user outside disk-encryption toolchain	HIGH
splice() + Crypto Combo	Syscall Chain	`splice()` feeding file pages into AF_ALG socket from non-root process	HIGH
algif_aead Unexpected Load	Module Load	`algif_aead` kernel module loaded post-boot unexpectedly	HIGH
Malformed su Log Entry	Log Anomaly	`auth.log` entries for `su` with missing invoking username	MEDIUM
Setuid Binary Memory Mismatch	Memory Integrity	In-memory hash of `/usr/bin/su` or `/usr/bin/passwd` differs from on-disk hash	HIGH
PoC Download Activity	Network	HTTP/HTTPS requests to `copy.fail` or path `/exp`	MEDIUM
Anomalous Root Escalation	Privilege Anomaly	Unexpected privilege escalation events from unprivileged users following crypto syscalls	HIGH
Suspicious File in System Dirs	File Anomaly	Unfamiliar scripts or binaries in `/etc`, `/root`, or system directories linked to file copy operations	MEDIUM

8. MITRE ATT&CK Techniques

Tactic	Technique ID	Technique Name	Description
Privilege Escalation	T1068	Exploitation for Privilege Escalation	Exploitation of logic flaw in Linux kernel `algif_aead` module to gain root from unprivileged local user via controlled 4-byte page cache write
Execution	T1059.006	Command and Scripting Interpreter: Python	The PoC exploit is a 732-byte Python script using only standard library modules (`os`, `socket`, `zlib`), requiring Python 3.10+
Defense Evasion	T1014	Rootkit	Page cache corruption acts as a memory-only rootkit; the in-memory representation of setuid binaries is modified without touching disk, evading all traditional file integrity monitoring
Defense Evasion	T1070.004	Indicator Removal: File Deletion	Exploit effects are self-cleaning — page cache corruption does not persist across reboot or explicit cache eviction, leaving no forensic artifacts on disk
Lateral Movement	T1611	Escape to Host	Exploitation from within a container corrupts the shared host page cache, enabling container-to-host escape and lateral movement to other co-located containers
Discovery	T1082	System Information Discovery	Attackers scan for vulnerable Linux kernel versions and high-uptime cloud instances lacking recent security updates
Persistence	T1098	Account Manipulation	Post-exploitation: threat actors create new user accounts with elevated permissions to maintain access after root is obtained
Command and Control	T1105	Ingress Tool Transfer	Post-exploitation: threat actors download additional payloads, backdoors, and tools to compromised systems after gaining root

Report generated 2026-05-03 via TI Mindmap HUB cross-source correlation. All intelligence derived from 10 open-source and vendor publications.