
Copy Fail (CVE-2026-31431): Frequently asked questions about Linux kernel privilege escalation vulnerability



Satnam Narang, Tenable Cyber Exposure Alerts, April 30, 2026

A flaw in the Linux kernel present since 2017 allows a local user to gain root access on virtually every major Linux distribution. A public exploit is available and reported to work reliably.

Key Takeaways

- CVE-2026-31431 is a high severity local privilege escalation vulnerability in the Linux kernel reportedly affecting virtually every major distribution released since 2017.
- A public exploit is available and reported to be reliable, drawing comparisons to previous high-profile Linux kernel privilege escalation flaws.
- Patched kernel versions are available, though some major distributions have not yet shipped updates.

Background

Tenable's Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding CVE-2026-31431, a Linux kernel local privilege escalation vulnerability dubbed "Copy Fail."

FAQ

When was Copy Fail first disclosed?

On March 23, researcher Taeyang Lee of Theori reported the vulnerability to the Linux kernel security team. The flaw was discovered in part using Theori's AI-assisted security scanning tool, Xint Code. A mainline patch was committed on April 1, CVE-2026-31431 was assigned on April 22, and public disclosure occurred on April 29.

What is CVE-2026-31431?

CVE-2026-31431 is a local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem. It was assigned a CVSSv3 score of 7.8.

| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2026-31431 | Linux Kernel Local Privilege Escalation Vulnerability | 7.8 |

The flaw allows a local user to modify the kernel's cached copy of a file in memory without changing the file on disk. By targeting a privileged binary, an attacker can gain root access. Because the modification exists only in the page cache, the underlying file on disk remains unchanged. Standard disk forensics would not detect the alteration, and clearing memory through a reboot or resource pressure causes the cache to reload from the original file. For a detailed technical breakdown, refer to the Xint Code blog post.

How does Copy Fail compare to Dirty Cow and Dirty Pipe?

Copy Fail has drawn comparisons to two other well-known Linux kernel privilege escalation vulnerabilities: Dirty Cow (CVE-2016-5195) and Dirty Pipe (CVE-2022-0847). Both are in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. Dirty Cow relied on a race condition, which meant exploitation could fail or require multiple attempts. Dirty Pipe had constraints around how data could be written and where in a file it could be modified. Copy Fail reportedly works consistently across distributions without relying on a race condition or write-position constraints.

How severe is CVE-2026-31431?

Any local user on a system running a vulnerable kernel can exploit this flaw to gain root access. The exploit uses kernel features that are enabled by default on most distributions and does not require special privileges or configuration.

The highest risk environments are those where multiple users or workloads share a Linux kernel: cloud and multi-tenant systems, container clusters and CI/CD pipelines that run untrusted code. Because the exploit targets the kernel's shared file cache, it can also cross container boundaries. On single-user systems, the risk is lower since an attacker would already need local access.

Which Linux distributions are affected?

Any Linux distribution shipping kernel 4.14 or later is affected. The vulnerability was introduced in 2017 and persisted across nearly a decade of kernel releases. Distribution patch status as of April 30:

| Distribution | Patch Status |
|---|---|
| Ubuntu | Patching |
| SUSE | Patching |
| Red Hat | Patching |
| Debian | Vulnerable |
| Amazon Linux | Vulnerable |
| Arch Linux | Patched |

Is there a proof-of-concept (PoC) available?

Yes. A public PoC was released on GitHub alongside the disclosure. The exploit is a short Python script that modifies a privileged binary in memory and then executes it to obtain root. It is reported to work reliably without requiring multiple attempts or precise timing.

Are there other vulnerabilities related to Copy Fail?

According to Theori, the same research effort that uncovered Copy Fail found additional security flaws in the kernel, at least one of which is also a privilege escalation issue. Those findings remain under coordinated disclosure. This blog will be updated if and when additional information becomes available.

Are patches or mitigations available?

Patched kernel versions have been released:

| Affected Kernel Version Range | Fixed Kernel Version |
|---|---|
| 4.14 | N/A |
| 5.10.* | 5.10.254 |
| 5.15.* | 5.15.204 |
| 6.1.* | 6.1.170 |
| 6.6.* | 6.6.137 |
| 6.12.* | 6.12.85 |
| 6.18.* | 6.18.22 |
| 6.19.12 | 6.19.12 |
| >7.0 | 7.0 |

The fix removes the 2017 optimization that allowed the vulnerability, restoring a safer separation between read and write operations in the kernel's crypto interface.

For systems where an immediate kernel update is not feasible, two workarounds are available depending on kernel configuration.

If the module is loaded dynamically (CONFIG_CRYPTO_USER_API_AEAD=m):

    echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
    rmmod algif_aead 2>/dev/null || true

If the module is compiled into the kernel (CONFIG_CRYPTO_USER_API_AEAD=y), which is the case on some enterprise kernels, the above will not work. Contributors on the oss-security mailing list have reported that adding the following to the kernel boot parameters and rebooting blocks the exploit:

    initcall_blacklist=algif_aead_init

Discussion on the oss-security mailing list has also identified several userspace applications that use the affected kernel interface, including but not limited to cryptsetup and firefox-esr. In practice, initial testing by contributors on the thread has not caused these applications to fail, but the impact may vary by workload. Testing in a non-production environment before deploying either workaround is advisable.

Historical exploitation of Linux kernel vulnerabilities

The Linux kernel has a long history as a target for privilege escalation attacks. CISA's KEV catalog contains over 20 entries for Linux kernel flaws, including the two flaws most commonly compared to Copy Fail:

| CVE | Description | Date Added to KEV | Known Ransomware Use |
|---|---|---|---|
| CVE-2016-5195 | Linux Kernel Race Condition (Dirty Cow) | 2022-03-03 | Unknown |
| CVE-2022-0847 | Linux Kernel Improper Initialization (Dirty Pipe) | 2022-04-25 | Unknown |

As of April 30, CVE-2026-31431 is not listed in the KEV catalog.

Has Tenable Research classified this as part of Vulnerability Watch?

Yes, we classified CVE-2026-31431 as a Vulnerability of Interest under Vulnerability Watch due to the availability of a public proof-of-concept exploit and the historical in-the-wild exploitation of similar Linux kernel vulnerabilities such as Dirty Cow and Dirty Pipe.

Has Tenable released any product coverage for this vulnerability?

A list of Tenable plugins for this vulnerability can be found on the CVE-2026-31431 page as they're released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Get more information

- Copy Fail Advisory
- Xint Code Blog: Copy Fail Linux Distributions
- The Register: Linux Cryptographic Code Flaw
- oss-security: CVE-2026-31431 Disclosure

About the author

Satnam Narang, Senior Staff Research Engineer, Security Response. Satnam joined Tenable in 2018. He has over 15 years of experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He has appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.
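As an added example (not part of Tenable's post or of Theori's research), a POSIX shell check a defender can run on a host: it compares the running kernel against the fixed-version table above, reports how CONFIG_CRYPTO_USER_API_AEAD is built, and looks for either of the two workarounds. The fixed versions come from the table in the patch section; the function names, the config path under /boot and the report wording are this example's own assumptions.

```shell
#!/bin/sh
# Added example for CVE-2026-31431 (Copy Fail); not Tenable's or Theori's code.
# Stable series and the first fixed patch level in each, as listed in the advisory table.
FIXED_TABLE="5.10:254 5.15:204 6.1:170 6.6:137 6.12:85 6.18:22 6.19:12"

# copyfail_kernel_fixed VERSION -> 0 fixed, 1 below the fix (or 4.14, which has no fix),
# 2 series not in the table (consult the distribution's own advisory instead).
copyfail_kernel_fixed() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # drop "-generic" style suffixes
    maj=${ver%%.*}; rest=${ver#*.}
    min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0                   # "7.0" carries no patch level
    case $maj in ''|*[!0-9]*) return 2 ;; esac
    [ "$maj" -ge 7 ] && return 0                    # table: 7.0 and later ship the fix
    for entry in $FIXED_TABLE; do
        series=${entry%%:*}; fixed=${entry#*:}
        if [ "$maj.$min" = "$series" ]; then
            [ "$pat" -ge "$fixed" ] && return 0
            return 1
        fi
    done
    [ "$maj.$min" = "4.14" ] && return 1            # no fixed release listed for 4.14
    return 2
}
# copyfail_workaround_present -> 0 if algif_aead is blocked by a modprobe "install"
# rule or by initcall_blacklist on the kernel command line, 1 otherwise.
copyfail_workaround_present() {
    grep -qs '^install[[:space:]][[:space:]]*algif_aead[[:space:]][[:space:]]*/bin/false' \
        /etc/modprobe.d/*.conf && return 0
    grep -qs 'initcall_blacklist=[^ ]*algif_aead_init' /proc/cmdline && return 0
    return 1
}
copyfail_report() {
    kver=$(uname -r)
    copyfail_kernel_fixed "$kver"; rc=$?
    case $rc in
        0) echo "kernel $kver: at or above the fixed release for its series" ;;
        1) echo "kernel $kver: below the fixed release; update or apply a workaround" ;;
        *) echo "kernel $kver: series not in the table; check your distribution's advisory" ;;
    esac
    # =m means the modprobe rule applies; =y means only the boot parameter can block it.
    grep -s '^CONFIG_CRYPTO_USER_API_AEAD=' "/boot/config-$kver" || echo "kernel config not found"
    # lsmod lists loadable modules only; a built-in (=y) algif_aead never appears here.
    lsmod 2>/dev/null | grep -q '^algif_aead ' && echo "algif_aead module is loaded"
    copyfail_workaround_present && echo "workaround present" || echo "no workaround detected"
}
copyfail_report
```

A "series not in the table" result is not a clean bill of health; it only means the advisory table does not cover that series, so the distribution's own advisory must decide.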