CVE-2026-31431, codenamed "Copy Fail," CVSS 7.8, is a local privilege escalation (LPE) in the Linux kernel's cryptographic subsystem — now on CISA's KEV list and confirmed actively exploited. Microsoft Security, Palo Alto Unit 42, and Red Hat have issued advisories. The shock is scale: researchers demonstrated a 732-byte Python script that lets any unprivileged user become root on virtually every modern Linux distribution. For anyone running sites, APIs, or databases on a Linux VPS or cloud host — nearly every PHP / Laravel / Nginx shop — this is a host-level total-compromise bug.
In plain terms: the flaw lives in the kernel's algif_aead module (AF_ALG, the userspace crypto API). A 2017 in-place optimization (commit 72548b093ee3) for AEAD encryption mishandles memory. The chain is short: a local low-priv user triggers the mishandling via AF_ALG, gains kernel memory corruption, escalates to root. No user interaction, no special prerequisites — just code execution. The PoC is effectively public.
Scope, quantified: every distribution on kernel 4.13+ since 2017 — Ubuntu, Amazon Linux, RHEL, Debian, SUSE, AlmaLinux — millions of production machines. Timeline: flaw introduced 2017 → fix merged to mainline 2026-04-01 (commit a664bf3d603d) → distros rolled out → CISA added to KEV after in-the-wild exploitation. Why act within 24 hours? It breaks the trust assumption of any environment where outsiders can run code — once an attacker has a low-priv shell, they go straight to root.
Technical Details
Classification: LPE via kernel memory corruption in algif_aead. Low complexity, local low privilege, no interaction. Check and mitigate:
```bash
# Kernel version: anything 4.13+ carries the 2017 code unless your distro has shipped the fix
uname -r
# Is the vulnerable module currently loaded? Empty output is not "safe": AF_ALG autoloads it on first use
lsmod | grep algif_aead
# Mitigation when you cannot reboot yet: stop the module from being (auto)loaded, then try to unload it
echo "install algif_aead /bin/true" | sudo tee /etc/modprobe.d/disable-algif_aead.conf
sudo modprobe -r algif_aead 2>/dev/null || echo "module in use; reboot needed"
# Patch + reboot
sudo apt update && sudo apt upgrade -y   # Debian/Ubuntu
# or: sudo dnf update kernel -y          # RHEL/Alma/Rocky
sudo reboot
```
For most web hosts, algif_aead is not required; blocking it usually does not affect Nginx / PHP-FPM / MySQL — verify on staging first.
Immediate Actions
- Sysadmins: inventory kernel versions, schedule patch + reboot for everything on 4.13+. Where you cannot reboot, block algif_aead. Prioritize multi-tenant and internet-facing hosts.
- Developers: your web layer is the attacker's first shell. Audit Laravel for file-upload RCE, unserialize risks, and over-broad storage permissions; run PHP-FPM as a non-privileged user and set open_basedir.
- Agencies: send every managed client a notice with a maintenance window and a fixed quote — turn passive risk into proactive service.
Patch vs Mitigation
| Situation | Action | Risk |
|---|---|---|
| Can reboot | Kernel update + reboot | Most complete; needs downtime |
| Cannot reboot now | modprobe -r + blacklist | Temporary; risk returns on reload |
| Module in use | Force reboot at nearest window | Exposed in transition |
| Multi-tenant | Top priority; isolate code-executors | Untreated = LPE anytime |
IOCs & Threat Intel
Indicators: unexpected loading of algif_aead; a normal user process spawning a uid=0 child; anomalous AF_ALG socket use; small suspiciously-named binaries appearing briefly. Use auditd to monitor socket(AF_ALG, ...) and alert on non-root processes spawning root shells (Falco rule). Post-root: persistence via cron / systemd, log clearing, lateral movement — cross-check last and /var/log/auth.log.
What They Won't Tell You
First, CVSS 7.8 understates the risk — as an LPE its danger is chaining with any web flaw, turning a read-only minor bug into full host takeover. Second, "I patched" is not safe — kernel updates require a reboot, and many teams run upgrade but never reboot. Third, blocking algif_aead breaks services that genuinely use AF_ALG; confirm first.
The Bigger Trend
A 2017 optimization detonating in 2026 shows historical kernel debt is being mined systematically, and the disclosure-to-exploitation window keeps shrinking. The kernel-LPE + web-RCE combo turns "server ops" from one-off delivery into a service that needs continuous watching.
My Take
Contrarian: for SMB clients agencies maintain, LPE is more dangerous than remote flaws, because the client almost certainly has a half-open web entry point. Attackers getting a low-priv shell is routine; Copy Fail amplifies a small breach into full compromise. ScriptWalker client-care: make "kernel vuln sweep + scheduled patching + reboot verification" a fixed part of a monthly retainer, and use this CVE to send a proactive client notice. Clients buy peace of mind that someone is watching their server.