🟢 CVE-2026-31431

CVE-2026-31431 is a Linux kernel vulnerability in the crypto subsystem (algif_aead) that requires local access to exploit. Despite being in CISA KEV due to active exploitation, this is a privilege escalation vulnerability that cannot be directly exploited over the internet.

Risk Level: LOW_RISK

CVSS Score: 7.8

Attack Vector: LOCAL

ATT&CK Tactic: Privilege Escalation

ATT&CK Technique: T1068 — Exploitation for Privilege Escalation

Deployment Risk: VERY_HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2026-04-22

Added to CISA KEV: 2026-05-01 (9 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2026-31431, widely referred to as "Copy Fail," is a high-severity security vulnerability in the Linux kernel that allows for unauthorized privilege escalation to root [1].

Overview and Impact
  • Vulnerability Type: The flaw exists in the Linux kernel's `algif_aead` cryptographic algorithm interface [3]. It is caused by an incorrect in-place operation that leads to memory corruption or improper handling of data, which can be leveraged to escalate privileges [3].
  • Impact: Successful exploitation provides an attacker with root-level access to the affected system [1]. This is particularly critical for cloud environments and containerized workloads (e.g., Kubernetes), where such access can lead to widespread compromise [1].

Exploitation and Threat Landscape
  • Active Exploitation: As of early May 2026, reports indicated that a working exploit was already available and being used in the wild [1].
  • Exploit Availability: The vulnerability has been described as "trivially exploitable," and proof-of-concept code or exploit methods have circulated within the security community [2].
  • Usage: While it is a potent tool for privilege escalation, it is primarily associated with enabling deeper access once an initial foothold is gained, making it a significant concern for both targeted attacks and potential inclusion in automated exploit kits used in broader campaigns [1].

Affected Systems and Mitigation
  • Affected Versions: The vulnerability impacts a vast range of Linux distributions released over the past nine years, as the underlying logic bug was present in the kernel for an extended period [2].
  • Patch Status: The issue was resolved in the Linux kernel by reverting the problematic change to the `algif_aead` interface, forcing it to operate out-of-place [5].
  • Remediation: Organizations are strongly advised to apply the latest kernel security updates provided by their respective Linux distribution vendors (e.g., Red Hat, Debian, Amazon Linux) as soon as possible [4] [6] [7].

Sources

  1. CVE-2026-31431: Copy Fail vulnerability enables Linux root privilege ...

    A high-severity Linux vulnerability, “Copy Fail” (CVE-2026-31431), enables root privilege escalation across cloud environments and Kubernetes workloads. With a working exploit already in the wild, organizations should act quickly to detect, mitigate, and reduce risk. ... This vulnerability allows un…

  2. Copy Fail (CVE-2026-31431) is a trivially exploitable logic bug in ...

    Copy Fail (CVE-2026-31431) is a trivially exploitable logic bug in Linux, reachable on all major distros released in the last 9 years. A small, ...

  3. CVE-2026-31431 - Red Hat Customer Portal

    Description. A flaw was found in the Linux kernel's algif_aead cryptographic algorithm interface. An incorrect in-place operation causes source ...

  4. RHSB-2026-002 Cryptographic Subsystem Privilege Escalation - Linux ...

    Public Date: April 21, 2026 at 05:00 PM; Updated: May 13, 2026 at 09:18 AM; Status: Resolved; Impact: Important.

  5. CVE-2026-31431 Detail - NVD

    Description. In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This ...

  6. CVE-2026-31431 - Amazon Linux Security Center

    In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place To mitigate this issue, we recommend that ...

  7. CVE-2026-31431 - security-tracker.debian.org

    Vulnerable and fixed packages The table below lists information on source packages. ... Name, CVE-2026-31431. Description, In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place ...