Potential Impact
A local attacker (e.g. any user with shell access) could potentially escalate their privileges to root, allowing them to read sensitive data, install malware, modify system files or pivot to other systems.
Immediate Mitigation
Since this is a kernel-level vulnerability, the immediate recommendation is to check with your distribution maintainer to see if a kernel patch has been released and patch as soon as possible. Several major distributions such as Debian, SUSE and Ubuntu have already released patches.
You must update your Linux distribution to a kernel version that includes mainline commit a664bf3d603d. This commit reverts the faulty in-place optimization and permanently neutralizes the attack.
If you cannot patch the system immediately, consider disabling the vulnerable module by blacklisting the algif_aead kernel module. This should not impact the vast majority of systems as the cryptography will fall back to standard userspace libraries.
In addition, consider blocking sockets in containers: for untrusted workloads, CI runners, or Kubernetes clusters, block AF_ALG socket creation using seccomp profiles regardless of your patch state.
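An added example of such a profile (not from the original advisory and not a Trend-supplied profile) for Docker, containerd or Kubernetes: it denies socket() calls whose first argument is AF_ALG (38 on Linux) and returns EAFNOSUPPORT (97), the same error a kernel built without AF_ALG would give, so software that probes for kernel crypto falls back to userspace cleanly.

```json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_AARCH64"
  ],
  "syscalls": [
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 97,
      "args": [
        {
          "index": 0,
          "value": 38,
          "op": "SCMP_CMP_EQ"
        }
      ]
    }
  ]
}
```

Apply it with `docker run --security-opt seccomp=block-af-alg.json ...` (file name chosen here) or in Kubernetes through `securityContext.seccompProfile` with `type: Localhost`. In production, merge this rule into a copy of the runtime's default profile rather than shipping `defaultAction: SCMP_ACT_ALLOW` on its own, and note that 32-bit x86 workloads reach socket() through socketcall, which this rule does not cover.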
As with any change of this sort, it is always recommended to apply in a test scenario before deploying to production.
TrendAI Platform Monitoring and Defenses
As information about this LPE vulnerability is still evolving, TrendAI is closely monitoring and will continue to update as more information becomes available.
TrendAI customers can use the following capabilities to monitor for and investigate suspicious activity as the situation develops:
TrendAI Vision One Container Security
TrendAI customers can manage and enforce the recommended seccomp profiles using the Container Security module to prevent attackers from using this flaw as a cross-container or cross-tenant escape primitive.
In addition, File Integrity Monitoring could be utilized to look for suspicious activity.
TrendAI Vision One XDR Threat Investigation
Monitor the Observed Attack Techniques (OAT) module for suspicious executions. Because the exploit typically targets setuid-root binaries (like /usr/bin/su or pkexec) to inject shellcode and open a root shell, any anomalous execution of these binaries by unprivileged users can trigger automated response actions.
TrendAI Vision One Vulnerability Management
Use the Cyber Risk Exposure Management (CREM) module to quickly discover and prioritize all Linux servers running vulnerable kernels compiled between 2017 and 2026.