Copy Fail – Linux Kernel Local Privilege Escalation (CVE-2026-31431)
Overview
Copy Fail - Linux Kernel Local Privilege Escalation, tracked as CVE-2026-31431, affects algif_aead handling in the Linux kernel crypto subsystem. The issue is a local privilege escalation risk: an attacker needs local access, but successful exploitation can lead to root-level impact.
Vulnerability Overview
CVE-2026-31431 is caused by incorrect resource transfer between different memory mappings in algif_aead. The upstream fix reverts in-place operation added by commit 72548b093ee3 and returns to out-of-place handling because the source and destination mappings should not be treated as the same resource.
The issue is commonly referred to as Copy Fail. Public technical writeups describe page-cache corruption behavior, but the defensive takeaway is simpler: affected kernels can allow a low-privilege local user to influence privileged execution paths through the vulnerable crypto interface.
Impact
The vulnerability is rated High with a CVSS 3.1 score of 7.8. Successful exploitation can allow local privilege escalation with high confidentiality, integrity, and availability impact.
CVE-2026-31431 is listed in CISA KEV, which indicates known exploitation and makes affected Linux systems a priority for patching.
Vulnerability Scope
Affected Linux kernel ranges include 4.14 through multiple stable branches before their fixed releases. Fixed branch versions identified in the CVE record include 5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85, 6.18.22, 6.19.12, and 7.0.
Distribution kernels may carry backported fixes, so administrators should check vendor security advisories and package changelogs rather than relying only on upstream version numbers.
Lab Focus
This Hackviser lab focuses on understanding how kernel crypto subsystem bugs can become local privilege escalation paths. You will practice identifying affected kernel branches, interpreting upstream stable fixes, and connecting local kernel exploitation risk to patch management and hardening.