CVE-2026-31431, dubbed 'Copy Fail', is a Linux kernel vulnerability (affecting kernels 4.14+) in the AF_ALG crypto subsystem. A 2017 performance patch introduced in-place AEAD cipher operations that inadvertently allowed file-backed page cache pages to be used as output buffers. An unprivileged local user can exploit this via splice() and AF_ALG sockets to write controlled bytes into the page cache of privileged files like setuid binaries or /etc/passwd — without modifying the file on disk — ultimately gaining root access. A 732-byte Python PoC was demonstrated across multiple Linux distributions. The fix reverts the 2017 optimization. Mitigations include disabling the AF_ALG AEAD module or blocking AF_ALG sockets via seccomp.
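The seccomp mitigation mentioned above, as an added example (not code from the original article or from the kernel project): a minimal filter that makes `socket(AF_ALG, ...)` fail with `EPERM`, checked inside a forked child. It assumes a little-endian ABI where `socket` is a direct syscall; a production filter must also check `seccomp_data.arch` and cover `socketcall` on 32-bit ABIs. The function names are illustrative.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#ifndef AF_ALG
#define AF_ALG 38
#endif

/* Install a filter: socket(AF_ALG, ...) -> EPERM, everything else allowed.
 * Assumes little-endian (low word of args[0] sits at its base offset). */
static int install_af_alg_filter(void)
{
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_ALG, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(insns) / sizeof(insns[0]), .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* 1 = AF_ALG denied and AF_UNIX still works; 0 = not blocked; -1 = seccomp unavailable. */
int af_alg_blocked_under_filter(void)
{
    int st;
    pid_t pid = fork();               /* filter the child only; the caller stays unfiltered */
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_af_alg_filter() != 0) _exit(2);
        int denied = socket(AF_ALG, SOCK_SEQPACKET, 0) < 0 && errno == EPERM;
        int others_ok = socket(AF_UNIX, SOCK_STREAM, 0) >= 0;
        _exit(denied && others_ok ? 0 : 1);
    }
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st) == 0 ? 1 : (WEXITSTATUS(st) == 2 ? -1 : 0);
}

int main(void)
{
    printf("AF_ALG blocked: %d\n", af_alg_blocked_under_filter());
    return 0;
}
```

Because seccomp filters are inherited across `fork` and `execve`, a service manager or container runtime that installs an equivalent rule before launching a workload applies it to every process in that workload.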

7m read time. From infosecwriteups.com