Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years
CVE-2026-31431 (Copy Fail) is a critical, deterministic local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem, specifically the algif_aead module behind the AF_ALG socket interface. It affects kernels 4.14 through 6.19.12, i.e. every major distribution kernel shipped since 2017. An unprivileged local user can write four attacker-controlled bytes into the kernel's file page cache, corrupting the in-memory copy of a setuid binary such as sudo without modifying the file on disk, which bypasses file-integrity monitoring entirely. A single 732-byte Python script exploits it reliably on the first attempt: there is no race condition to win and no kernel offset to recover. The flaw enables container escapes, takeover of multi-tenant hosts, and compromise of CI/CD pipelines. The fix is a kernel patch that reverts the 2017 in-place optimization; until it is applied, the interim mitigation is to prevent the algif_aead module from loading via modprobe.
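The interim mitigation above (block algif_aead with modprobe) is easy to get half right: a `blacklist` line alone does not stop the module from being pulled in when a process binds an AF_ALG socket for an "aead" algorithm, a drop-in does not unload a module that is already resident, and if the kernel was built with CONFIG_CRYPTO_USER_API_AEAD=y there is no module to block at all. The script below is an added example, not code from the Unit 42 post; the drop-in path, the APPLY_COPYFAIL_MITIGATION variable, and the lsmod text used in the checks are assumptions made for illustration.

```sh
#!/bin/sh
# Added example for the interim mitigation of CVE-2026-31431 (Copy Fail):
# keep the algif_aead kernel module from loading until the kernel is patched.
# This is not the Unit 42 post's code. Assumptions (labelled): the drop-in
# path, the APPLY_COPYFAIL_MITIGATION environment variable, and any sample
# lsmod output fed to module_loaded_in.

MODULE="algif_aead"
# Assumed location for the drop-in; any file under /etc/modprobe.d/ works.
CONF="${MODPROBE_CONF:-/etc/modprobe.d/disable-${MODULE}.conf}"

# Render the modprobe.d drop-in. "install <mod> /bin/false" makes every
# load attempt fail, including the automatic one triggered by an AF_ALG
# bind for an "aead" algorithm; "blacklist" alone only stops alias-based
# autoloading, so both lines are emitted.
render_modprobe_conf() {
  printf '# CVE-2026-31431 (Copy Fail) interim mitigation: block %s\n' "$MODULE"
  printf 'install %s /bin/false\n' "$MODULE"
  printf 'blacklist %s\n' "$MODULE"
}

# Read lsmod-style output on stdin; exit 0 if the module is listed, 1 if not.
# Kept separate from the live check so it can be exercised on captured output
# (the first column is the module name; the header line never matches).
module_loaded_in() {
  awk -v m="$MODULE" '$1 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# Live check of the running system. Returns 0 if the module is neither loaded
# nor compiled in, 1 if it is currently loaded, 2 if it is built into the
# kernel (CONFIG_CRYPTO_USER_API_AEAD=y), where modprobe cannot help and only a
# patched kernel removes the exposure.
check_live() {
  cfg="/boot/config-$(uname -r)"
  if [ -r "$cfg" ] && grep -q '^CONFIG_CRYPTO_USER_API_AEAD=y' "$cfg"; then
    echo "$MODULE is built into this kernel; the modprobe mitigation does not apply"
    return 2
  fi
  if lsmod 2>/dev/null | module_loaded_in; then
    echo "$MODULE is currently loaded"
    return 1
  fi
  echo "$MODULE is not loaded"
  return 0
}

# Apply the mitigation (needs root): write the drop-in, then try to unload the
# module if it is already resident. modprobe -r fails while an AF_ALG aead
# socket is open; the drop-in still blocks any reload after a reboot.
apply_mitigation() {
  render_modprobe_conf > "$CONF" || return 1
  if lsmod 2>/dev/null | module_loaded_in; then
    modprobe -r "$MODULE" || echo "warning: $MODULE is in use; reboot to unload" >&2
  fi
  check_live
}

# Only touch the system when explicitly asked, so sourcing this file is safe.
if [ "${APPLY_COPYFAIL_MITIGATION:-0}" = "1" ]; then
  apply_mitigation
fi
```

Run `APPLY_COPYFAIL_MITIGATION=1 sh disable-algif-aead.sh` as root to apply it, or source the file and call `check_live` on its own to audit a host. Treat a return code of 2 as "patch the kernel now": on a built-in configuration nothing short of the kernel fix closes the hole.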
Table of contents
- Executive Summary
- Details of CVE-2026-31431
- Interim Guidance for CVE-2026-31431
- Unit 42 Managed Threat Hunting Queries
- Conclusion
- Palo Alto Networks Product Protections for CVE-2026-31431