Urgent May Day Alert: CVE‑2026‑31431 Linux Kernel LPE & Container Escape
A high‑severity Linux kernel flaw (CVE‑2026‑31431, dubbed "Copy Fail") allows ordinary users to gain root privileges and escape containers via an AF_ALG and splice() optimization bug, affecting major distributions; the article details the vulnerability, exploitation steps, PoC, and mitigation guidance.
Core Vulnerability Information
On 2026‑04‑29, Theori disclosed the Linux kernel vulnerability CVE‑2026‑31431 “Copy Fail”, a local privilege escalation and container‑escape flaw (CVSS 9.8).
Proof‑of‑concept source: https://github.com/theori-io/copy-fail-CVE-2026-31431
Affected Distributions and Kernels
The builds below are the ones named in the article. Because the flaw lies in the kernel's own authencesn/AF_ALG/splice path, any kernel that ships those components should be treated as affected until the vendor fix is installed.
Ubuntu 24.04 LTS (also 22.04) – kernel 6.17.0-1007-aws
Amazon Linux 2023 – kernel 6.18.8-9.213.amzn2023
RHEL 10.1 – kernel 6.12.0-124.45.1.el10_1
SUSE 16 – kernel 6.12.0-160000.9-default
Exploitation Conditions
Ordinary user privileges.
Kernel compiled with AF_ALG and authencesn modules.
splice() system call usable.
Presence of a setuid binary that the attacker can open for reading (e.g., /usr/bin/su, which is world‑readable as setuid binaries normally are).
Vulnerability Principle
The bug lies in the authencesn AEAD template. When data is fed to an AF_ALG socket with splice(), an in‑place optimization in the kernel hands the spliced page‑cache pages to the crypto code as writable, even though they are file‑backed pages to which the caller only has read access. By splicing a setuid binary through this path, an attacker can write controlled bytes into the binary's cached pages and then run the altered program to gain root.
Exploit Flow (minimal)
Create an AF_ALG socket bound to the authencesn(hmac(sha256),cbc(aes)) AEAD.
Open a setuid binary (e.g., /usr/bin/su) read‑only and use splice() to feed its page‑cache pages into the socket's encryption pipeline.
The in‑place optimization places those read‑only page‑cache pages on the list the kernel will write to.
Write four attacker‑chosen bytes into the cached page, altering the program's logic.
Execute the tampered binary; it still runs with root privileges and yields a root shell.
Exploit Characteristics
Single‑script, near‑100 % success, no race conditions.
Modifies only the page cache, never the file on disk, so on‑disk integrity scans show nothing and a reboot or cache eviction leaves no trace. While the tampered page remains cached, however, reads of the file are served from it, so a live hash check against the package database (rpm -V, debsums) can reveal the mismatch.
Can corrupt host cache from within a container, enabling container escape.
PoC is a 732‑byte Python script.
Demonstration
git clone https://github.com/theori-io/copy-fail-CVE-2026-31431.git
python copy_fail_exp.py
# id
# uname -r
# cat /etc/os-release
The three commands after the prompt run in the root shell the PoC returns and confirm uid 0, the kernel build and the distribution.
Official Patches (preferred)
Ubuntu: kernel 6.17.0-1008-aws or newer.
RHEL: kernel 6.12.0-124.46.1.el10_1 or newer.
SUSE: kernel 6.12.0-160000.10-default or newer.
Amazon Linux: yum update kernel.
Temporary Workarounds (until a patched kernel is booted)
Prevent the authencesn module from loading (blacklist it under /etc/modprobe.d); this takes effect only once the module is unloaded or the host is rebooted, and cannot help if authencesn is built into the kernel.
Prevent ordinary users from creating AF_ALG sockets, for example by blacklisting the algif_* modules or by denying socket() with family AF_ALG through seccomp or an LSM policy.
Apply a seccomp profile to containers that denies splice() and socket() with family AF_ALG (38), after checking that the workload does not rely on splice() for zero‑copy I/O.
Enable page‑cache integrity checks and kernel page‑table protection.
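The following script is an added example, not part of the article or of Theori's repository: it writes the module blacklist and the container seccomp profile from the workarounds above as deployable files. The module names besides authencesn (af_alg and the algif_* modules, which implement the AF_ALG socket interface) and all file paths are my own choices; AF_ALG's family number 38 comes from the kernel's socket.h.

```sh
#!/bin/sh
# Added example: generate interim mitigations for CVE-2026-31431 (Copy Fail).
# Not from the article or the Theori PoC; the module list beyond authencesn
# and all paths are my own assumptions.

# 1) Stop the relevant modules from loading on demand. "install X /bin/false"
#    makes modprobe fail instead of loading X. If a module is already loaded,
#    also run "modprobe -r X"; if the code is built into the kernel (=y in
#    /boot/config-$(uname -r)) this file has no effect and only the kernel
#    update helps. algif_aead is the AF_ALG type an AEAD template such as
#    authencesn is bound through; af_alg and the other algif_* modules are
#    listed to disable the AF_ALG interface entirely.
write_modprobe_blacklist() {
    out=$1   # e.g. /etc/modprobe.d/cve-2026-31431.conf
    for m in authencesn af_alg algif_aead algif_skcipher algif_hash algif_rng; do
        echo "install $m /bin/false"
    done > "$out"
}

# 2) Container seccomp profile: EPERM for splice() and for socket() whose first
#    argument (the address family) is AF_ALG = 38. defaultAction ALLOW keeps the
#    example short; in production add these two entries to the runtime's default
#    profile instead of replacing it, and test workloads that use splice().
write_seccomp_profile() {
    out=$1   # e.g. /etc/docker/seccomp-copyfail.json
    cat > "$out" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    { "names": ["splice"], "action": "SCMP_ACT_ERRNO" },
    { "names": ["socket"], "action": "SCMP_ACT_ERRNO",
      "args": [ { "index": 0, "value": 38, "op": "SCMP_CMP_EQ" } ] }
  ]
}
EOF
}

# Typical use (as root):
#   write_modprobe_blacklist /etc/modprobe.d/cve-2026-31431.conf
#   write_seccomp_profile    /etc/docker/seccomp-copyfail.json
#   docker run --security-opt seccomp=/etc/docker/seccomp-copyfail.json ...
```

For Kubernetes the same JSON is referenced from the pod's securityContext as a Localhost seccomp profile. Verify the blacklist with lsmod after a reboot and the profile by running socket(AF_ALG, …) inside the container, which should now fail with EPERM.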
Verification
Check kernel version with uname -r.
Run the official detection script, or the PoC itself, only on a disposable copy of the host: on an unpatched kernel the PoC yields a root shell and leaves a tampered su in the page cache. Failure to gain privilege indicates the patch is effective.
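Rather than running the PoC on a production host, the running kernel build can be compared against the fixed builds listed above. The script below is an added example of mine, not a vendor or article tool: the fixed version strings are the ones this article gives, the distro keys and function names are my own, and Amazon Linux is left out because the article names no fixed build.

```sh
#!/bin/sh
# Added example: check a running kernel string against the fixed builds named
# in this article for CVE-2026-31431. Helper names and distro keys are my own.

# Reduce a kernel string to its numeric fields, e.g.
#   "6.12.0-124.46.1.el10_1" -> "6 12 0 124 46 1 10 1"
#   "6.17.0-1008-aws"        -> "6 17 0 1008"
# Every non-digit is a separator; that is enough for the vendor build strings
# above but is NOT a general package-version comparison.
version_fields() {
    printf '%s' "$1" | tr -c '0-9' ' ' | tr -s ' ' | sed 's/^ //; s/ $//'
}

# version_ge A B: succeed when A >= B, comparing field by field numerically
# (missing trailing fields count as 0).
version_ge() {
    a=$(version_fields "$1")
    b=$(version_fields "$2")
    i=1
    while :; do
        x=$(printf '%s \n' "$a" | cut -d' ' -f"$i")
        y=$(printf '%s \n' "$b" | cut -d' ' -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then return 0; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# First patched builds as listed in the article. Amazon Linux 2023 is omitted
# because the article only says "yum update kernel".
fixed_kernel_for() {
    case "$1" in
        ubuntu) echo "6.17.0-1008-aws" ;;
        rhel)   echo "6.12.0-124.46.1.el10_1" ;;
        suse)   echo "6.12.0-160000.10-default" ;;
        *)      return 1 ;;
    esac
}

# check_kernel DISTRO KERNEL: prints "patched" or "VULNERABLE". Only meaningful
# when KERNEL belongs to the same build series as the fixed build (an Ubuntu
# "-aws" kernel against the "-aws" fix); another flavour or major series must
# be checked against its own vendor advisory.
check_kernel() {
    fixed=$(fixed_kernel_for "$1") || { echo "no fixed build known for: $1" >&2; return 2; }
    if version_ge "$2" "$fixed"; then echo patched; else echo VULNERABLE; fi
}

# On a live host:  check_kernel rhel "$(uname -r)"
```

The comparison is purely numeric on the build string, so it tells you whether the fix build has been installed and booted; it does not tell you whether a different kernel flavour on the same host carries the fix.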
Security Recommendations
Upgrade cloud VMs and physical servers within 12 hours and reboot.
For Kubernetes/Docker clusters, update node kernels first and harden container permissions.
Monitor socket() calls with family AF_ALG and splice() calls from unprivileged processes, and executions of setuid binaries by unexpected users or parent processes.
Integrate CVE‑2026‑31431 into vulnerability scanning and patch‑management processes.
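As an added example of the monitoring recommended above (my own, not from the article or the Theori repository), the script below prints auditd rules for AF_ALG socket creation, splice() and execution of /usr/bin/su, and runs a small triage filter that correlates the records by pid. The audit records it is run over are constructed for the example, not captured from a real incident; syscall numbers are those of x86_64.

```sh
#!/bin/sh
# Added example, not from the article or the Theori repository: auditd rules
# for the activity the article says to monitor, plus a triage filter that
# correlates AF_ALG socket() and splice() calls by pid. The sample records are
# constructed for this example, not captured from a real system.

# Rules for x86_64. auditctl takes a0 in decimal (AF_ALG = 38), while the
# records it produces print arguments in hex (a0=26). /usr/bin/su is watched
# as the example setuid target; add the other setuid binaries on the host.
audit_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg_socket
-a always,exit -F arch=b64 -S splice -k splice_call
-w /usr/bin/su -p x -k setuid_exec
EOF
}

# Constructed SYSCALL records (x86_64 numbers: socket=41, splice=275,
# execve=59). pid 2231 shows the sequence described in the article and then
# executes su (pid 2240, ppid=2231); pid 3100 is ordinary splice() use by socat.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1746057600.101:1201): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 ppid=2210 pid=2231 auid=1000 uid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.12" key="af_alg_socket"
type=SYSCALL msg=audit(1746057600.140:1202): arch=c000003e syscall=275 success=yes exit=4 a0=4 a1=0 a2=3 a3=0 ppid=2210 pid=2231 auid=1000 uid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.12" key="splice_call"
type=SYSCALL msg=audit(1746057601.020:1203): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c1a0 a1=55d0c1b0 a2=55d0c1c0 a3=0 ppid=2231 pid=2240 auid=1000 uid=1000 euid=0 comm="su" exe="/usr/bin/su" key="setuid_exec"
type=SYSCALL msg=audit(1746057605.300:1204): arch=c000003e syscall=275 success=yes exit=65536 a0=5 a1=0 a2=6 a3=0 ppid=1 pid=3100 auid=1001 uid=1001 euid=1001 comm="socat" exe="/usr/bin/socat" key="splice_call"'

# Print "pid comm exec_su" for every process that both created an AF_ALG socket
# and called splice(); exec_su is "yes" when a child of that pid executed
# /usr/bin/su. Reads SYSCALL records on stdin, e.g.
#   ausearch --raw --start today | flag_af_alg_splice
flag_af_alg_splice() {
    awk '
    /^type=SYSCALL/ {
        pid = ""; ppid = ""; sc = ""; a0 = ""; comm = ""; exe = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "="); if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1); gsub(/"/, "", v)
            if (k == "pid") pid = v
            else if (k == "ppid") ppid = v
            else if (k == "syscall") sc = v
            else if (k == "a0") a0 = v
            else if (k == "comm") comm = v
            else if (k == "exe") exe = v
        }
        if (sc == "41" && a0 == "26") alg[pid] = comm
        if (sc == "275") spl[pid] = 1
        if (sc == "59" && exe == "/usr/bin/su") su_parent[ppid] = 1
    }
    END {
        for (p in alg)
            if (p in spl) { s = (p in su_parent) ? "yes" : "no"; print p, alg[p], s }
    }'
}
```

On the constructed records the filter reports pid 2231 (python3) with exec_su "yes" and ignores socat, which only used splice(). The splice() rule is noisy on hosts running proxies or file servers; the AF_ALG rule is the rare event worth alerting on by itself.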
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Ops Development Stories
Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.