Linux kernel vulnerability dubbed CVE-2026-31431 affects major distributions released since 2017

Researchers disclosed a Linux kernel local privilege-escalation vulnerability tracked as CVE-2026-31431 and referred to as “Copy Fail.”
Multiple reports say the vulnerability affects virtually all or nearly all major Linux distributions released since 2017.
The flaw allows an unprivileged local user to write four controlled bytes into the page cache of a readable file and use that capability to gain root privileges.
Sources describe the bug as a logic flaw in the Linux kernel’s cryptographic subsystem, including the algif_aead or related authenticated-encryption code path.
A public proof-of-concept exploit has been released, and several reports say it can work with a 732-byte Python script across tested distributions without race conditions or per-kernel customization.
The vulnerability is primarily a risk after an attacker already has local code execution or user-level access, because it can turn limited access into full administrative control.
Containerized and shared-kernel environments are highlighted as especially exposed because the page cache is shared, raising the possibility of impact beyond a single container or user context.
Kernel patches have been issued, but reports said at disclosure time that many Linux distributions had not yet shipped those fixes, leaving patch rollout as an immediate next step.

Researchers disclosed a Linux kernel local privilege-escalation vulnerability tracked as CVE-2026-31431 and referred to as “Copy Fail.”
Multiple reports say the vulnerability affects virtually all or nearly all major Linux distributions released since 2017.
The flaw allows an unprivileged local user to write four controlled bytes into the page cache of a readable file and use that capability to gain root privileges.
Sources describe the bug as a logic flaw in the Linux kernel’s cryptographic subsystem, including the algif_aead or related authenticated-encryption code path.
A public proof-of-concept exploit has been released, and several reports say it can work with a 732-byte Python script across tested distributions without race conditions or per-kernel customization.
The vulnerability is primarily a risk after an attacker already has local code execution or user-level access, because it can turn limited access into full administrative control.
Containerized and shared-kernel environments are highlighted as especially exposed because the page cache is shared, raising the possibility of impact beyond a single container or user context.
Kernel patches have been issued, but reports said at disclosure time that many Linux distributions had not yet shipped those fixes, leaving patch rollout as an immediate next step.