CVE-2026-31431 – CopyFail
Debian, Ubuntu, and AlmaLinux have now released patched kernels. The table and distro blocks below have been updated accordingly. If you applied the mitigation (disable-algif-aead.conf), you can remove it after updating your kernel and rebooting.
Red Hat has released kernel updates for RHEL 8, 9, and 10. Rocky Linux follows via the same upstream packages. Fedora patches are available in the repositories. Distro table and blocks updated accordingly.
Since 2017, a vulnerability has been lurking in the Linux kernel that allows a local attacker without any privileges to write 4 bytes to arbitrary readable files. That sounds like a small thing – but it's enough for a full privilege escalation. The vulnerability was disclosed on April 29, 2026 under the name CopyFail (CVE-2026-31431).
This article explains what's happening, which systems are affected, and what the instant fix looks like on every major distribution.
What's Going On?
The problem lies in three components that together produce unexpected behavior:
- AF_ALG socket: An interface that allows userspace programs to access kernel crypto functions directly.
- splice() syscall: Transfers file cache pages directly into a scatterlist structure inside the kernel.
- authencesn algorithm: During in-place AEAD operations, writes 4 bytes to a location outside the intended output buffer – directly into the page cache.
A commit from 2017 (72548b093ee3) introduced this in-place optimization. The fix (a664bf3d603d) reverts AEAD operations back to out-of-place mode and cleanly separates source and destination scatterlists.
The attack uses an AF_ALG socket combined with splice() to write a controlled 4-byte value into the page cache. This is sufficient to tamper with setuid binaries or configuration files.
Am I Affected?
All kernels from version 4.14 up to and including 6.18.21 and 6.19.11 are vulnerable. This covers practically every production Linux installation from the past several years.
| Distribution | Affected Kernels | Patched Version |
|---|---|---|
| Debian 12 (Bookworm) | 6.1.x | 6.1.170-1 ✓ (Security repo, since 2026-05-01) |
| Ubuntu 22.04 LTS | 5.15.x / 6.5.x | Patch available via apt upgrade (since 2026-04-30) |
| Ubuntu 24.04 LTS | 6.8.x | Patch pending: patched package not yet in noble-updates/noble-security |
| Proxmox VE 8 | 6.8.x / 6.17.x | Patch available via Debian Bookworm Security repo |
| RHEL 8 / Rocky 8 | 4.18.x | 4.18.0-553.123.1 ✓ (May 2026) |
| RHEL 9 / Rocky 9 / AlmaLinux 9 | 5.14.x | 5.14.0-611.54.1 ✓ (May 2026) |
| RHEL 10 / AlmaLinux 10 | 6.12.x | 6.12.0-124.55.1 ✓ (May 2026) |
| Fedora 40 / 41 | 6.11.x – 6.12.x | Patch available in Fedora repositories ✓ |
| Arch Linux | Rolling, kernel < 6.18.22 | linux 6.18.22+ (Rolling) |
| Mainline | < 6.18.22 / < 6.19.12 | 6.18.22, 6.19.12, 7.0+ |
Quick check on any system:
```bash
# Show kernel version
uname -r
# Is the module already loaded?
lsmod | grep algif_aead
```
If algif_aead does not appear in the lsmod output, the module is not currently active. However, it can be loaded on demand at any time – by an application using AF_ALG with AEAD. The instant fix prevents exactly that.
Instant Fix (All Distros)
Until a patched kernel is available, the following measure prevents the vulnerable module from being loaded. It is distribution-independent and takes effect immediately:
```bash
# Block the module permanently
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
# Unload the module if it's already loaded
rmmod algif_aead 2>/dev/null || true
# Verify
cat /etc/modprobe.d/disable-algif-aead.conf
```
Roll out to multiple servers at once (example using SSH config aliases):
```bash
# Deploy to all servers in parallel
for host in server1 server2 server3; do
  ssh "$host" 'echo "install algif_aead /bin/false" \
    > /etc/modprobe.d/disable-algif-aead.conf \
    && echo "OK: $HOSTNAME"' &
done
wait
```
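An added example, not part of the original article: the quick check and the instant fix above combined into one function that reports whether the block is actually effective on a host. It also covers a case lsmod cannot show: if algif_aead is compiled into the kernel (listed in modules.builtin), a modprobe.d install rule has no effect. The function name and the state names are assumptions made for this example.

```bash
#!/bin/sh
# Added example: classify how exposed one host is to on-demand loading of
# algif_aead. Function and state names are illustrative.
#
# algif_aead_state [PROC_MODULES] [MODULES_BUILTIN] [MODPROBE_DIR...]
# prints one of:
#   builtin   compiled into the kernel; a modprobe.d rule cannot block it
#   loaded    module is in memory now; rmmod is needed as well as the rule
#   blocked   not loaded, and an "install algif_aead ..." override exists
#   loadable  not loaded, no override: AF_ALG can pull it in on demand
algif_aead_state() {
    proc_modules=${1:-/proc/modules}
    builtin_list=${2:-/lib/modules/$(uname -r)/modules.builtin}
    if [ $# -ge 2 ]; then shift 2; else shift $#; fi
    # Default search path: the directories modprobe reads *.conf files from.
    [ $# -gt 0 ] || set -- /etc/modprobe.d /run/modprobe.d \
                           /usr/lib/modprobe.d /lib/modprobe.d

    # Built-in code never goes through modprobe, so check this first.
    if grep -Eq '/algif[_-]aead\.ko' "$builtin_list" 2>/dev/null; then
        echo builtin; return 0
    fi
    if grep -q '^algif_aead ' "$proc_modules" 2>/dev/null; then
        echo loaded; return 0
    fi
    # modprobe treats "-" and "_" in module names as the same character.
    # Commented-out rules do not match because the pattern is anchored.
    for dir in "$@"; do
        for conf in "$dir"/*.conf; do
            [ -f "$conf" ] || continue
            if grep -Eq '^[[:space:]]*install[[:space:]]+algif[_-]aead[[:space:]]' "$conf"; then
                echo blocked; return 0
            fi
        done
    done
    echo loadable
}

# Live check with the default paths (or pass constructed files to test).
algif_aead_state "$@"
```

Anything other than `blocked` on an unpatched kernel means the mitigation is not in effect; `builtin` can only be resolved by installing a patched kernel.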
Distro-Specific Notes
6.1.170-1 · available since 2026-05-01
Patch is available in the Debian Security repository (DSA published):
```bash
apt update && apt upgrade linux-image-$(uname -r)
# After reboot, remove the mitigation:
rm /etc/modprobe.d/disable-algif-aead.conf
```
Track status: security-tracker.debian.org
```bash
apt update && apt upgrade linux-image-$(uname -r)
# After reboot and kernel update:
rm /etc/modprobe.d/disable-algif-aead.conf
```
The patched package is not yet in noble-updates or noble-security. Ubuntu delivers kernel security fixes as a new package with an incremented version number (e.g. 6.8.0-112); that package is currently missing. Until then, the modprobe.d mitigation remains the only effective measure.
```bash
apt update && apt upgrade pve-kernel-$(uname -r)
# Or use the Proxmox upgrade tool:
pveupgrade
```
Status: Proxmox Forum · Roadmap
RHEL 8: 4.18.0-553.123.1 · RHEL 9: 5.14.0-611.54.1 · RHEL 10: 6.12.0-124.55.1
```bash
dnf update kernel
# After reboot:
rm /etc/modprobe.d/disable-algif-aead.conf
```
Status: Red Hat Security Advisory
```bash
pacman -Syu linux linux-headers
# After reboot, remove the mitigation:
rm /etc/modprobe.d/disable-algif-aead.conf
```
```bash
dnf update kernel
# After reboot:
rm /etc/modprobe.d/disable-algif-aead.conf
```
After the Kernel Update
Once a patched kernel is installed and the system has been rebooted, the temporary block must be removed – so that legitimate applications using AF_ALG AEAD continue to work:
```bash
# Verify the new kernel version
uname -r
# Remove the mitigation (only once the kernel is patched!)
rm /etc/modprobe.d/disable-algif-aead.conf
# The module block is now lifted
```
Sources & Further Reading
- copy.fail – Official disclosure page
- xint.io – CopyFail: Affected Linux Distributions
- oss-security mailing list – Full Disclosure
- Ubuntu Security Blog – Fixes available
- Debian Security Tracker – CVE-2026-31431
- AlmaLinux Blog – Copy Fail Patches Released
- Microsoft Security Blog – CVE-2026-31431 in Cloud Environments
- CERT-EU Security Advisory 2026-005