Listen to this Post

Introduction
A logic flaw introduced in a kernel optimization eight years ago—CVE‑2026‑31431, dubbed “Copy Fail”—has remained exploitable across virtually every Linux distribution, requiring neither a race condition nor per‑distribution tuning. The attack, which leverages the kernel’s crypto API (AF_ALG) and the `splice()` system call to perform a controlled 4-byte write into the page cache of any readable file, transforms a low‑privileged user account into a full root shell in a single shot.
Learning Objectives
- Understand the technical chain of the Copy Fail vulnerability: `AF_ALG` + `splice()` → page‑cache corruption → setuid binary hijack.
- Identify affected Linux distributions, kernels (4.14–6.18), and high‑risk environments such as Kubernetes, CI/CD runners, and multi‑tenant hosts.
- Apply immediate mitigation (disable
algif_aead) and patch management strategies, including permanent fixes, seccomp policies, and detection techniques. - Recognize the limitations of traditional file integrity monitoring against transient page‑cache corruption.
You Should Know
- How a 732‑Byte Python Script Roots a System (And Why It Works on Almost Every Linux)
Copy Fail stems from an in‑place optimization added to `algif_aead.c` in 2017 (commit 72548b093ee3). When the kernel processes an AEAD decryption request via an `AF_ALG` socket, the `authencesn` template writes 4 bytes past the intended output region. If the source data comes from the page cache via splice(), those 4 bytes land directly on a cached file page—bypassing VFS, leaving the disk untouched, and never marking the page dirty.
The public PoC, only 732 bytes of Python, hardcodes no offsets and requires no per‑distribution tuning. The default target is /usr/bin/su, but any setuid‑root binary (e.g., passwd, chsh, mount, sudo) works. The script writes 4 attacker‑chosen bytes into the page‑cached copy of the binary; the next time the binary is executed, it grants a root shell.
Key properties that distinguish Copy Fail from classic LPEs:
– No race condition (straight‑line code)
– No per‑distro offsets or version checks
– 100% reliability in a single attempt
– Affects a 9‑year window (2017 → 2026)
Hands‑on: Verify Exposure (Safe, Passive Checks)
The following commands assess whether your system is within the vulnerable range. Do not run the exploit on production systems.
1. Check kernel version (vulnerable range: 4.14 ≤ version < 6.18.22) uname -r <ol> <li>Check if the algif_aead module is loadable or loaded modinfo algif_aead | grep -E "filename|depends" lsmod | grep algif_aead</p></li> <li><p>Detect existing AF_ALG sockets (indicates potential use) lsof | grep AF_ALG ss -xa | grep alg
- Linux (Debian/Ubuntu/RHEL‑family):
`grep -i “alg” /proc/net/protocols` – look for entries with `alg` protocol.
2. Immediate Mitigation: Disabling the AF_ALG Attack Surface
Until a patched kernel is installed, disabling the vulnerable `algif_aead` module is the recommended temporary mitigation. The module is not required for most production workloads (dm‑crypt, LUKS, kTLS, IPsec, OpenSSL default builds, SSH are unaffected).
Step‑by‑Step: Disable `algif_aead` (All Linux Distributions)
- Create the modprobe blacklist configuration (persistent across reboots):
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
2. Unload the module if already loaded:
sudo rmmod algif_aead 2>/dev/null || true
3. Verify the module is no longer available:
lsmod | grep algif_aead modprobe --show-config | grep algif_aead
- Test that the mitigation does not break critical applications (optional but recommended):
– For OpenSSL: ensure the `afalg` engine is not explicitly enabled (default is no-afalgeng).
– Check for processes using `AF_ALG` sockets: sudo lsof | grep AF_ALG.
- Reboot to confirm persistence – the module should remain disabled on startup.
Note: On kernels where `CONFIG_CRYPTO_USER_API_AEAD` is built‑in (not as a module), this mitigation does not work. In that case, the only fix is a kernel update or a seccomp policy that blocks `AF_ALG` socket creation.
- Hardening Containers and CI/CD Environments Against Page‑Cache Attacks
Because the page cache is shared between the host and its containers, unauthorised code running inside a pod can corrupt a setuid binary in the host page cache and escape the container. This makes Copy Fail a container‑escape primitive, not just a local privilege escalation. The same risk applies to GitHub Actions self‑hosted runners, GitLab runners, and any CI system that executes untrusted PR code on a shared kernel.
Seccomp Policy to Block `AF_ALG` Socket Creation
A seccomp profile that denies the `socket()` system call with `AF_ALG` family (40) stops the attack at the source. Below is a minimal policy for Docker/containerd.
Docker daemon configuration (`/etc/docker/daemon.json`):
{
"seccomp-profile": "/path/to/afalg-block.json"
}
Example seccomp policy (afalg-block.json) – block `socket` with AF_ALG:
{
"defaultAction": "SCMP_ACT_ALLOW",
"architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
"syscalls": [
{
"names": ["socket"],
"action": "SCMP_ACT_ALLOW",
"args": [
{
"index": 0,
"value": 40,
"op": "SCMP_CMP_NE"
}
]
}
]
}
Apply to a container:
docker run --security-opt seccomp=afalg-block.json your-image
Kubernetes: Use a pod‑security‑standard (restricted) profile that enforces seccomp, or deploy a mutating admission webhook to inject the policy. The open‑source `algif_aead` remediator DaemonSet automatically blocks the module on cluster nodes.
Checklist for CI/CD Hardening
- ✅ Patch runner kernels to the earliest possible fix (≥ 6.18.22, ≥ 6.19.12, or ≥ 7.0).
- ✅ If patching is impossible, disable the `algif_aead` module on runner host images.
- ✅ Isolate untrusted PR workloads in ephemeral VMs (e.g., GitHub larger runners) instead of shared‑kernel containers.
- ✅ Monitor runner logs for `AF_ALG` socket creation attempts.
- Why Traditional File Integrity Monitoring (FIM) Cannot Be Trusted
Standard FIM tools (AIDE, Tripwire, `sha256sum` baselines) read files via read(), which goes through the page cache—the same path `execve` uses. During the attack window, the cached copy is corrupted, so the hash differs from the baseline. However, because the corruption never touches the disk, three things happen:
- The disk image remains unmodified; an offline forensic image shows the original, safe file.
- Dropping caches (
echo 3 > /proc/sys/vm/drop_caches) or a reboot evicts the corrupted page, reloading the clean file from disk. - After eviction, the hash matches again, and there is no persistent evidence of the compromise.
Detection workaround: Run integrity scanners on a read‑only mount or from a different mount namespace to force a cache‑bypassing read. Alternatively, enable IMA appraisal in enforcing mode with ima_policy=measure. IMA measures the file at `execve` time, before the corrupted binary runs.
Example: Force a Cache‑Bypassing Check with `dd`
Flush the kernel page cache for the target file sudo dd if=/target/file of=/dev/null bs=1M iflag=nocache Then run your integrity tool sha256sum /target/file
For production, script periodic checks with `iflag=direct` or use `cat /proc/sys/vm/drop_caches` (requires root) before scanning.
5. Permanent Fixes: Patching and Vendor Status
The upstream fix is mainline commit a664bf3d603d, which reverts the 2017 in‑place optimization. All kernels built since 2017 up to the following fixed versions are vulnerable.
| Fixed Kernel Version | Notes |
|-|-|
| ≥ 6.18.22 | First stable branch fix |
| ≥ 6.19.12 | |
| ≥ 7.0 | Mainline commit `a664bf3d603d` |
Check if Your Kernel is Fixed
Compare your kernel version against the fixed versions uname -r Example output: 6.12.0-124.45.1.el10_1 → vulnerable (below all fixed versions)
Vendor status (as of April 30, 2026) – no distribution had yet shipped a fully patched kernel package. CERT‑EU strongly recommended applying the interim mitigation immediately, prioritising Kubernetes nodes and CI/CD runners exposed to untrusted workloads.
Patch Application Steps
1. Subscribe to your distribution’s security bulletin.
- As soon as a patched kernel package is available, update:
Debian/Ubuntu sudo apt update && sudo apt upgrade linux-image-$(uname -r) RHEL/Fedora sudo dnf update kernel SUSE sudo zypper patch
3. Reboot into the new kernel and verify:
uname -r Confirm version ≥ fixed threshold
4. Remove the temporary modprobe mitigation once the patched kernel is running.
6. Exploit Detection and IOCs (Indicators of Compromise)
Copy Fail leaves no permanent artifacts on disk, but during the attack window, several observable signals appear:
- Unusual `AF_ALG` socket activity: Monitor `lsof | grep AF_ALG` and
ss -xa | grep alg. - Race condition in kernel logs (rare): The exploit triggers the `-EBADMSG` error path in
authencesn_decrypt(). Look for `algif_aead:` or `cryptd:` messages. - Page‑cache integrity mismatches: If you have a running FIM baseline, a full file read (e.g.,
cat /usr/bin/su > /dev/null) will temporarily show a changed hash.
Example: Passive Detection Script (Safe)
The following Python snippet checks for the presence of the vulnerable `algif_aead` path without triggering the bug:
import os
import socket
import errno
def is_afalg_accessible():
try:
s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
s.bind(('aead', 'authencesn(hmac(sha256),cbc(aes))'))
return True
except PermissionError:
return False blocked by seccomp or capability
except OSError as e:
if e.errno == errno.ENOENT:
return False algorithm not supported
raise
if <strong>name</strong> == "<strong>main</strong>":
print("AF_ALG accessible:", is_afalg_accessible())
For production monitoring, integrate a SIEM rule that alerts whenever a non‑privileged process creates an `AF_ALG` socket, especially on CI runners or container hosts.
What Undercode Say
- The era of “race‑dependent LPE” is ending. Copy Fail demonstrates that deterministic, one‑shot exploits are becoming the new norm. Defences must evolve from probabilistic mitigations (e.g., KASLR, opportunistic checks) to architectural isolation.
- Page‑cache attacks are the next frontier. Traditional FIM is nearly useless against transient in‑memory corruption. Organisations should invest in IMA, auditd, and eBPF‑based runtime detection that monitors `execve` paths, not just disk hashes.
- Containers do not imply isolation. The shared page cache breaks one of the key assumptions behind container security. Runtime policies (seccomp, AppArmor, LSMs) are not optional; they are mandatory for multi‑tenant clusters. A single unpatched node puts all tenants at risk.
Prediction
Copy Fail will likely be weaponised by ransomware groups and APTs within weeks, especially against CI/CD pipelines and managed Kubernetes services. Because the attack leaves no disk forensic evidence, incident responders will struggle to distinguish a clean system from a post‑exploit roothold. Providers that fail to rapidly backport the fix will face critical‑severity breaches. In the long term, this vulnerability will drive mainstream adoption of seccomp‑by‑default and immutable infrastructure, where even a root compromise is ephemeral and cannot persist across reboots.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Lorentzmichael A%C3%AFe – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


