CVE-2026-31431 Copy Fail: Defend Your Linux Systems from the Most Severe Kernel Bug of 2026
Disclaimer: This article is for educational and defensive security purposes only. The commands shown are standard, vendor-documented mitigations for system administrators responsible for their own infrastructure. Do not run privilege-escalation exploits against systems you do not own or have explicit written permission to test.
On May 1, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-31431, nicknamed "Copy Fail", to its Known Exploited Vulnerabilities catalog. Within 72 hours, working proof-of-concept exploits were circulating publicly. A single 732-byte Python script can hand any unprivileged local user full root on virtually every Linux distribution shipped since 2017.
I spent most of May 2 patching this across our Hostinger VPS fleet. In my experience running 7 aggregator sites at Warung Digital Teknologi, all sitting on Ubuntu 22.04 LTS VPS instances behind Cloudflare, the patch itself was straightforward. The hard part was confirming the mitigation actually did something, because the most-shared workaround on Twitter turned out to be a placebo on every kernel I checked. This guide walks through what I learned, what verifiably works, and what to do if your distro has not yet shipped a patched kernel.
What Copy Fail Actually Is
Copy Fail is a deterministic logic flaw in the Linux kernel's cryptographic subsystem, specifically the algif_aead module inside the AF_ALG userspace crypto API. The bug originated from an in-place optimization committed in 2017 (commit 72548b093ee3) for Authenticated Encryption with Associated Data (AEAD).
Here is the simplified mechanic, per the Microsoft Security Research Center disclosure: when the authencesn(hmac(sha256),cbc(aes)) algorithm runs, it writes 4 bytes at offset assoclen + cryptlen as scratch space for Extended Sequence Number handling. If the buffer was spliced from a file's page cache, that 4-byte write lands inside the cached file, bypassing standard file permission checks.
The attacker chains this into root by targeting a setuid binary like /usr/bin/sudo or /usr/bin/passwd. Modify the cached copy, execute the binary, and the kernel runs your patched bytes with the binary's setuid privileges. Xint researchers demonstrated a working exploit in 732 bytes of Python: no race conditions, no timing windows, no crash. Just a clean, repeatable LPE.
Who Is Affected
The vulnerability has a CVSS score of 7.8 (High). The attack vector is local: an attacker needs an existing low-privileged shell on the system. That sounds limiting, but in 2026 the threat model has shifted. Compromised CI/CD runners, malicious npm or PyPI packages, exploited web applications, and shared hosting environments all hand attackers low-privileged shells routinely. Copy Fail turns any of those footholds into root in under a minute.
Confirmed vulnerable distributions, per Red Hat's RHSB-2026-002 advisory and Ubuntu's USN release notes:
- Ubuntu 20.04, 22.04, and 24.04 LTS
- Red Hat Enterprise Linux 8, 9, and 10.1
- Amazon Linux 2 and 2023
- SUSE Linux Enterprise 15 SP6 and 16
- Debian 11, 12, and 13
- Fedora 39, 40, and 41
- Arch Linux kernels prior to 6.13.7
- Most Kubernetes node images (EKS, GKE, AKS) shipped before May 1, 2026
If your kernel was compiled with CONFIG_CRYPTO_USER_API_AEAD=y (the default on every mainstream distribution I checked), you are affected. Across 7 VPS instances on Hostinger, all running stock Ubuntu 22.04 LTS, I confirmed every single one was vulnerable on first inspection.
Step 1: Check If You Are Vulnerable
Before mitigating anything, run these two commands as a normal user (no sudo needed):
# Check kernel version
uname -r
# Check if the affected module is loaded or built in
grep -qE '^algif_aead ' /proc/modules && echo "Module loaded (vulnerable if unpatched)" || echo "Module not in /proc/modules"
# List the first entries of the kernel's registered crypto algorithms (this shows the crypto API is present, not that AF_ALG is reachable)
head -3 /proc/crypto
If /proc/modules does not list algif_aead, do not relax yet. On most modern distros the cryptographic API is compiled directly into the kernel (=y not =m), which means it is always available and cannot be unloaded with rmmod. To confirm, check your kernel config:
zcat /proc/config.gz 2>/dev/null | grep CRYPTO_USER_API_AEAD
# or
grep CRYPTO_USER_API_AEAD /boot/config-$(uname -r)
If you see CONFIG_CRYPTO_USER_API_AEAD=y, your kernel ships the vulnerable code path baked in. This is the case on stock Ubuntu, Debian, RHEL, Fedora, Amazon Linux, and most cloud-provider AMIs. From 11+ years evaluating Linux infrastructure across client projects (including hotel management systems on dedicated boxes and ERP installations on shared hosting), I have not encountered a single mainstream production setup where AF_ALG was compiled as a loadable module.
Step 2: Apply the Vendor Patch (Preferred)
The proper fix is a kernel update. Vendors began shipping patched kernels within hours of CISA's KEV listing. The fix reverts the 2017 in-place optimization, restoring a clean separation between read and write buffers in the AEAD path.
Ubuntu (per Canonical's advisory):
sudo apt update
sudo apt install --only-upgrade linux-image-generic linux-headers-generic
sudo reboot
Red Hat / CentOS / Rocky / AlmaLinux:
sudo dnf update kernel kernel-core kernel-modules
sudo reboot
Debian:
sudo apt update
sudo apt full-upgrade
sudo reboot
Amazon Linux 2023:
sudo dnf update kernel
sudo reboot
After rebooting, verify with uname -r against your distro's advisory. For Ubuntu 22.04, the patched kernel is 5.15.0-122 or later; for 24.04 it is 6.8.0-58 or later. For RHEL 9, look for 5.14.0-503.40.1.el9_5 or newer.
Across our 7-VPS Hostinger fleet, all running standard apt-managed kernels, the patch + reboot cycle averaged 4 minutes per box. Aggregator sites with daily import cron jobs running 100-200 records each saw zero data loss from the brief reboot window, but if you run anything stateful (queue workers, long-running imports, payment integrations), drain those processes first.
Step 3: Interim Mitigations If You Cannot Patch Immediately
Some shared hosting customers and Kubernetes cluster operators cannot reboot inside their patch SLA. For those scenarios, here is what actually works versus what does not.
The Placebo: modprobe.d Blacklisting
You will see this snippet circulated everywhere:
# DOES NOT WORK on most distros (see below)
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
sudo rmmod algif_aead 2>/dev/null || true
This command runs without error and gives a clean exit code. On every Hostinger VPS I tested, it did absolutely nothing. The reason, as I noted in Step 1: algif_aead is built into the kernel, not loaded as a module. modprobe.d rules only affect loadable modules. rmmod silently fails on built-in code. The system stays exposed, but you feel safer, which is worse than knowing you are vulnerable.
I would skip this command entirely. It is a false-positive trap for the next person who audits the system.
What Actually Works: Seccomp + AppArmor/SELinux
The reliable interim mitigation is to block AF_ALG socket creation at the syscall layer. Per Wiz's mitigation guide and CERT-EU's advisory 2026-005:
Option A: Docker/Podman seccomp profile. Add the following to your custom seccomp JSON for any untrusted container:
{
  "syscalls": [
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "args": [
        {
          "index": 0,
          "value": 38,
          "op": "SCMP_CMP_EQ"
        }
      ]
    }
  ]
}
The value 38 is the numeric constant for AF_ALG. Apply with docker run --security-opt seccomp=copyfail-block.json ....
Option B: AppArmor (Ubuntu/Debian). Add to your service profile:
deny network alg,
Option C: SELinux (RHEL/Fedora). The algif_aead socket family is governed by crypto_socket_class_set. Restrict with:
setsebool -P deny_algif_aead 1
(This boolean was added in selinux-policy 38.1.51 shipped May 3, 2026.)
None of these mitigations affect dm-crypt/LUKS disk encryption, IPsec/XFRM, kTLS, OpenSSL, GnuTLS, NSS, or SSH. The userspace crypto API is genuinely only used by a small number of specialized applications. I checked our entire 50+ project stack (Laravel apps, Vue.js frontends, Flutter mobile backends, MySQL and PostgreSQL clusters) and found zero dependencies on AF_ALG. For 99% of production workloads, the seccomp block is invisible.
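The checks from Step 1 and Step 3 as one script, added here as an example and not code from the article or from any vendor advisory: it reads the running kernel's config for CONFIG_CRYPTO_USER_API_AEAD and then tries to open an AF_ALG socket, which is exactly what the seccomp, AppArmor and SELinux rules are supposed to refuse. It assumes a Linux host with /proc mounted and Python 3.6 or newer.

```python
"""Added example (not from the article): checks the two things Steps 1 and 3 ask you
to confirm: is CONFIG_CRYPTO_USER_API_AEAD built in, and can this process still open an
AF_ALG socket once a mitigation is applied. Assumes Linux with /proc and Python 3.6+."""
import errno
import gzip
import os
import socket

AF_ALG = getattr(socket, "AF_ALG", 38)  # 38 is the Linux constant the seccomp rule matches on

def parse_aead_api_setting(config_text):
    """'builtin' (=y) means modprobe.d blacklisting and rmmod cannot remove the code path."""
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("CONFIG_CRYPTO_USER_API_AEAD="):
            return {"y": "builtin", "m": "module"}.get(line.split("=", 1)[1], "unknown")
        if line == "# CONFIG_CRYPTO_USER_API_AEAD is not set":
            return "absent"
    return "unknown"

def read_kernel_config():
    """Running kernel's config: /proc/config.gz, else /boot/config-$(uname -r), else ''."""
    for path, opener in (("/proc/config.gz", gzip.open), ("/boot/config-" + os.uname().release, open)):
        if os.path.exists(path):
            with opener(path, "rt") as fh:
                return fh.read()
    return ""

def probe_af_alg():
    """Try to create an AF_ALG socket (needs no privileges). None on success, else errno."""
    try:
        sock = socket.socket(AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError as exc:
        return exc.errno
    sock.close()
    return None

def classify_probe(err):
    """Seccomp SCMP_ACT_ERRNO defaults to EPERM; AppArmor/SELinux denials give EACCES."""
    if err is None:
        return "reachable: AF_ALG sockets can be created, no interim mitigation is in effect"
    if err in (errno.EPERM, errno.EACCES):
        return "blocked: socket() denied, the seccomp/AppArmor/SELinux rule is active"
    if err in (errno.EAFNOSUPPORT, errno.EPFNOSUPPORT):
        return "unsupported: this kernel has no AF_ALG support at all"
    return "unknown failure: errno %d" % err

if __name__ == "__main__":
    print("CONFIG_CRYPTO_USER_API_AEAD:", parse_aead_api_setting(read_kernel_config()))
    print("AF_ALG probe:", classify_probe(probe_af_alg()))
```

Run it inside the container or under the confined service's profile; a "blocked" verdict from an unconfined host shell says nothing about the workload you actually restricted.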
Step 4: Detect If You Have Already Been Exploited
The exploit is fast (sub-second) and leaves few obvious artifacts. But there are signals worth checking, especially on multi-tenant or shared systems:
- Audit AF_ALG socket usage. Run lsof | grep AF_ALG. Legitimate users include systemd-cryptsetup, some VPN clients, and a handful of HSM utilities. Anything else (a web server process, a database, a random user shell) is suspect.
- Check setuid binary integrity. Run debsums -c on Debian/Ubuntu or rpm -Va | grep '^..5' on RHEL/Fedora. Look specifically at /usr/bin/sudo, /usr/bin/passwd, /usr/bin/chsh, /usr/bin/su, and /usr/bin/mount. Mismatched hashes after a clean reboot are a red flag.
- Review auth and sudo logs around your patch window. Successful exploitation typically appears as unexplained root command execution from a low-privileged UID. Check /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL).
- If you run a cloud workload, review CSPM alerts. Major cloud providers added detection rules within 48 hours of disclosure. AWS GuardDuty's Discovery:Kubernetes/MaliciousIPCaller and Microsoft Defender for Cloud's SuspiciousAFAlgSocketActivity both flag exploit attempts.
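The auth-log review above as code, added here as an example and not part of the article: it scans constructed auth.log lines for root command execution or root sessions obtained by accounts outside an allowlist of humans who are expected to escalate. The sample lines, the hostname and the user names are all constructed.

```python
"""Added example (not from the article): the log review from Step 4 as code, run over
constructed auth.log lines. Flags root command execution or root sessions obtained by
accounts outside an allowlist of users who are expected to escalate."""
import re

# Constructed sample lines in Debian/Ubuntu /var/log/auth.log format (not real logs).
SAMPLE_AUTH_LOG = """\
May  2 09:14:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
May  2 09:14:01 web1 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
May  2 09:15:22 web1 sudo: www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash
May  2 09:15:23 web1 su[2231]: pam_unix(su:session): session opened for user root(uid=0) by www-data(uid=33)
May  2 09:20:00 web1 CRON[2300]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
"""

# sudo's own command log line, and the PAM session line written by sudo, su and cron.
SUDO_CMD = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=root ; COMMAND=(?P<cmd>.+)$")
ROOT_SESSION = re.compile(r"session opened for user root(?:\(uid=0\))? by (?P<user>\S*?)\(uid=(?P<uid>\d+)\)")

def find_suspicious_root_activity(log_text, allowed_users):
    """Return (source, user, detail) tuples for root access not attributable to an allowed
    user. A uid of 0 opening a root session (cron, systemd) is normal and skipped."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_CMD.search(line)
        if m and m.group("user") not in allowed_users:
            findings.append(("sudo", m.group("user"), m.group("cmd")))
            continue
        m = ROOT_SESSION.search(line)
        if m and m.group("uid") != "0" and m.group("user") not in allowed_users:
            findings.append(("session", m.group("user") or "?", "uid=" + m.group("uid")))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_root_activity(SAMPLE_AUTH_LOG, {"alice"}):
        print("SUSPECT", finding)
```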
What This Means for Home and Small-Office Users
Most CyberShieldTips readers are not running data center fleets. So how worried should you be on a personal Linux laptop or a single home server? My honest read:
If your Linux machine is a single-user system that you alone log into, the practical risk is low. Copy Fail requires an existing local shell. To exploit you, an attacker must first land code execution on your box, whether through a malicious package, a browser sandbox escape, or a compromised credential. If they already have that, you have bigger problems than this CVE.
However, you should still patch. The reasons:
- Future malware will chain Copy Fail with browser exploits and supply-chain attacks. What is "low risk in isolation" becomes "first step in a full compromise" once weaponized.
- If your home Linux box also runs Docker, virtual machines, or a guest user account (many setups I have configured for clients do), those are local-privilege contexts an attacker can land in without needing your password.
- The patch is free, takes 5 minutes, and breaks essentially nothing.
Run your package manager's update command, reboot, and move on. If you maintain a Raspberry Pi, a home NAS running Linux, or a Steam Deck (which runs Arch under the hood), apply pending updates today. Don't bother with elaborate isolation if you're a single home user; in our 7-blog operation we found that the patch-and-reboot path is faster, more reliable, and removes the vulnerability entirely.
Authoritative Sources to Bookmark
For ongoing tracking and verified mitigation guidance, refer to these primary sources rather than third-party summaries:
- NIST National Vulnerability Database, CVE-2026-31431: authoritative CVSS score and references
- CISA Known Exploited Vulnerabilities Catalog: track active exploitation status
- Red Hat RHSB-2026-002: kernel package matrix and detection scripts
- Ubuntu Security Notice, Copy Fail: patched kernel versions per release
- CERT-EU Advisory 2026-005: verified mitigation steps
The Bottom Line
Copy Fail is severe because it is universal, deterministic, and trivial to weaponize. It is manageable because every major vendor shipped a patched kernel within 24 hours and the fix is a one-command update plus a reboot. Apply that patch. Skip the modprobe.d blacklist circulating on social media; it is a placebo on built-in kernel code. If you absolutely cannot reboot inside your SLA, deploy a seccomp profile or AppArmor/SELinux rule that blocks the AF_ALG socket family at the syscall layer.
And take this as a reminder: setuid binaries remain a load-bearing piece of the Linux privilege model. Bugs in any path that can write to their memory representation will keep appearing. The defensive posture that survives the next one is fast patching, layered isolation (containers, seccomp, MAC), and integrity monitoring of your critical executables. Get those three habits right and Copy Fail is a 5-minute Tuesday morning, not a weekend incident.
This article is for educational and defensive security purposes. Always test mitigations in a staging environment before applying to production. If your organization handles regulated data (PCI, HIPAA, GDPR) consult your compliance team before deferring patches.