SlowMist warning: The Linux Copy Fail vulnerability is extremely easy to exploit; it’s recommended to upgrade the kernel as soon as possible.

Linux Copy Fail漏洞

According to SlowMist’s Chief Information Security Officer 23pds, who posted on X on April 30, a logic vulnerability named “Copy Fail” (CVE-2026-31431) was found in Linux systems. It is highly exploitable, and SlowMist advises users to quickly upgrade the kernel.

Basic Vulnerability Information and Affected Scope

According to a technical report dated April 29 by the Xint Code research team, CVE-2026-31431 is a logic vulnerability in the Linux kernel’s authenticated encryption with associated data (AEAD) template algif_aead.c. By chaining calls using the AF_ALG + splice() functions, it allows non-privileged local users to perform deterministic controlled 4-byte writes to the page cache of arbitrary system-readable files, and then obtain root privileges by corrupting setuid binary executables.

According to the Xint Code report, tested and confirmed affected distributions and kernel versions include:

Ubuntu 24.04 LTS: kernel 6.17.0-1007-aws

Amazon Linux 2023: kernel 6.18.8-9.213.amzn2023

RHEL 10.1: kernel 6.12.0-124.45.1.el10_1

SUSE 16: kernel 6.12.0-160000.9-default

According to the Xint Code report, the root cause of this vulnerability is an in-place AEAD optimization introduced in 2017 in algif_aead.c (commit 72548b093ee3). This results in the splice()-sourced page cache pages being placed into a writable scattered list, which—together with the temporary write operations of the authenticsn AEAD wrapper—forms an exploitable path.

Coordinated Disclosure Timeline and Mitigation Measures

According to the timeline disclosed by Xint Code on April 29, CVE-2026-31431 was reported to the Linux kernel security team on March 23, 2026. A patch (a664bf3d603d) was completed for review on March 25, submitted to the mainline kernel on April 1, assigned the CVE on April 22, and publicly disclosed on April 29.

According to the Xint Code report, mitigation measures include: updating the distribution’s kernel software packages (mainstream distributions should release this patch through normal kernel updates). For immediate mitigation, you can prevent AF_ALG socket creation via seccomp, or execute the following command to add the algif_aead module to a blacklist: echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf.

According to the Xint Code report, this vulnerability also affects scenarios across container boundaries, because the page cache is shared by the host. Related impacts from Kubernetes container escape will be disclosed in the second part.

Frequently Asked Questions

What is the impact scope of CVE-2026-31431?

According to the April 29 report from Xint Code and the April 30 alert from SlowMist’s 23pds, CVE-2026-31431 affects nearly all mainstream Linux distributions released since 2017, including Ubuntu, Amazon Linux, RHEL, and SUSE. A 732-byte Python script can obtain root privileges without needing elevated privileges.

What is the temporary mitigation method for this vulnerability?

According to the April 29 report from Xint Code, it can be mitigated immediately by blocking AF_ALG socket creation via seccomp, or by running: echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf to add the algif_aead module to a blacklist.

When was the patch for CVE-2026-31431 released?

According to the disclosure timeline provided by Xint Code on April 29, the patch (a664bf3d603d) was submitted to the Linux mainline kernel on April 1, 2026. Mainstream distributions should release this patch via normal kernel software package updates.

Disclaimer: The information on this page may come from third-party sources and is for reference only. It does not represent the views or opinions of Gate and does not constitute any financial, investment, or legal advice. Virtual asset trading involves high risk. Please do not rely solely on the information on this page when making decisions. For details, see the Disclaimer.
Comment
0/400
No comments