Security researchers have disclosed a serious vulnerability in the Linux kernel known as Copy Fail (CVE-2026-31431), which allows an unprivileged local user to write four controlled bytes into the page cache of any readable file and, through that, escalate privileges to root. The flaw lies in the logic of the kernel's cryptographic subsystem, specifically in the algif_aead module, and stems from a code change made in August 2017, which means many distributions have been exposed for years.
What sets Copy Fail apart from other flaws is its simplicity and portability: the researchers demonstrated a Python exploit of just 732 bytes capable of injecting code into a setuid binary (for example, /usr/bin/su) and running it with administrator privileges. No remote exploitation or complex race conditions are needed; the technique relies on how an AEAD operation over an AF_ALG socket can end up writing to a page-cache page at a destination the controlling process can influence, and then uses splice() so that the write lands in the target file's page cache.

From an operational perspective, this has critical implications for shared servers and container environments: the page cache is a structure shared between processes, so a user confined to a container or a worker on a multi-user server can potentially affect binaries on the host system. Cloud providers and multi-tenant infrastructure operators should treat the vulnerability as a high risk to the integrity of isolated environments and roll out mitigations urgently.
Distribution maintainers have already published advisories and patches; the correct and definitive mitigation path is to apply the kernel updates provided by your vendor (Amazon, Red Hat, SUSE, Debian, Ubuntu, among others). You can consult the official entry in the vulnerability database for technical details and patch references at NVD - CVE-2026-31431 and review the affected code in the official kernel tree on git.kernel.
While waiting for the patch, or in environments where an immediate reboot is not possible, there are temporary measures that security teams should weigh carefully: check whether the algif_aead module is loadable and, where possible, unload it (modprobe -r) on systems that allow it; restrict access for untrusted local accounts and minimize the number of users permitted to operate AF_ALG sockets; and, in container environments, review the isolation policies, seccomp limits and capabilities that could facilitate such attacks. Note that some "quick" mitigations, such as removing the setuid bit from critical utilities, affect functionality and should be used only with a recovery plan.

Beyond applying the fixes, it is important to investigate possible indicators of compromise: check the integrity of setuid binaries with package verification tools (rpm -V, debsums, etc.), review execution and audit logs (auditd) for unusual execve calls on sensitive binaries, and look for unexpected changes in /usr/bin and other system directories. Managed environments and cloud services should prioritize rotating images and updating nodes in a coordinated way to avoid exposure windows.
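As an added example (not code from the article, the kernel project or any distribution), the following POSIX shell helper implements the checks recommended in this and the previous paragraph: whether algif_aead shows up in /proc/modules, a filter over `rpm -Va` output that keeps only size, mode or digest changes and missing files, a scan of auditd SYSCALL records for successful execve of a given binary, and a listing of setuid files under /usr/bin. The `--live` flag, the /var/log/audit/audit.log path and all `SAMPLE_*` data are assumptions or constructed for the demo; the rpm -V flag letters (S, M, 5, T) and the auditd field names are the tools' standard output formats.

```shell
#!/bin/sh
# Post-disclosure triage helper for the checks the article recommends
# (module status, setuid-binary integrity, auditd review).
# Added example, not code from the article or from any distribution.
# Assumes Linux with /proc/modules, POSIX awk/grep/find, and either
# rpm or debsums. All SAMPLE_* data below is constructed for the demo.

# module_loaded NAME  (reads /proc/modules text on stdin) -> prints yes|no
module_loaded() {
    if grep -q "^$1 "; then echo yes; else echo no; fi
}

# rpm_modified_paths  (reads `rpm -Va` output on stdin)
# Prints paths whose size (S), mode (M) or digest (5) differ from the
# package, or that are missing; a changed mtime (T) alone is ignored.
rpm_modified_paths() {
    awk '{
        f = substr($1, 1, 9)
        if ($1 == "missing" || index(f, "S") || index(f, "M") || index(f, "5")) print $NF
    }'
}

# audit_execs_of EXE  (reads auditd log lines on stdin)
# Prints "<epoch> <auid> <uid> <exe>" for each successful execve of EXE,
# accepting raw (syscall=59) and ausearch -i (syscall=execve) forms.
audit_execs_of() {
    awk -v want="$1" '
        /type=SYSCALL/ && /success=yes/ && (/ syscall=59 / || / syscall=execve /) {
            ts = ""; auid = ""; uid = ""; exe = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "msg=audit(") == 1) ts = substr($i, 11)
                if (index($i, "auid=") == 1)      auid = substr($i, 6)
                if (index($i, "uid=") == 1)       uid = substr($i, 5)
                if (index($i, "exe=") == 1)       exe = substr($i, 5)
            }
            sub(/[:)].*/, "", ts)          # keep seconds.millis only
            gsub(/"/, "", exe)
            if (exe == want) print ts, auid, uid, exe
        }'
}

# live_checks: run the same review against this host (root is needed for
# complete rpm -Va / debsums output and to read the audit log). Unloading
# the module (modprobe -r algif_aead, as the article suggests) is left to
# the operator once the output has been reviewed.
live_checks() {
    echo "algif_aead loaded: $(module_loaded algif_aead < /proc/modules)"
    echo "setuid binaries under /usr/bin:"
    find /usr/bin -perm -4000 -type f
    if command -v rpm >/dev/null 2>&1; then
        echo "package-verified changes (rpm -Va):"
        rpm -Va 2>/dev/null | rpm_modified_paths
    elif command -v debsums >/dev/null 2>&1; then
        echo "package-verified changes (debsums -c):"
        debsums -c 2>/dev/null
    fi
    if [ -r /var/log/audit/audit.log ]; then          # assumed default path
        echo "execve of /usr/bin/su recorded by auditd:"
        audit_execs_of /usr/bin/su < /var/log/audit/audit.log
    fi
}

# Constructed sample data (not captured from a real host).
SAMPLE_MODULES='algif_aead 16384 0 - Live 0x0000000000000000
af_alg 32768 1 algif_aead, Live 0x0000000000000000'
SAMPLE_RPM_V='S.5....T.    /usr/bin/su
.......T.    /usr/bin/passwd
missing     /usr/bin/newgrp'
SAMPLE_AUDIT='type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1235 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 tty=pts0 ses=3 comm="su" exe="/usr/bin/su" key="setuid-exec"
type=EXECVE msg=audit(1700000000.123:456): argc=1 a0="su"
type=SYSCALL msg=audit(1700000001.001:457): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1236 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key=(null)'

# demo: run every check over the constructed samples.
demo() {
    echo "algif_aead loaded (sample): $(printf '%s\n' "$SAMPLE_MODULES" | module_loaded algif_aead)"
    echo "modified or missing package files (sample):"
    printf '%s\n' "$SAMPLE_RPM_V" | rpm_modified_paths
    echo "execve of /usr/bin/su (sample):"
    printf '%s\n' "$SAMPLE_AUDIT" | audit_execs_of /usr/bin/su
}

if [ "${1:-}" = "--live" ]; then live_checks; else demo; fi
```

Run it without arguments to see the filters work on the constructed samples, or with `--live` as root to review the local host. The rpm filter deliberately drops mtime-only differences, which are routine after normal package operations, so that what remains is the short list of setuid candidates whose content or mode actually changed; cross-referencing that list with the auditd output shows who executed a flagged binary and when.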
The recurrence of flaws that manipulate the page cache (recall that Copy Fail follows earlier vulnerabilities such as Dirty Pipe) shows that performance optimizations in the kernel can introduce long-lived attack vectors. For development teams and operators the lesson is twofold: on the one hand, maintain fast patching cycles and regression tests that include security cases; on the other, strengthen least-privilege policies and defensive design to minimize the impact of local exploits.
If you manage Linux systems, prioritize applying your distribution's security bulletins and schedule controlled reboots after the kernel update. Keep watch on your vendor's official channels and vulnerability databases, and plan a post-patch audit to detect any prior abuse. Coordination between security teams, operations and vendors is key to containing a vulnerability which, by its nature, affects a wide spectrum of deployments, from workstations to cloud servers.