Linux kernel LPE lets unprivileged users overwrite setuid binaries in memory
TL;DR - CVE-2026-31431 ("Copy Fail") is a Linux kernel local privilege escalation. An unprivileged user abuses the AF_ALG crypto API and splice() to write 4 controlled bytes into the kernel page cache of any readable file - including setuid binaries. Corrupt the right binary, get root.
What happened
The Linux kernel underpins most production container stacks, CI runners, and cloud VMs. Microsoft Defender published analysis of CVE-2026-31431, dubbed "Copy Fail" - a high-severity local privilege escalation affecting kernels shipped since 2017.
The bug lives in the kernel crypto subsystem. By combining the AF_ALG userspace crypto API (specifically algif_aead) with splice(), an attacker can write exactly 4 controlled bytes into the kernel page cache of any file they can read. That includes setuid binaries. Corrupt the in-memory copy of a privileged executable and you get code execution as root.
| Item | Detail |
|---|---|
| Vulnerability | Local privilege escalation (LPE) in Linux kernel crypto subsystem |
| CVSS | 7.8 (High) |
| Attack vector | Local, low privileges, no user interaction |
| Exploit primitive | Controlled 4-byte write into kernel page cache via AF_ALG + splice() |
| Typical outcome | Escalate to UID 0; container breakout and multi-tenant compromise |
Microsoft reports that exploitation so far has been limited to proof-of-concept testing activity, but notes early signs that may precede broader threat actor use. That makes timing important for cloud, Kubernetes, and CI/CD environments where untrusted code regularly runs inside containers or shared build agents.
Who is impacted
- Linux systems running kernels released from 2017 until patched versions are applied.
- Environments where untrusted or semi-trusted code can execute locally:
  - CI/CD runners and build agents processing third-party build steps
  - Multi-tenant servers where non-admin users have shell access
  - Container hosts where a compromised container process provides a local foothold
- Microsoft explicitly names Red Hat, SUSE, Ubuntu, and AWS Linux as affected, with Debian, Fedora, and Arch Linux also called out.
What to do now
- Apply kernel updates from your Linux distribution vendor now.
- If patches are not yet available for your environment, use the interim mitigations Microsoft identifies:
  - Block AF_ALG socket creation to remove the exploit primitive entirely
  - Apply access controls to limit which users can interact with the crypto subsystem
  - Implement network isolation around exposed hosts as a secondary layer
- Scope your exposure:
  - Identify at-risk fleet segments: Kubernetes nodes, shared CI runners, bastion-like hosts
  - Review logs for signs of exploitation or unusual AF_ALG socket activity
- Treat any container RCE as a potential host compromise. Enforce rapid node recycling after compromise indicators appear.
- Once patches are applied, confirm the fix is active before removing interim controls.
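As an added example (not code from the advisory or from Microsoft's analysis), the POSIX shell helpers below put the two interim controls above into practice on an x86_64 host: a modprobe.d fragment and a Docker-style seccomp profile that refuse AF_ALG socket creation, plus an auditd rule and a summariser that reviews raw audit.log text for AF_ALG socket activity. The function names, the audit key name af_alg_socket and the sample audit records are constructed for this example; 38 is the kernel's AF_ALG family number and 41 is the socket(2) syscall number on x86_64.

```shell
#!/bin/sh
# Added example: interim controls for CVE-2026-31431 ("Copy Fail") while
# waiting for a patched kernel. Not from the advisory or Microsoft's analysis;
# function names, the audit key and the sample log records are constructed
# for this example. Assumes an x86_64 host.
set -eu

AF_ALG_FAMILY=38      # AF_ALG / PF_ALG address family number in the kernel
SOCKET_NR_X86_64=41   # socket(2) syscall number on x86_64

# --- Mitigation 1: refuse to auto-load the AF_ALG modules -------------------
# Only effective when af_alg/algif_aead are built as modules (=m). Modules
# that are already loaded must be removed separately (rmmod), and a built-in
# af_alg needs the seccomp control below instead.
af_alg_modprobe_fragment() {
    cat <<'EOF'
# CVE-2026-31431 interim mitigation: do not load the AF_ALG userspace crypto API
install af_alg /bin/false
install algif_aead /bin/false
EOF
}

# Exit 0 when some *.conf in the given modprobe.d directory already carries
# the install override for af_alg, non-zero otherwise.
af_alg_modprobe_blocked() {
    dir=$1
    [ -d "$dir" ] || return 1
    grep -qsE '^[[:space:]]*install[[:space:]]+af_alg[[:space:]]+/bin/(false|true)' "$dir"/*.conf
}

# Report how af_alg is present on this host: loaded, builtin or not-loaded.
af_alg_runtime_state() {
    if grep -q '^af_alg ' /proc/modules 2>/dev/null; then
        echo loaded
    elif grep -qs '/af_alg\.ko' "/lib/modules/$(uname -r)/modules.builtin"; then
        echo builtin
    else
        echo not-loaded
    fi
}

# --- Mitigation 2: container seccomp profile ------------------------------
# Docker/containerd-style profile that fails socket(AF_ALG, ...) with EPERM.
# Argument filters on socket() do not cover the i386 socketcall() multiplexer,
# so the profile is scoped to x86_64.
af_alg_seccomp_profile() {
    cat <<EOF
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "args": [{ "index": 0, "value": $AF_ALG_FAMILY, "op": "SCMP_CMP_EQ" }]
    }
  ]
}
EOF
}

# --- Detection: audit every AF_ALG socket creation -------------------------
# auditctl compares a0 in decimal, but the SYSCALL record it produces prints
# arguments in hexadecimal, so 38 shows up as a0=26 in audit.log.
af_alg_audit_rule() {
    echo "-a always,exit -F arch=b64 -S socket -F a0=$AF_ALG_FAMILY -k af_alg_socket"
}

# Summarise AF_ALG socket creations from raw audit.log text on stdin:
# prints "<count> <uid> <comm>" per (uid, comm) pair, most frequent first.
af_alg_audit_summary() {
    awk -v nr="$SOCKET_NR_X86_64" -v fam="$(printf '%x' "$AF_ALG_FAMILY")" '
        /^type=SYSCALL / {
            hit = 0; uid = ""; comm = ""
            for (i = 1; i <= NF; i++) {
                if ($i == ("syscall=" nr)) hit++
                if ($i == ("a0=" fam)) hit++
                if ($i ~ /^uid=/) uid = substr($i, 5)
                if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
            }
            if (hit == 2) n[uid " " comm]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Constructed sample records (not real telemetry): two AF_ALG sockets from an
# unknown binary in /tmp, one unrelated AF_INET socket, one AF_ALG from openssl.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=4100 pid=4101 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="a.out" exe="/tmp/a.out" key="af_alg_socket"
type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=41 success=yes exit=4 a0=26 a1=5 a2=0 a3=0 items=0 ppid=4100 pid=4101 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="a.out" exe="/tmp/a.out" key="af_alg_socket"
type=SYSCALL msg=audit(1700000000.103:503): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=SYSCALL msg=audit(1700000000.104:504): arch=c000003e syscall=41 success=yes exit=5 a0=26 a1=5 a2=0 a3=0 items=0 ppid=2200 pid=2201 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=7 comm="openssl" exe="/usr/bin/openssl" key="af_alg_socket"'
```

Typical use: write `af_alg_modprobe_fragment` into a file under /etc/modprobe.d, check `af_alg_runtime_state` to learn whether the module is already loaded or built in (in which case the seccomp profile is the control that actually bites), load the profile with the container runtime's seccomp option, and install `af_alg_audit_rule` with auditctl before piping audit.log through `af_alg_audit_summary`. Legitimate AF_ALG users (such as openssl with the afalg engine) will appear in the summary, so triage is about unexpected uids and binaries rather than any hit at all. Confirming the fix itself means checking the running kernel against the fixed package version in your vendor's advisory, which this page does not list.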
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
