Copy Fail: 732 Bytes to Root on Every Major Linux Distribution
8 hours ago
- #Linux Kernel Vulnerability
- #Root Privilege Escalation
- #Container Escape
- Copy Fail (CVE-2026-31431) is a logic bug in the Linux kernel's authencesn cryptographic template that allows a 4-byte write into the page cache of any readable file.
- An unprivileged local user can exploit this with a 732-byte Python script to edit setuid binaries and gain root on Linux distributions shipped since 2017.
- The bug is portable: it works across Ubuntu, Amazon Linux, RHEL, and SUSE without per-distro offsets, and it is stealthy because it doesn't mark the corrupted pages dirty, so the on-disk files are unchanged.
- The root cause is the AF_ALG socket's splice() path placing page cache pages in a writable scatterlist during AEAD decryption, with authencesn's scratch write crossing into those pages.
- The exploit involves setting up an AF_ALG socket, constructing sendmsg() and splice() pairs to write 4-byte payload chunks into /usr/bin/su's page cache, and executing the corrupted binary.
- The fix reverts algif_aead.c to out-of-place operation, separating source and destination scatterlists, and patches are being distributed.
- Mitigations include patching the kernel, blocking AF_ALG socket creation via seccomp, or blacklisting the algif_aead module.
- Timeline: Reported March 2026, patched April 2026, publicly disclosed April 29, 2026.
- The bug was found with AI assistance by Xint Code, building on Theori researcher Taeyang Lee's insights into AF_ALG and splice() interactions.
- Copy Fail also enables container escape and Kubernetes node compromise, detailed in Part 2 of the series.