Cybersecurity experts have unveiled a significant local privilege escalation (LPE) vulnerability in Linux, identified as CVE-2026-31431. It’s informally known as “Copy Fail,” with a high CVSS score of 7.8. This flaw permits unprivileged local users to gain root access on a variety of Linux distributions.
Understanding the Copy Fail Vulnerability
The vulnerability originates from a flaw within the Linux kernel’s cryptographic subsystem, particularly in the algif_aead module. It was introduced through a source code change in August 2017. Exploiting this flaw allows a local user to manipulate a setuid binary and escalate privileges effectively.
Exploitation Methodology
To exploit Copy Fail, an attacker can utilize a straightforward 732-byte Python script through the following steps:
- Open an AF_ALG socket and bind to authencesn(hmac(sha256),cbc(aes)).
- Construct the desired shellcode payload.
- Trigger a write operation to the kernel’s cached copy of “/usr/bin/su.”
- Execute execve(“/usr/bin/su”) to load the shellcode and run it with root privileges.
While this vulnerability cannot be exploited remotely on its own, it poses a significant risk when a local unprivileged user corrupts the page cache of a setuid binary. This risk is compounded by the cross-container effects since the page cache is shared across different system processes.
Previous Vulnerabilities
Linux distributions have taken notice of Copy Fail and issued advisories in response. This issue shares similarities with an earlier vulnerability known as Dirty Pipe (CVE-2022-0847). Similar to Copy Fail, Dirty Pipe allowed unprivileged users to manipulate the page cache of read-only files, leading to unauthorized code execution.
The Unique Properties of Copy Fail
According to Xint.io representatives, Copy Fail stands out for its unique characteristics:
- Portable across various Linux distributions.
- Compact, requiring only a small script for exploitation.
- Stealthy, making detection challenging.
- Cross-container compatibility, allowing exploits to traverse container boundaries.
This vulnerability empowers any user account, regardless of privilege level, to gain full administrative access. Furthermore, it undermines sandboxing mechanisms, making it a significant threat across all Linux environments.
As Linux distributions work to patch this vulnerability, users are urged to remain vigilant and apply any security updates promptly to safeguard their systems.
