CopyFail (CVE-2026-31431): kernel patches now available for Rocky Linux
Eric 'the IT Guy' Hendricks
Patches are available now for Rocky Linux 8.10, 9.7, and 10.1 addressing a high-severity local privilege escalation vulnerability in the Linux kernel. Update your kernel and reboot.
What happened
On April 29, security researchers from Xint Code (Theori) disclosed a Linux kernel vulnerability they named CopyFail, tracked as CVE-2026-31431. The flaw has been present in essentially every mainstream Linux kernel built since 2017.
The bug lives in the kernel's algif_aead module -- the AEAD socket interface of the userspace crypto API (AF_ALG). A logic flaw in authencesn, chained through AF_ALG and the splice() system call, allows an unprivileged local user to perform a controlled 4-byte write into the page cache. By corrupting the in-memory copy of a setuid binary like /usr/bin/su -- without touching anything on disk -- an attacker can escalate to root in seconds.
What makes CopyFail stand out is how reliable it is. The 732-byte Python proof-of-concept requires no race conditions, no per-distribution tuning, and no special privileges. The same script works unmodified across distributions. File integrity tools won't catch it because nothing on disk changes. This makes it especially dangerous on multi-tenant hosts, Kubernetes nodes, and CI/CD runners, where a shared page cache means one compromised workload can threaten the entire node.
The researchers have published the exploit publicly. Treat this as actively exploitable.
How to fix it
Run the following and reboot:
sudo dnf --refresh update 'kernel*'
sudo reboot
The --refresh flag makes dnf fetch fresh repository metadata before resolving the update, so the newly published kernel is seen even when a cached copy of the metadata has not yet expired; it does not re-download packages you already have. Patched kernel versions are:
- Rocky Linux 8.10: kernel-4.18.0-553.123.1.el8_10 and above
- Rocky Linux 9.7: kernel-5.14.0-611.54.1.el9_7 and above
- Rocky Linux 10.1: kernel-6.12.0-124.55.1.el10_1 and above
After rebooting, confirm your running kernel with uname -r.
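To turn that uname -r check into something you can run across a fleet, here is an added example (not part of the Rocky Linux advisory or its tooling) that compares a kernel release string against the three patched builds listed above, field by field as numbers rather than as strings, and reports "no baseline" rather than a false pass for kernels that are not Rocky 8.10, 9.7 or 10.1.

```shell
# Added example: is this kernel release at or above the CopyFail-patched build?
# Map a dist tag (el8_10, el9_7, el10_1) to the first patched kernel build.
patched_kernel_for() {
    case "$1" in
        el8_10) echo "4.18.0-553.123.1.el8_10" ;;
        el9_7)  echo "5.14.0-611.54.1.el9_7" ;;
        el10_1) echo "6.12.0-124.55.1.el10_1" ;;
        *)      return 1 ;;
    esac
}
# Pull the dist tag out of a release such as 5.14.0-611.54.1.el9_7.x86_64.
dist_tag_of() {
    printf '%s\n' "$1" | sed -n 's/.*\.\(el[0-9]*_[0-9]*\).*/\1/p'
}
# Return 0 if version $1 >= version $2. Every run of digits is compared as a
# number, so 553.123.1 ranks above 553.99.1 (a plain string compare would not).
version_ge() {
    a=$(printf '%s' "$1" | tr -c '0-9' ' ')
    b=$(printf '%s' "$2" | tr -c '0-9' ' ')
    i=1
    while :; do
        fa=$(printf '%s' "$a" | awk -v n="$i" '{print $n}')
        fb=$(printf '%s' "$b" | awk -v n="$i" '{print $n}')
        [ -z "$fa" ] && [ -z "$fb" ] && return 0   # all fields equal
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 1
        i=$((i + 1))
    done
}
# Print a verdict for one kernel release string. Exit status: 0 patched,
# 1 still vulnerable, 2 not a Rocky 8.10/9.7/10.1 kernel (nothing to compare).
copyfail_status() {
    tag=$(dist_tag_of "$1")
    if ! fixed=$(patched_kernel_for "$tag"); then
        echo "$1: no CopyFail baseline for dist tag '${tag:-none}'"
        return 2
    fi
    if version_ge "$1" "$fixed"; then
        echo "$1: patched (>= $fixed)"
        return 0
    fi
    echo "$1: VULNERABLE to CVE-2026-31431, update to $fixed or later and reboot"
    return 1
}
# Check the kernel that is actually running (i.e. after the reboot), keeping
# the verdict in $status so a caller under set -e is not aborted.
status=0; copyfail_status "$(uname -r)" || status=$?
```

rpmdev-vercmp from rpmdevtools is the canonical RPM version comparator; the pure-shell compare here is enough for these release strings and needs nothing installed.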
A note on the algif_aead module
You may have seen advice elsewhere to disable algif_aead via rmmod or a modprobe.d entry as an interim workaround. On Rocky Linux, that approach does not apply. The algif_aead module is compiled directly into the kernel image (CONFIG_CRYPTO_USER_API_AEAD=y), not shipped as a loadable module. The kernel update above is the correct fix.
Thank you
Thanks to Brian Pak and the team at Xint Code for finding this vulnerability, handling coordinated disclosure responsibly, and publishing a thorough technical write-up. If you want to understand exactly how a single logic bug becomes a fully reliable privilege escalation, their write-up is worth your time.
Additional reading
- copy.fail -- Researcher disclosure site with technical details and proof-of-concept
- Xint Code technical write-up -- Full root cause analysis and exploit mechanics
- CVE-2026-31431 on NVD -- Official CVE record
- GitHub: theori-io/copy-fail-CVE-2026-31431 -- Exploit source and issue tracker
- Ars Technica coverage -- Broader context on industry response