CVE-2026-31431
HIGH · 7.8 · KEV · EPSS 2.3%
KEV + distro patches + PoC public; "CopyFail" branding inflates hype but real exploitation confirmed.
What: Linux kernel crypto/algif_aead in-place operation flaw allowing local privilege escalation (CVE-2026-31431, CVSS 7.8 HIGH, EPSS 0.8%).
Why it matters: KEV-listed as of 2026-05-01. Multiple distros patching urgently (Arch 6.19.12-1, AlmaLinux, Ubuntu). Public PoC circulating with "732-byte exploit" narrative. Kernel crypto subsystem affects all local users; privilege escalation to root confirmed in chatter.
Where it's seen: Cross-distro security advisories (Arch, AlmaLinux, Alpine, Ubuntu, Rocky, CentOS); Medium writeups; Spanish/multilingual coverage; community noting "clickbait" framing but confirming real LPE impact.
RISK: HIGH — Kernel LPE, KEV-listed, multiple distros patching, public PoC, affects all systems.
AttackerKB
In the Linux kernel, the following vulnerability has been resolved:
crypto: algif_aead - Revert to operating out-of-place
This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.
Public PoCs on GitHub 20 repos
- nomi-sec/PoC-in-GitHub ★ 7687
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
- Mr-xn/Penetration_Testing_POC ★ 7330 · HTML
POCs, exploits, scripts, privilege-escalation tools, small utilities and more related to penetration testing --- About penetration-testing python-script poc getshell csrf xss cms php-getshell domainmod-xss csrf-webshell cobub-razor cve rce sql sql-poc poc-exp bypass oa-getshell cve-cms
- cdk-team/CDK ★ 4641 · Go
📦 Make security testing of K8s, Docker, and Containerd easier.
- 0xsyr0/OSCP ★ 3720 · PowerShell
OSCP Cheat Sheet
- theori-io/copy-fail-CVE-2026-31431 ★ 2904 · Python
Articles & coverage 12 articles
- Nine-year-old Linux kernel flaw enables reliable local privilege ...
Security researchers at Theori have disclosed a high-severity local privilege escalation (LPE) vulnerability (CVE-2026-31431) in the Linux kernel. It’s a logic bug in the *authencesn* cryptographic template and allows an unprivileged local user to write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root. The good news is that CVE-2026-31431 exp
- CVE-2026-31431: Linux Kernel Crypto AEAD Vulnerability
CVE-2026-31431 is a vulnerability in the Linux kernel's crypto algif_aead subsystem involving in-place operation handling. A vulnerability has been identified in the Linux kernel's cryptographic subsystem, specifically within the algif_aead module. The issue stems from complexity introduced by in-place operation handling in the AEAD (Authenticated Encryption with Associated Data) socket interfac
- Copy Fail (CVE-2026-31431): Linux Kernel Privilege Escalation FAQ
- Proof-of-concept exploit available for Linux 'Copy Fail' (CVE-2026-31431)
- Why CVE-2026-31431 (Copy Fail) barely scratches Talos Linux
# Exploit Fail: Why CVE-2026-31431 (Copy Fail) barely scratches Talos Linux. The Copy Fail exploit (CVE-2026-31431) makes a bold claim. Talos Linux doesn't have a python interpreter so we know that can't be right. We need to see how it works, if Talos is affected, and if similar exploits would work in the future. **tl;dr summary:** Copy Fail (CVE-2026-31431) does affect the kernel that ships with
NVD details: 1 CWE · 1 vendor · 38 refs
References
- https://git.kernel.org/stable/c/19d43105a97be0810edbda875f2cd03f30dc130c
- https://git.kernel.org/stable/c/3115af9644c342b356f3f07a4dd1c8905cd9a6fc
- https://git.kernel.org/stable/c/893d22e0135fa394db81df88697fba6032747667
- https://git.kernel.org/stable/c/8b88d99341f139e23bdeb1027a2a3ae10d341d82
- https://git.kernel.org/stable/c/961cfa271a918ad4ae452420e7c303149002875b
- https://git.kernel.org/stable/c/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5
- https://git.kernel.org/stable/c/ce42ee423e58dffa5ec03524054c9d8bfd4f6237
- https://git.kernel.org/stable/c/fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8
- +10 more
- http://www.openwall.com/lists/oss-security/2026/04/30/17 [Mailing List]
- http://www.openwall.com/lists/oss-security/2026/04/30/2 [Mailing List]
- http://www.openwall.com/lists/oss-security/2026/04/30/20 [Mailing List]
- http://www.openwall.com/lists/oss-security/2026/04/30/6 [Mailing List]
- http://www.openwall.com/lists/oss-security/2026/05/01/10
- http://www.openwall.com/lists/oss-security/2026/05/01/12
- http://www.openwall.com/lists/oss-security/2026/05/01/15
- http://www.openwall.com/lists/oss-security/2026/05/01/16
- +8 more
Top posts driving the trend
- @beitmenotyou.online · Bluesky · 5/3/2026
Copy Fail is a nasty Linux reminder. CVE-2026-31431 can turn a tiny local exploit into root by abusing AF_ALG, splice() and the page cache. Patch your kernel, especially on servers. Would this make you update faster? xint.io/blog/copy-fa... #Linux #Security
♥ 0 · ↻ 0 · 💬 0
- @softfantw.eurosky.social · Bluesky · 5/3/2026
CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV thehackernews.com/2026/05/cisa...
♥ 0 · ↻ 0 · 💬 0
- @skuebeck.graz.social.ap.brid.gy · Bluesky · 5/3/2026
Jolanda de Koff: Copy Fail (CVE-2026-31431) Since 2017, every major Linux distribution has been shipping a flaw that hands root access to any local user. The exploit is a 732-byte Python script that uses only what comes built into Python by default. It works on Ubuntu, Amazon Linux, RHEL, and […]
♥ 0 · ↻ 0 · 💬 0
- @it4intserver.bsky.social · Bluesky · 5/3/2026
iT4iNT SERVER CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV VDS VPS Cloud #CyberSecurity #Linux #CVE202631431 #Vulnerability #RootAccess
♥ 0 · ↻ 0 · 💬 0
- @it4int · X · 5/3/2026
iT4iNT SERVER CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV https://t.co/aSTHi6B5Gk VDS VPS Cloud #Cybersecurity #Linux #CISA #Vulnerability #CVE2026
♥ 0 · ↻ 0 · 💬 0
- @0xherrmayor · X · 5/3/2026
CISA added CVE-2026-31431 to KEV. Linux LPE: low-priv user → root. Not remote by itself, but dangerous after a small foothold: SSH, CI, or container access. For Web3 infra, RPC config is only one layer. The host still matters. https://t.co/UGTDqqXAvT #CyberSecurity #Web3Sec
♥ 1 · ↻ 0 · 💬 1
- @GregZtraffic · X · 5/3/2026
Linux node operators, listen up: CVE-2026-31431 is now active. ⚠️ CISA just added this root access bug to the KEV catalog. If you’re running a Bitcoin node or Datum Gateway on Linux, patch your systems immediately to prevent local privilege escalation. Technical sovereignty https://t.co/381j66SGCj
♥ 0 · ↻ 0 · 💬 0
- @appricot.bsky.social · Bluesky · 5/3/2026
So these lawmakers have no idea what they are talking about. Never mind the unrealistic expectations to sys.admins. Fuck us, as usual. The mess&friction in SW Licensing, GDPR compliance, Proportionality principles & fundamental human rights... sudo su - (stop reading & Go patch CVE-2026-31431)
♥ 0 · ↻ 0 · 💬 0
- @tech_wiki · X · 5/3/2026
[Link] CVE-2026-31431 Copy Fail and Proxmox > https://t.co/Wm4jKonPUj
♥ 0 · ↻ 0 · 💬 0
- @chnahon.bsky.social · Bluesky · 5/3/2026
CVE-2026-31431: THE 9-YEAR-OLD LINUX FLAW THAT THREATENS YOUR SERVERS!! youtu.be/_Okb1OJbgxA?...
♥ 0 · ↻ 0 · 💬 0
- @Bulls_N_BearsHQ · X · 5/3/2026
BREAKING: CISA adds Linux Copy Fail CVE-2026-31431 to its exploited bugs list after reports of root access risk on affected systems.
♥ 0 · ↻ 0 · 💬 0
- @1nf1n1ty238 · X · 5/3/2026
A new #Linux flaw is now under active exploitation. CISA added CVE-2026-31431 to its KEV list. The bug lets low-privilege users gain full root access. Patches released. Fix deadline: May 15, 2026. https://t.co/zj9WJdxIAZ
♥ 1 · ↻ 0 · 💬 0
- @Dinosn · X · 5/3/2026
CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV https://t.co/cIS64Swbnh
♥ 1 · ↻ 2 · 💬 0
- @minwi.bsky.social · Bluesky · 5/3/2026
732 bytes to root on every major Linux distro. No race condition. 100% reliable. CVE-2026-31431 makes the AI agent sandboxing content this week hit different. Also: Claude Code agent teams, PS5 Linux, Greg KH's LLM bug hunter, 26ns NTP with a $20 SFP. www.underkube.com/2026-05-03-w...
♥ 0 · ↻ 0 · 💬 0
- @minWi · X · 5/3/2026
732 bytes to root on every major Linux distro. No race condition. 100% reliable. CVE-2026-31431 makes the AI agent sandboxing content this week hit different. Also: Claude Code agent teams, PS5 Linux, Greg KH's LLM bug hunter, 26ns NTP with a $20 SFP. https://t.co/KxcMUXSAF1
♥ 0 · ↻ 0 · 💬 1
- @undercodenews.bsky.social · Bluesky · 5/3/2026
“Copy Fail” Chaos: Critical Linux Kernel Flaw Opens the Door to Silent Privilege Escalation Introduction: A Quiet Bug with Explosive Consequences A newly disclosed Linux kernel vulnerability—labeled CVE-2026-31431 and ominously nicknamed “Copy Fail”—has rapidly gained attention in cybersecurity…
♥ 0 · ↻ 0 · 💬 0
- @postac001.bsky.social · Bluesky · 5/3/2026
Linux has a local privilege escalation vulnerability (CVE-2026-31431), and CISA has added it to its Known Exploited Vulnerabilities catalog. It is being actively exploited.
♥ 0 · ↻ 0 · 💬 0
- @cybersecurity0001.bsky.social · Bluesky · 5/3/2026
CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV
♥ 0 · ↻ 0 · 💬 0
- @hendryadrian.bsky.social · Bluesky · 5/3/2026
CISA adds CVE-2026-31431, aka Copy Fail, to its Known Exploited Vulnerabilities list. This Linux kernel bug allows local privilege escalation and affects cloud/container environments. Patches released for versions 6.18.22, 6.19.12, 7.0. #LinuxKernel #USA
♥ 0 · ↻ 0 · 💬 0
- @TweetThreatNews · X · 5/3/2026
CISA adds CVE-2026-31431, aka Copy Fail, to its Known Exploited Vulnerabilities list. This Linux kernel bug allows local privilege escalation and affects cloud/container environments. Patches released for versions 6.18.22, 6.19.12, 7.0. #LinuxKernel #USA https://t.co/zsRXmHYu07
♥ 0 · ↻ 0 · 💬 0
- @JedisecX · X · 5/3/2026
CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV https://t.co/E2iMzXiHHd
♥ 0 · ↻ 0 · 💬 0
- @DConsultinguk · X · 5/3/2026
CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclose #cisa #adds #actively #exploited #linux #root #access #cve202631431 https://t.co/qpl262EOYd
♥ 0 · ↻ 0 · 💬 0
- @VivekIntel · X · 5/3/2026
CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV https://t.co/TURyu5ySti
♥ 0 · ↻ 0 · 💬 0
- @aiinstituteuk · X · 5/3/2026
Linux CopyFail CVE-2026-31431... https://t.co/WAj4gptjM6 #LinuxSecurity #CVE202631431 #RootExploit #Cybersecurity #OpenSource #TechVulnerability 📸 {image_url} https://t.co/NbrbswbX58
♥ 0 · ↻ 0 · 💬 0
- @infosec.skyfleet.blue · Bluesky · 5/3/2026
CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV
♥ 1 · ↻ 0 · 💬 0
- @NewsNerdie · X · 5/3/2026
🚨 BREAKING: CISA adds CVE-2026-31431, a Linux root access bug, to its KEV catalog due to active exploitation. This flaw affects various Linux distributions, posing significant security risks. Stay vigilant! #NerdieNews #CyberSecurity #BreakingNews #InfoSec #Linux https://t.co/5y6bEyw9cY
♥ 0 · ↻ 0 · 💬 0
- @zench4n · X · 5/3/2026
Hot take: most AI 'security' tools are theater. Real defense is syscall-level observability. CVE-2026-31431 proved it. Challenge my thinking — I dare you. 🔥 #AIsecurity
♥ 0 · ↻ 0 · 💬 0
- @uktodaytv · X · 5/3/2026
Linux CopyFail CVE-2026-31431 2026: Critical Root Exploit Hits Every Major https://t.co/n6TgOK2Rol #linux #cve2026 #exploit
♥ 0 · ↻ 0 · 💬 0
- @NewsDaily18579 · X · 5/3/2026
🟡 A local privilege escalation flaw (CVE-2026-31431 (CVSS: 7.8/10)) in various Linux distributions allows attackers to gain Linux root access. CVE: CVE-2026-31431 (CVSS: 7.8/10) Target: Various Linux distributions According to The Hacker News. #LinuxLPE #CVEupdate
♥ 0 · ↻ 0 · 💬 0
- @pigram86 · X · 5/3/2026
CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV https://t.co/UEc0Kov1kB
♥ 0 · ↻ 0 · 💬 0