Linux Kernel Flaw Lets Users Gain Root Access

Researchers from Xint have discovered a vulnerability in the Linux kernel, tracked as CVE-2026-31431 and nicknamed Copy Fail, that lets an unprivileged local user escalate to root. Exploitation has been demonstrated on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16. Other distributions, including Debian, Arch, Fedora, Rocky, and Alma, are affected as well, but exploitability has not been tested on each of them individually.

The root cause is a logic error in the kernel's user-space crypto API (AF_ALG) that was introduced in 2017 by an optimization letting AEAD (Authenticated Encryption with Associated Data) operations run in place, so that the data did not have to be copied into an intermediate buffer. The error is in how AF_ALG handles input delivered via splice(), which moves data between file descriptors and pipes without copying by passing references to pages in the kernel page cache. When a file is spliced into an AF_ALG socket for decryption, the scatterlist ends up pointing at the page-cache pages that hold the file's contents instead of at a private buffer owned by the socket.

During AEAD decryption, the authentication-tag pages that are referenced this way are combined with the associated data and ciphertext that were copied into the socket's RX buffer. The offset of the resulting write is computed relative to the copied data without an adequate check, so the write can land in page-cache pages the attacker never owned. The effect is that the cached contents of any file readable to the attacker and currently held in the page cache can be modified.

Each request lets the attacker overwrite 4 bytes at an offset of their choosing. Because other processes read file contents from the page cache, the modified bytes are what those processes see: the attacker can substitute code in a program's executable pages or corrupt data in files that other processes have open. This makes the flaw a serious threat to the integrity of affected Linux systems.
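As an added, practical check that is not part of the article or of the Xint report, the script below tells an administrator whether the AF_ALG AEAD path the bug lives in is even reachable on a host: whether the algif_aead module is loaded, compiled into the kernel, blocked from autoloading by a modprobe configuration, or still autoloadable by any user's bind() on an AF_ALG socket. Treating "block the module" as an interim hardening step is this example's assumption, not advice from the report; the fix is the distribution's kernel update. The helper functions take optional file paths so they can be exercised against constructed input instead of the live host.

```shell
#!/bin/sh
# Added example (not from the article or the Xint report): reports whether
# the AF_ALG AEAD interface (algif_aead) is reachable on this host.
# Blocking the module is assumed here to be an interim hardening step only;
# the actual fix is the vendor kernel update.

# module_loaded NAME [MODULES_FILE]
# Succeeds if NAME is listed as a loaded module. /proc/modules lines start
# with the module name followed by a space.
module_loaded() {
    name=$1
    file=${2:-/proc/modules}
    [ -r "$file" ] || return 1
    grep -q "^${name} " "$file"
}

# module_builtin NAME [BUILTIN_FILE]
# Succeeds if NAME is compiled into the running kernel. modules.builtin
# lists paths such as kernel/crypto/algif_aead.ko.
module_builtin() {
    name=$1
    file=${2:-/lib/modules/$(uname -r)/modules.builtin}
    [ -r "$file" ] || return 1
    grep -q "/${name}\.ko\$" "$file"
}

# module_blocked NAME [MODPROBE_DIR]
# Succeeds if a modprobe config blocks NAME: "blacklist NAME" stops
# alias-based autoload, "install NAME /bin/false" also stops explicit loads.
module_blocked() {
    name=$1
    dir=${2:-/etc/modprobe.d}
    [ -d "$dir" ] || return 1
    cat "$dir"/*.conf 2>/dev/null |
        grep -Eq "^[[:space:]]*(blacklist|install)[[:space:]]+${name}([[:space:]]|\$)"
}

# af_alg_aead_status [MODULES_FILE] [BUILTIN_FILE] [MODPROBE_DIR]
# Prints exactly one word describing the state of algif_aead:
#   loaded       - reachable right now
#   builtin      - reachable and cannot be unloaded or blacklisted
#   blocked      - not loaded and autoload is blocked by modprobe config
#   autoloadable - not loaded, but a bind() on an AF_ALG socket with
#                  type "aead" will pull it in, so it is still reachable
af_alg_aead_status() {
    modules=${1:-/proc/modules}
    builtin=${2:-/lib/modules/$(uname -r)/modules.builtin}
    modprobe_dir=${3:-/etc/modprobe.d}
    if module_loaded algif_aead "$modules"; then
        echo loaded
    elif module_builtin algif_aead "$builtin"; then
        echo builtin
    elif module_blocked algif_aead "$modprobe_dir"; then
        echo blocked
    else
        echo autoloadable
    fi
}

# Report the live host's state when run directly.
echo "algif_aead: $(af_alg_aead_status)"
```

Only "blocked" means the AEAD path is unreachable until the kernel is patched, and only if the module is not built in. Before adding an `install algif_aead /bin/false` line, confirm nothing on the host uses AF_ALG AEAD (some crypto libraries and hardware-offload setups do); "loaded" on a host where no process holds an AF_ALG socket usually means a module autoload left it resident, and `rmmod algif_aead` will clear it until the next bind().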
