oss-sec mailing list archives

Re: CVE-2026-31431: CopyFail: linux local privilege escalation


From: Aaron Rainbolt <arraybolt3 () gmail com>
Date: Wed, 29 Apr 2026 21:26:03 -0400

On Wed, 29 Apr 2026 23:39:44 +0100
Sam James <sam () gentoo org> wrote:

Jan Schaumann <jschauma () netmeister org> writes:

Hi,

This is currently making the rounds and looks pretty
severe:

https://copy.fail/

A local privilege escalation vulnerability with a
working PoC python script exploiting a logic flaw in
the kernel crypto API (AF_ALG) affecting most Linux
distributions.

More detailed write-up:
https://xint.io/blog/copy-fail-linux-distributions

[...]  

Affected and fixed versions
===========================

Issue introduced in 4.14 with commit
72548b093ee38a6d4f2a19e6ef1948ae05c181f7 and fixed in
6.18.22 with commit
fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8

Issue introduced in 4.14 with commit
72548b093ee38a6d4f2a19e6ef1948ae05c181f7 and fixed in
6.19.12 with commit
ce42ee423e58dffa5ec03524054c9d8bfd4f6237

Issue introduced in 4.14 with commit
72548b093ee38a6d4f2a19e6ef1948ae05c181f7 and fixed in
7.0 with commit
a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5  

To say it explicitly, all the kernels in-between before 6.18 aren't
fixed.


https://git.kernel.org/stable/c/fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8
https://git.kernel.org/stable/c/ce42ee423e58dffa5ec03524054c9d8bfd4f6237
https://git.kernel.org/stable/c/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5

----

PoC:
https://github.com/theori-io/copy-fail-CVE-2026-31431/blob/main/copy_fail_exp.py


Mitigation:

# echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
# rmmod algif_aead

Brad Spengler has been pointing out that this won't work on a few
common enterprise kernels where CONFIG_CRYPTO_USER_API_AEAD=y (rather
than m).

I'd like to also point out that the copy.fail website may underplay the
impact this mitigation has on userspace. It's not the easiest thing in
the world to find out everywhere where an AF_ALG socket is opened and
then set up in AEAD mode in Debian, but so far I've found that at least
bluez, cryptsetup, iwd, and stress-ng contain code that does this, as
does a particular test in some Rust code in rustc, firefox-esr, and
thunderbird. libkcapi is also a thing, anything that does AEAD with it
will be affected. Simply nuking this part of the kernel API from orbit
is not a universally safe operation.

(Note that I've not yet made any of these applications misbehave by
applying the mitigation, I tried some experiments with cryptsetup and
the results were inconclusive. So this might be safe enough for most
people.)

--
Aaron
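Added example, not code from the thread or from any of its participants: a small POSIX shell helper that classifies a kernel version against the fixed versions quoted above (6.18.22, 6.19.12, 7.0; introduced in 4.14) and checks whether the modprobe blacklist can apply at all, since on CONFIG_CRYPTO_USER_API_AEAD=y kernels there is no module to unload. The function names, the file paths and the assumption that a distro backport cannot be told apart from the version string alone are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks a kernel against the fixed
# versions quoted above and whether the modprobe blacklist can apply.

# copyfail_version_status VERSION  ->  prints fixed | affected | not-affected
# Compares the upstream version number only: a distro kernel may carry a
# backported fix, so treat "affected" as "check your vendor's advisory".
copyfail_version_status() {
    IFS=. read -r maj min pat <<EOF
$1
EOF
    min=${min:-0}; pat=${pat:-0}
    min=${min%%[!0-9]*}; pat=${pat%%[!0-9]*}   # drop "-generic", "-rc1", ...
    if [ "$maj" -lt 4 ] || { [ "$maj" -eq 4 ] && [ "$min" -lt 14 ]; }; then
        echo not-affected        # introduced in 4.14
    elif [ "$maj" -ge 7 ]; then
        echo fixed               # fixed in 7.0
    elif [ "$maj" -eq 6 ] && [ "$min" -eq 18 ] && [ "$pat" -ge 22 ]; then
        echo fixed               # fixed in 6.18.22
    elif [ "$maj" -eq 6 ] && [ "$min" -eq 19 ] && [ "$pat" -ge 12 ]; then
        echo fixed               # fixed in 6.19.12
    else
        echo affected            # everything from 4.14 up to the fixes
    fi
}

# aead_api_status CONFIG_FILE MODULES_FILE
#   CONFIG_FILE  kernel config, e.g. /boot/config-$(uname -r)
#   MODULES_FILE /proc/modules ("name size refcount ..." per line)
# prints: builtin | module-loaded | module-not-loaded | not-built
# "builtin" means the modprobe.d/rmmod mitigation cannot remove the code.
aead_api_status() {
    if grep -q '^CONFIG_CRYPTO_USER_API_AEAD=y' "$1"; then
        echo builtin
    elif grep -q '^CONFIG_CRYPTO_USER_API_AEAD=m' "$1"; then
        if grep -q '^algif_aead ' "$2"; then echo module-loaded
        else echo module-not-loaded; fi
    else
        echo not-built
    fi
}

# Report on the running kernel when its config is readable (skipped otherwise).
cfg=/boot/config-$(uname -r)
if [ -r "$cfg" ] && [ -r /proc/modules ]; then
    echo "kernel $(uname -r): $(copyfail_version_status "$(uname -r)")"
    echo "AF_ALG AEAD support: $(aead_api_status "$cfg" /proc/modules)"
fi
```

A "builtin" result is the case Brad describes, where the only real fix is a patched kernel; a "module-loaded" result on an "affected" kernel is where the blacklist above helps, subject to the userspace breakage Aaron lists.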
