Copy Fail

CVE identifier: CVE-2026-31431
CVSS score: 7.8
Date of public disclosure: 29 April 2026
Discoverer: Taeyang Lee (Theori)
Affected software: Linux kernel
Website: copy.fail

CVE-2026-31431, commonly known as Copy Fail, is a privilege escalation vulnerability in the Linux kernel.[1][2] The security firm Theori reported it to the Linux kernel security team and disclosed it publicly five weeks later, on 29 April 2026.[3] The exploit uses only standard system calls, so it blends into normal system activity, and fits in about 10 lines of Python.[4]

Characteristics

The vulnerability lets an unprivileged user use the AF_ALG address family of the Linux kernel's Crypto API to perform controlled 4-byte writes into the page cache, the kernel's in-memory copy of file contents.[5]

By overwriting code in the page-cache copy of an executable that the attacker can read, an attacker can escalate privileges when a privileged process later executes that corrupted copy. Because the standard utilities for changing users (e.g. su) are setuid binaries that run with elevated privileges, the set of usable targets is large.

Affected software

Every Linux distribution running a kernel version from 4.14 (released in 2017[2]) to 6.19.12 is at risk.[6][7] Debian, Ubuntu, SUSE, Red Hat Enterprise Linux and other distributions were affected.[2][8]

Many distributions and security sources recommended mitigating the issue by disabling the affected algif_aead kernel module.[6][8] Some distributions, such as Arch Linux, Fedora[3] and Amazon Linux, had patches available at the time of disclosure,[9] but Theori published before other distributions it listed as vulnerable had released patches.[3] As of 30 April 2026, SUSE, Red Hat and Ubuntu had published mitigation guidance.[3] As of 5 May, Kaspersky Lab had added detection rules.[4]

Mandatory access control (MAC) mechanisms such as SELinux and AppArmor can block the exploit, but only when their policies restrict the AF_ALG socket family to the services that legitimately need it. In default configurations, any unconfined or broadly permitted process can still open AF_ALG sockets, so the protection is effectively absent and the exploit remains reachable.[10]
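The two mitigation checks an administrator wants from the paragraphs above (is algif_aead still loadable, and can an unprivileged process still reach the AF_ALG aead surface at all, whatever SELinux or AppArmor policy is in force) can be scripted. The following is an added example, not code from the article, from Theori or from any distribution advisory. It assumes that the fix is the 6.19.12 release whose changelog the article cites, that a modprobe `install` override is an acceptable way to stop the module from autoloading, and that `gcm(aes)` is a reasonable AEAD to bind against; the `/proc/modules` sample is constructed, not captured from a real host.

```python
"""Triage helper for CVE-2026-31431 ("Copy Fail") -- added example.

Assumptions not stated on the page: the fixed release is 6.19.12 (the
ChangeLog the article cites), and a modprobe "install" override is an
acceptable way to keep algif_aead from being autoloaded.  Distribution
kernels backport fixes, so the version check is a first pass only; the
live AF_ALG probe is the check that actually reflects exposure.
"""
import re
import socket

AFFECTED_FIRST = (4, 14, 0)   # article: affected since 4.14
FIXED = (6, 19, 12)           # article: ChangeLog-6.19.12 (assumed fix release)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

# Constructed sample in /proc/modules format (name size refcount deps state addr);
# not captured from a real machine.
SAMPLE_PROC_MODULES = (
    "algif_aead 16384 0 - Live 0x0000000000000000\n"
    "af_alg 32768 1 algif_aead, Live 0x0000000000000000\n"
    "overlay 180224 1 - Live 0x0000000000000000\n"
)


def parse_kernel_version(release: str) -> tuple:
    """'6.8.0-41-generic' -> (6, 8, 0); '6.19' -> (6, 19, 0)."""
    m = _VERSION_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def version_in_affected_range(release: str) -> bool:
    """True when 4.14 <= version < 6.19.12 by mainline numbering only."""
    return AFFECTED_FIRST <= parse_kernel_version(release) < FIXED


def algif_aead_loaded(proc_modules_text: str) -> bool:
    """Parse /proc/modules (or `lsmod`) text; report whether algif_aead is resident."""
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "algif_aead":
            return True
    return False


def modprobe_override() -> str:
    """Contents for /etc/modprobe.d/copyfail.conf.

    `install ... /bin/false` makes every autoload request for algif_aead fail.
    A plain `blacklist` line only disables alias-based loading, which is why
    the install override is used here (assumption, see lead-in).
    """
    return (
        "# Mitigation for CVE-2026-31431 (Copy Fail): refuse to load algif_aead\n"
        "install algif_aead /bin/false\n"
    )


def probe_af_alg_aead(algorithm: str = "gcm(aes)") -> str:
    """Attempt, as the current user, the first step the vulnerable path needs:
    create an AF_ALG socket and bind the 'aead' type.

    Returns 'reachable'   - bind succeeded: the AF_ALG aead surface is open
            'no_aead'     - socket opened but bind failed: algif_aead disabled
                            (or the named algorithm is unavailable)
            'no_af_alg'   - socket() itself refused: MAC policy, seccomp,
                            or a kernel built without AF_ALG
            'unsupported' - this Python build has no AF_ALG (non-Linux)
    """
    af_alg = getattr(socket, "AF_ALG", None)
    if af_alg is None:
        return "unsupported"
    try:
        s = socket.socket(af_alg, socket.SOCK_SEQPACKET, 0)
    except OSError:
        return "no_af_alg"
    try:
        s.bind(("aead", algorithm))   # AF_ALG address tuple: (type, name)
    except OSError:
        return "no_aead"
    else:
        return "reachable"
    finally:
        s.close()


if __name__ == "__main__":
    import platform
    rel = platform.release()
    print(f"kernel {rel}: in affected mainline range: {version_in_affected_range(rel)}")
    try:
        with open("/proc/modules") as f:
            print("algif_aead loaded:", algif_aead_loaded(f.read()))
    except OSError:
        print("algif_aead loaded (sample data):", algif_aead_loaded(SAMPLE_PROC_MODULES))
    print("AF_ALG aead probe:", probe_af_alg_aead())
    print("modprobe override to install:\n" + modprobe_override(), end="")
```

Run it as an ordinary user on an unpatched machine: a `reachable` result means neither the module override nor the MAC policy is actually stopping an unprivileged process from reaching the aead socket type, regardless of what the configuration files say. After the override is written and the module unloaded (`modprobe -r algif_aead`), the probe should report `no_aead`; on a system whose SELinux or AppArmor policy confines the caller away from AF_ALG, it reports `no_af_alg`.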

According to GrapheneOS, Android is unaffected because its SELinux policy allows only the dumpstate process (used for bug reports) to create AF_ALG sockets.[11]

References

  1. Knop, Dirk (30 April 2026). "'Copy Fail': Linux root in all major distributions with 732 bytes of Python". heise online. Retrieved 30 April 2026.
  2. Claburn, Thomas (30 April 2026). "Linux cryptographic code flaw offers fast route to root". The Register.
  3. Goodin, Dan (30 April 2026). "The most severe Linux threat to surface in years catches the world flat-footed". Ars Technica. Retrieved 5 May 2026.
  4. "Copy Fail: root on virtually any Linux". Securelist. 30 April 2026. Retrieved 8 May 2026.
  5. Toulas, Bill (30 April 2026). "New Linux 'Copy Fail' flaw gives hackers root on major distros". BleepingComputer. Retrieved 30 April 2026.
  6. "Copy Fail (CVE-2026-31431): Linux Kernel Privilege Escalation FAQ". Tenable. 30 April 2026. Retrieved 1 May 2026.
  7. "ChangeLog-6.19.12". Linux kernel source. Retrieved 2 May 2026.
  8. "CVE-2026-31431". access.redhat.com. Red Hat. Retrieved 1 May 2026.
  9. Bonifield, Stevie (1 May 2026). "Severe Linux Copy Fail security flaw uncovered using AI scanning help". The Verge. Retrieved 5 May 2026.
  10. Coker, Russell (4 May 2026). "Copy Fail on Debian and SE Linux". etbe.coker.com.au. Retrieved 5 May 2026.
  11. GrapheneOS (30 April 2026). "GrapheneOS is protected against Copy Fail and similar vulnerabilities by SELinux". discuss.grapheneos.org. Retrieved 30 April 2026.
