This critical Linux vulnerability is putting millions of systems at risk – how to protect yours




ZDNET key takeaways

  • Copy Fail is a dangerous Linux vulnerability.
  • This flaw makes gaining root access easy for attackers.
  • Copy Fail affects millions of Linux systems.

CVE-2026-31431, also known as Copy Fail, is a critical Linux kernel vulnerability that’s been hiding out since 2017 and is now getting the security spotlight it deserves.


Oftentimes, Linux vulnerabilities can be a bit overblown, but not in this case. Copy Fail is serious business and should be considered an issue that must be mitigated.

What is Copy Fail?

Let’s talk about Copy Fail in terms that anyone can understand.

Imagine your computer’s memory as a chalkboard, where a teacher keeps track of your grades in real time. You don’t allow students to use either chalk or erasers, so they can’t change their grades. The “Copy Fail” vulnerability is like a sneaky student who somehow gains access to an eraser and chalk, and he changes just his grade while you’re not looking.

Essentially, Copy Fail is a flaw in the Linux system that is in charge of handling security for certain types of data. The flaw allows an attacker, who has just basic access to a system, to alter a crucial piece of data that exists within the computer’s RAM. Once the change is made, the altered data can trick the system into thinking that the attacker is the root user, giving the attacker full control over the system.


Think of it this way: A janitor takes the nameplate from the boss’s office and slaps it on the wall beside his closet so everyone thinks he is the boss.

That’s Copy Fail.

A difference between Copy Fail and other vulnerabilities that have hit Linux is that this one doesn’t require specific timing or certain events to happen in an exact order. It’s much easier, and its effects can be devastating.

A bit more detail

For those who want a bit more detail about Copy Fail: It abuses the AF_ALG socket interface and the splice() system call to overwrite a mere 4 bytes in the kernel’s page cache for any readable file. Once this occurs, attackers can then modify the in-memory copies of setuid binaries, such as the su command, to gain root access.

Copy Fail is different from “race condition” exploits because it’s a stable, straight-line vulnerability that doesn’t require timing-dependent retries to elevate permissions.


Copy Fail affects all Linux kernels from 4.14 to 6.19.12. You read that right: kernels from 2017 to the present.

According to the Xint Code Research Team, “This finding was AI-assisted, but began with an insight from Theori researcher Taeyang Lee, who was studying how the Linux crypto subsystem interacts with page-cache-backed data. He used Xint Code to scale his research across the entire crypto subsystem, and Copy Fail was the most critical finding in the report.”

How to avoid Copy Fail

The easiest way to mitigate the Copy Fail Linux vulnerability is to update your kernel to the latest version. To find out if your kernel has been patched against Copy Fail, issue the following command:

dpkg -l kmod
grep -qE '^algif_aead ' /proc/modules && echo "Affected module is loaded" || echo "Affected module is NOT loaded"

If your kernel has been patched, you’ll see “Affected module is NOT loaded.” If your kernel has not been patched, you’ll see “Affected module is loaded.” If you run into the latter, make sure to update your system and rerun the command. If, after an update, your system is still not patched, you can disable the algif_aead module with the command:

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf


You can then unload the module with:

rmmod algif_aead
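
The grep shown earlier reports only whether algif_aead is currently loaded. The script below is an added example, not from the article: it also compares the running kernel release against the 4.14 to 6.19.12 range the article gives and looks for the modprobe.d override. The function names, status words and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): report where a host stands on the
# article's algif_aead mitigation. Read-only; it changes nothing.

# ver_key V: "6.8.0-45-generic" -> 600080000 so releases compare as integers.
ver_key() {
    v=${1%%[!0-9.]*}                 # drop distro suffix such as "-45-generic"
    old_ifs=$IFS; IFS=.
    set -- $v                        # split major.minor.patch on dots
    IFS=$old_ifs
    echo $(( ${1:-0} * 100000000 + ${2:-0} * 10000 + ${3:-0} ))
}

# Range 4.14 .. 6.19.12 is the one the article states. Distro kernels can
# carry backported fixes, so "in range" means "check the vendor advisory".
in_affected_range() {
    k=$(ver_key "$1")
    [ "$k" -ge "$(ver_key 4.14)" ] && [ "$k" -le "$(ver_key 6.19.12)" ]
}

# module_loaded FILE: FILE is in /proc/modules format (name is the first field).
module_loaded() { grep -qsE '^algif_aead ' "$1"; }

# module_blocked DIR: any *.conf in DIR with an "install algif_aead ..." line.
module_blocked() {
    grep -qsE '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]' "$1"/*.conf
}

# audit RELEASE MODULES_FILE MODPROBE_DIR -> prints one status word.
audit() {
    if ! in_affected_range "$1"; then echo "out-of-range"
    elif module_loaded "$2";      then echo "loaded"
    elif module_blocked "$3";     then echo "blocked"
    else                               echo "loadable"
    fi
}

# Constructed sample: a /proc/modules excerpt with the module loaded.
sample=$(mktemp -d)
printf 'algif_aead 16384 0 - Live 0x0000000000000000\n' > "$sample/modules"
echo "sample host: $(audit 6.8.0-45-generic "$sample/modules" "$sample")"
rm -rf "$sample"

# Live host (read-only):
echo "this host:   $(audit "$(uname -r)" /proc/modules /etc/modprobe.d)"
```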

You now know enough about Copy Fail to stay protected.




