
Severity: Critical

A critical vulnerability has been disclosed in the Linux kernel, affecting a wide range of distributions and versions commonly used across enterprise and cloud environments.

The vulnerability, tracked as CVE-2026-31431 (also referred to as “Copy Fail”), is a logic bug in the Linux kernel’s authencesn cryptographic template. It allows an unprivileged local user to trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system.

Successful exploitation could enable attackers to modify privileged binaries (e.g. setuid executables) and gain root-level access on affected systems. A single 732-byte Python script can edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017.

Due to its reliability and low complexity, this vulnerability presents a significant risk to system integrity across unpatched environments.

As part of Beeks’ commitment to supporting operational resilience and cyber risk management, this advisory is intended to help organisations assess exposure and implement appropriate mitigations.

Affected Software: 

  • Linux distributions running kernel versions 4.13 (released 2017) through to the patched release. Confirmed affected: Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, SUSE 16, Debian, Arch, Fedora, and Oracle Linux. Any distribution running an unpatched kernel in this range is affected.

First appeared in 4.14.

Fixed in:

  • 7.0+
  • 6.19.12
  • 6.18.22
  • 6.12.85
  • 6.6.137
  • 6.1.170
  • 5.15.204
  • 5.10.254

Immediate Recommended Actions

  • Immediate mitigation (if patching is not yet possible): blacklist the algif_aead kernel module by running the command below. This has no functional impact on standard cryptographic operations (dm-crypt, SSH, OpenSSL) as these bypass AF_ALG entirely.
      echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
  • Patch: apply the latest kernel update from your distribution’s package manager and reboot to load the patched kernel. The upstream fix is mainline commit a664bf3d603d. Patching requires a system reboot – plan accordingly for production hosts.
  • For Kubernetes/container environments: audit all node kernel versions, apply the seccomp profile to block the relevant syscall as an interim measure, and drain and reinstate nodes one-by-one following the patched kernel rollout to avoid application downtime.
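
An added example (not part of the original advisory or any Beeks tooling): a POSIX shell check that compares a kernel release string with the fixed versions listed above and tests for the algif_aead modprobe rule. The function names and status strings are assumptions of this example; on a distribution kernel, a result of below-upstream-fix or branch-not-listed means consult the vendor tracker, since vendors may backport the fix without changing the upstream version number.

```shell
#!/bin/sh
# Added example, not from the advisory: fixed versions are copied from the
# "Fixed in" list; function names and status strings are assumptions.

# copyfail_status RELEASE -> patched | below-upstream-fix | branch-not-listed | unknown
copyfail_status() {
    rel=${1%%-*}                         # drop distro suffix: 6.12.85-amd64 -> 6.12.85
    major=${rel%%.*}
    case $major in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    rest=${rel#*.}
    minor=${rest%%.*}; minor=${minor%%[!0-9]*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0    # no third component, e.g. "7.0"
    patch=${patch%%[!0-9]*}; patch=${patch:-0}
    case "$major.$minor" in
        6.19) fixed=12 ;;  6.18) fixed=22 ;;  6.12) fixed=85 ;;
        6.6)  fixed=137 ;; 6.1)  fixed=170 ;;
        5.15) fixed=204 ;; 5.10) fixed=254 ;;
        *)    fixed= ;;
    esac
    if [ "$major" -ge 7 ]; then echo patched
    elif [ -z "$fixed" ]; then echo branch-not-listed
    elif [ "$patch" -ge "$fixed" ]; then echo patched
    else echo below-upstream-fix
    fi
}

# algif_aead_blocked [DIR]: exit 0 if a modprobe.d file carries the install rule.
algif_aead_blocked() {
    grep -Eqs '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/false' \
        "${1:-/etc/modprobe.d}"/*.conf
}

# algif_aead_loaded [FILE]: exit 0 if the module is loaded right now. The
# modprobe rule only stops future loads, so a loaded module needs unloading.
algif_aead_loaded() {
    grep -qs '^algif_aead ' "${1:-/proc/modules}"
}

running=$(uname -r)
echo "kernel $running: $(copyfail_status "$running")"
if algif_aead_blocked; then echo "modprobe rule: present"; else echo "modprobe rule: missing"; fi
if algif_aead_loaded; then echo "algif_aead: loaded"; else echo "algif_aead: not loaded"; fi
```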

Further Information: 

For detailed information on the vulnerability, please refer to the following sources:
https://ubuntu.com/security/CVE-2026-31431
https://git.kernel.org/linus/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5
https://www.suse.com/security/cve/CVE-2026-31431.html
https://security-tracker.debian.org/tracker/CVE-2026-31431
https://nvd.nist.gov/vuln/detail/CVE-2026-31431
https://copy.fail/ (Theori original writeup)

Trackers for common distros:

If you have any questions or require further assistance, please contact [email protected] or reach out to your Beeks account representative.

This advisory is issued to help ensure the security of your systems and prevent unauthorised access to sensitive data. Beeks remains committed to providing timely security information and support to safeguard your infrastructure.

Beeks will continue to monitor this, and other related vulnerabilities, and provide updates through our Security Advisory Feed.
