Copy Fail (CVE-2026-31431): The Nine-Year Linux Kernel Flaw That Hands Root to Any Attacker
A logic bug hiding in the Linux kernel for nine years can hand any local user root access in seconds — with a 732-byte Python script and no race condition required. CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities catalogue on 3 May 2026. If your business runs Linux servers, shared hosting, or cloud workloads, patch now.
Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.
A Nine-Year Kernel Bug Granted Root Access to Any Local User
On 29 April 2026, security researchers at Xint and Theori publicly disclosed CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel that has existed, undetected, since 2017. The researchers named it Copy Fail — a reference to the deterministic write primitive at the heart of the exploit. By 3 May, CISA had added it to its Known Exploited Vulnerabilities (KEV) catalogue, confirming active exploitation in the wild.
The vulnerability carries a CVSS v3.1 score of 7.8 (HIGH). On paper that sounds moderate compared to the wave of 9.x critical flaws that dominate security news, but the number understates the real-world risk. Copy Fail is a straight-line logic flaw — no race condition to win, no kernel address to guess, no heap spray to get right. An unprivileged local user runs a 732-byte Python script and has a root shell within seconds. Researchers at Theori confirmed the same exploit script worked across every major Linux distribution they tested.
The affected component is algif_aead, the AEAD (Authenticated Encryption with Associated Data) socket interface in the Linux kernel's userspace cryptographic API (AF_ALG). The specific bug lies inside the authencesn cryptographic template. A logic error in how the template handles a failed copy operation allows an attacker to write 4 controlled bytes into the page cache of any file the current user can read — including kernel-owned files. From there, the attacker overwrites a function pointer and achieves kernel-level code execution, which translates directly to root.
Affected distributions include Ubuntu (20.04 LTS and later), Red Hat Enterprise Linux, Debian, Fedora, Amazon Linux 2023, SUSE 16, AlmaLinux, and Rocky Linux — essentially any distribution shipping a kernel version released between 2017 and the patched releases in late April/early May 2026. Red Hat published security bulletin RHSB-2026-02 on 30 April. Ubuntu's security team had patches available on 1 May. CloudLinux, which provides the hardened kernels used by a large portion of the shared hosting industry, published a mitigation and patch timeline on the same day.
Why Copy Fail Is Directly Relevant to Australian Businesses and Website Owners
At first read, a local privilege escalation vulnerability might seem like a problem only for organisations running on-premise servers with multiple untrusted users. For large enterprises with a mature access-control model, the risk window is real but bounded. For Australian small and medium businesses, the threat surface is considerably wider.
The most concerning attack chain runs through shared web hosting — the infrastructure model used by a significant proportion of Australian small-business websites. Most shared Linux hosting environments use a layered isolation model: each customer account runs as a separate low-privileged operating system user (www-data or a per-account equivalent), with the web server process constrained from reading other customers' files. That isolation model is built on the assumption that an attacker who compromises one customer account cannot escalate beyond it. Copy Fail breaks that assumption entirely.
The realistic attack path looks like this: a threat actor identifies a known vulnerability in a WordPress plugin running on one customer's site — a common occurrence, given the volume of WordPress plugin advisories published each week. They exploit that plugin flaw to gain execution in the context of the web server process (typically running as www-data or an equivalent low-privilege user). From there, they run the Copy Fail exploit and obtain root on the host machine. Once root is achieved, the attacker has access to every other customer's files, databases, and credentials on that shared server. A single unpatched WordPress plugin on one site can become the entry point that exposes every site on the same physical or virtual host.
CloudLinux, whose hardened kernel and KernelCare live-patching product is used by a large number of Australian hosting providers, published specific mitigation guidance on 1 May 2026. However, not all providers use CloudLinux or have yet applied the patch. Australian website owners cannot assume their hosting environment has been secured simply because vendors have released fixes.
Beyond shared hosting, the vulnerability is directly relevant to any business running Linux virtual machines in cloud environments — including those hosted in AWS Sydney, Azure Australia East, or Google Cloud's Sydney and Melbourne regions. Cloud providers patch the underlying hypervisor and host OS, but virtual machines running inside those environments are the customer's responsibility. If your VMs are unpatched and a threat actor compromises a container or a web application running inside that VM, Copy Fail hands them root. CISA's addition to the KEV catalogue means organisations subject to Australian Government Information Security Manual (ISM) controls or the Critical Infrastructure Risk Management Program (CIRMP) should treat this as a mandatory patch priority.
Inside Copy Fail: How a Logic Error in the Crypto API Delivers Root
The AF_ALG Interface and authencesn
The Linux kernel exposes its internal cryptographic primitives to userspace programs through the AF_ALG socket interface. This lets user-mode applications use kernel-implemented algorithms — including AEAD ciphers like AES-GCM — without having to bundle their own cryptographic code. The algif_aead module is the kernel-side handler for that interface when AEAD algorithms are requested. Within it, the authencesn template combines a cipher and a MAC (message authentication code) in a specific authenticated encryption mode.
The bug, as documented in the NVD entry for CVE-2026-31431 and analysed by researchers at Wiz and Tenable, is a logic error in how authencesn handles the failure case of a copy operation. When an internal scatter-gather copy (scatterwalk_copychunks) fails partway through, the template is supposed to clean up and return an error. Instead, due to an incorrect branch in the failure path, it writes 4 attacker-controlled bytes into the kernel's page cache at a location derived from a readable file. Because the page cache backs real files on disk — including files in /proc — and because any user can open most system files for reading, this gives an unprivileged attacker a write primitive into memory that the kernel treats as authoritative.
Why There Is No Race Condition
Earlier Linux local privilege escalation vulnerabilities like Dirty Cow (CVE-2016-5195) and Dirty Pipe (CVE-2022-0847) required an attacker to win a race condition — a timing-sensitive competition between two concurrent kernel code paths. Copy Fail involves no such competition. The failure path that triggers the write is deterministic: if you pass the right inputs to authencesn, it always mishandles the cleanup. The 4-byte write always lands where the attacker intends it to. This determinism means the exploit is reliable across distributions and kernel versions — the Theori team's published proof-of-concept works on every affected distribution without modification.
From Write Primitive to Root Shell
Four controlled bytes written to the page cache is not, by itself, arbitrary code execution. The exploit completes the chain by targeting a specific in-memory function pointer that is backed by a file in the page cache. By writing the address of an attacker-controlled function over that pointer, and then causing the kernel to invoke it (which happens naturally as part of process scheduling), the attacker achieves kernel-mode code execution. From kernel mode, disabling privilege checks and spawning a root shell takes a handful of additional instructions. The Theori PoC compresses all of this into 732 bytes of Python.
Scope of Affected Systems
The authencesn template was introduced in the Linux kernel in 2017 and has been present in every upstream release since. Red Hat's security bulletin notes that the flaw affects RHEL 8, 9, and 10 branches, with patches available for RHEL 10.1 and backports underway for older releases. Ubuntu's security team confirmed patched kernels for Ubuntu 22.04 LTS and 24.04 LTS are available. Debian, Fedora, Amazon Linux 2023, SUSE 16, AlmaLinux, and Arch Linux all confirmed patches in late April and early May 2026. Notably, the algif_aead module loads automatically on most configurations; administrators who believe they have restricted module loading should verify whether the module is present in their running kernel using lsmod | grep algif_aead.
What to Do Now: Patching, Mitigation, and Application-Layer Protection
Update your kernel immediately. If you manage Linux servers directly, this is not optional. On Debian/Ubuntu-based systems:
sudo apt update && sudo apt full-upgrade
sudo reboot
On RHEL/CentOS/AlmaLinux/Rocky Linux systems:
sudo dnf update kernel
sudo reboot
After rebooting, verify the running kernel with uname -r and confirm it matches a patched version listed in the vendor's advisory. A reboot is mandatory — the kernel cannot be replaced in memory on a running system without live-patching tools, and simply updating the package without rebooting leaves the vulnerable kernel active.
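The two checks the post asks for after a reboot (is the running kernel at or above the vendor's fixed version, and is algif_aead present) are easy to get subtly wrong: lsmod only lists loadable modules, so a kernel built with CONFIG_CRYPTO_USER_API_AEAD=y carries the same code without ever showing it, and a naive string comparison of uname -r ignores the distribution build number where the fix actually lands. The script below is an added example, not code from the original post or from any vendor advisory. It assumes the advisory's first fixed version is supplied through the PATCHED_MIN variable (a placeholder here), reads /proc/modules and /boot/config-$(uname -r) by default, and accepts alternative file paths so it can be exercised against constructed input.

```shell
#!/bin/sh
# Added post-patch verification helper (example code, not from the original
# post or any distribution's advisory). PATCHED_MIN is a placeholder: set it
# to the first fixed kernel version named in your vendor's advisory.
PATCHED_MIN="${PATCHED_MIN:-SET-ME}"

# Return 0 when kernel version string $1 is >= $2.
# Versions are split on '.' and '-' so the distro build number (the 58 in
# 6.8.0-58-generic, the 570.12.1 in 5.14.0-570.12.1.el9_6) takes part in the
# comparison; non-numeric parts such as "generic" or "el9_6" count as 0.
# A trailing '.' guarantees cut always sees a delimiter.
version_ge() {
    a=$(printf '%s.' "$1" | tr '-' '.')
    b=$(printf '%s.' "$2" | tr '-' '.')
    i=1
    while [ "$i" -le 8 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        case $x in ''|*[!0-9]*) x=0 ;; esac
        case $y in ''|*[!0-9]*) y=0 ;; esac
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Report how algif_aead is present on this host:
#   module  - currently loaded as a module (what lsmod would show)
#   builtin - compiled into the kernel (CONFIG_CRYPTO_USER_API_AEAD=y),
#             so lsmod never lists it although the code is there
#   absent  - neither loaded nor built in right now (it can still autoload
#             on the first AF_ALG AEAD request, as the post notes)
# $1 and $2 override the modules list and kernel config file for testing.
algif_aead_state() {
    modules_file="${1:-/proc/modules}"
    config_file="${2:-/boot/config-$(uname -r)}"
    if [ -r "$modules_file" ] && grep -q '^algif_aead ' "$modules_file"; then
        echo module
        return 0
    fi
    if [ -r "$config_file" ] && grep -q '^CONFIG_CRYPTO_USER_API_AEAD=y' "$config_file"; then
        echo builtin
        return 0
    fi
    echo absent
}

# One-line verdict per check. Never exits non-zero, so it is safe to source.
# Note: live patching (e.g. KernelCare) does not change uname -r; on those
# hosts use the vendor's own status tool (kcarectl --info) instead.
report() {
    running=$(uname -r)
    if [ "$PATCHED_MIN" = "SET-ME" ]; then
        printf 'kernel %s: set PATCHED_MIN from your vendor advisory to compare\n' "$running"
    elif version_ge "$running" "$PATCHED_MIN"; then
        printf 'kernel %s: at or above %s\n' "$running" "$PATCHED_MIN"
    else
        printf 'kernel %s: OLDER than %s -> reboot into the patched kernel\n' "$running" "$PATCHED_MIN"
    fi
    printf 'algif_aead: %s\n' "$(algif_aead_state)"
}

report
```

Run it as PATCHED_MIN=<version from the advisory> sh check-kernel.sh on each host after the reboot. An "absent" result is only a snapshot of the current module table, not evidence that the interface is unreachable; the running kernel version is what decides whether the host is fixed.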
If you use CloudLinux: KernelCare live patches were published on 1 May 2026. For hosting environments where a reboot is disruptive, KernelCare applies the kernel patch without downtime. Check your CloudLinux partner dashboard or run kcarectl --update to apply available patches, and verify with kcarectl --info that the Copy Fail patch is applied.
Ask your hosting provider. If your website sits on shared or managed hosting, you may not have direct access to patch the underlying kernel yourself. Contact your hosting provider and ask explicitly whether they have applied the Copy Fail patch (CVE-2026-31431). A reputable provider should be able to answer within 24 hours. If they cannot confirm patch status, treat the environment as potentially vulnerable and apply the mitigations below.
Harden the application layer on your WordPress site. The realistic Copy Fail attack chain starts with a compromised web application — not with a user already logged in to your server. An attacker needs to gain that initial foothold (typically by exploiting a vulnerable plugin or theme) before they can run the privilege escalation exploit. Reducing the probability of that first step is the practical lever you control as a website owner, regardless of whether your host has patched.
A web application firewall (WAF) positioned in front of your site intercepts and blocks common exploitation attempts — including SQLi, file inclusion, and remote code execution attempts against WordPress plugins — before they reach your web application. Sucuri's cloud WAF sits between your domain and your origin server, filtering malicious traffic using rules that are updated continuously as new plugin vulnerabilities are disclosed. For a shared hosting environment where you cannot independently verify that CVE-2026-31431 has been patched, preventing the initial compromise at the application layer is a meaningful partial mitigation — if an attacker can't get a shell via your web application, Copy Fail never enters the picture.
Sucuri's scanner also performs periodic integrity checks on your WordPress files, alerting you if unexpected files appear or if known malware signatures are detected. This is relevant post-Copy Fail because if an attacker did achieve root on a shared server before patches were applied, the first thing they typically do is install a backdoor or web shell at the filesystem level — exactly the kind of artefact Sucuri's server-side scanner is designed to detect.
What Copy Fail Tells Us About Patch Management and Layered Defence
Copy Fail sits alongside Dirty Cow and Dirty Pipe in the short list of Linux kernel local privilege escalation vulnerabilities significant enough to earn a nickname and widespread press coverage. What distinguishes it from most members of that club is not just reliability — it is the nine-year dwell time. A flaw introduced in 2017 reached patched distributions in 2026 only because researchers happened to look at that code path. It was not the result of a systematic audit of the AF_ALG interface. The implication is that other nine-year-old bugs almost certainly exist in adjacent code paths, and their disclosure schedule is unpredictable.
This reality is what makes the Essential Eight's patch management control — Maturity Level 1 requires patching "internet-facing services" within two weeks of a patch becoming available, and Maturity Level 2 requires patching all operating systems within one month — specifically relevant to Copy Fail. An organisation operating at ML2 that maintains its patch currency would have a narrow window of exposure between the 29 April disclosure and the availability of patched kernels. An organisation where servers go unpatched for months, or where patch verification is inconsistent, may still be running vulnerable kernels today.
For Australian small businesses and website owners, the practical takeaway from Copy Fail is not simply "patch the kernel this week." It is that the threat model for a WordPress site on shared hosting includes the server infrastructure itself — not just the WordPress application layer. A compromise can originate from another tenant's unpatched plugin, escalate through a kernel vulnerability your host hasn't patched, and result in the attacker having root access to your site's files and database credentials without ever directly targeting you. You are downstream of decisions made by your hosting provider and by every other customer on the same physical host.
Layered defence accounts for this by not treating any single control as sufficient. The kernel patch addresses the privilege escalation step. Keeping WordPress, plugins, and themes updated reduces the probability of the initial foothold. A WAF such as Sucuri adds an application-layer filter that catches exploitation attempts before they reach the web server process. Regular malware scanning catches post-compromise indicators early enough that you can identify and contain an incident before it progresses to data exfiltration or ransomware deployment. Offsite backups ensure that even a full-compromise event doesn't mean permanent data loss.
None of these controls individually guarantees safety. Together, they compress the attacker's available window at each stage of a realistic attack chain. Copy Fail is a reminder that the infrastructure underlying your website is part of your security posture — and that asking your hosting provider hard questions about patch status is as legitimate a security practice as keeping your own software updated. Patch the systems you control, verify your WordPress site has no known-vulnerable plugins, and ensure your application layer has monitoring in place before the next kernel disclosure arrives.
The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.