This critical Linux vulnerability is putting millions of systems at risk - how to protect yours
Written by Jack Wallen, Contributing Writer
May 5, 2026 at 7:47 a.m. PT
ZDNET key takeaways
- Copy Fail is a dangerous Linux vulnerability.
- This flaw makes gaining root access easy for attackers.
- Copy Fail affects millions of Linux systems.
CVE-2026-31431, also known as Copy Fail, is a critical Linux kernel vulnerability that's been hiding out since 2017 and is now getting the security spotlight it deserves.
Oftentimes, Linux vulnerabilities can be a bit overblown, but not in this case. Copy Fail is serious business and should be considered an issue that must be mitigated.
What is Copy Fail?
Let's talk about Copy Fail in terms that anyone can understand.
Imagine your computer's memory as a chalkboard, where a teacher keeps track of your grades in real time. You don't allow students to use either chalk or erasers, so they can't change their grades. The "Copy Fail" vulnerability is like a sneaky student who somehow gains access to an eraser and chalk, and he changes just his grade while you're not looking.
Essentially, Copy Fail is a flaw in the Linux system responsible for handling the security of certain types of data. The flaw allows an attacker with basic access to a system to alter a crucial piece of data in the computer's RAM. Once the change is made, the altered data can trick the system into thinking that the attacker is the root user, granting the attacker full control of the system.
Think of it this way: A janitor takes the nameplate from the boss's office and slaps it on the wall beside his closet so everyone thinks he is the boss.
That's Copy Fail.
A difference between Copy Fail and other vulnerabilities that have hit Linux is that this one doesn't require specific timing or certain events to happen in an exact order. It's much easier, and its effects can be devastating.
A bit more detail
For those who want a bit more detail about Copy Fail: It abuses the AF_ALG socket interface and the splice() system call to overwrite a mere 4 bytes in the kernel's page cache for any readable file. Attackers can then modify the in-memory copies of setuid binaries, such as the su command, to gain root access.
Copy Fail is different from "race condition" exploits because it's a stable, straight-line vulnerability that doesn't require timing-dependent retries to elevate permissions.
Copy Fail affects all Linux kernels from 4.14 to 6.19.12. You read that right: kernels from 2017 to the present.
According to the Xint Code Research Team, "This finding was AI-assisted, but began with an insight from Theori researcher Taeyang Lee, who was studying how the Linux crypto subsystem interacts with page-cache-backed data. He used Xint Code to scale his research across the entire crypto subsystem, and Copy Fail was the most critical finding in the report."
How to avoid Copy Fail
The easiest way to mitigate the Copy Fail Linux vulnerability is to update your kernel to the latest version. To find out if your kernel has been patched against Copy Fail, issue the following command:
dpkg -l kmod
grep -qE '^algif_aead ' /proc/modules && echo "Affected module is loaded" || echo "Affected module is NOT loaded"
If your kernel has been patched, you'll see "Affected module is NOT loaded." If your kernel has not been patched, you'll see "Affected module is loaded." If you run into the latter, make sure to update your system and rerun the command. If, after an update, your system is still not patched, you can disable the algif_aead module with the command:
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
You can then unload the module with:
rmmod algif_aead
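A fuller version of the check above, as an added example that is not part of the original article: it reports separately whether the running kernel falls in the article's affected range (4.14 to 6.19.12), whether algif_aead is loaded, and whether the modprobe.d rule is in place. The function names are illustrative, and because distributions backport fixes, an in-range version number is a prompt to check your vendor's advisory rather than proof that the kernel is unpatched.

```shell
#!/bin/sh
# Added example (not from the article): Copy Fail (CVE-2026-31431) exposure check.
# The affected range is the one the article states; function names are illustrative.
AFFECTED_MIN=4.14
AFFECTED_MAX=6.19.12

# "6.8.0-45-generic" -> 6008000 (major*1000000 + minor*1000 + patch)
ver_num() {
  v=${1%%[!0-9.]*}                      # drop the distro suffix ("-45-generic")
  IFS=. read -r maj min pat _ <<EOF
$v
EOF
  echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# True when the version lies inside the article's affected range (inclusive).
kernel_in_affected_range() {
  n=$(ver_num "$1")
  [ "$n" -ge "$(ver_num "$AFFECTED_MIN")" ] && [ "$n" -le "$(ver_num "$AFFECTED_MAX")" ]
}

# $1: a file in /proc/modules format. True when algif_aead is loaded right now.
module_loaded() { grep -qsE '^algif_aead ' "$1"; }

# $1: a modprobe.d directory. True when the article's install rule is present.
module_blocked() {
  grep -qsE '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/false' "$1"/*.conf
}

# Args: kernel version, modules file, modprobe.d directory.
# Prints one of: out-of-range | loaded | blocked | loadable
copyfail_state() {
  if ! kernel_in_affected_range "$1"; then echo out-of-range
  elif module_loaded "$2"; then echo loaded     # still needs rmmod, rule or not
  elif module_blocked "$3"; then echo blocked   # not loaded and the rule is in place
  else echo loadable                            # not loaded now, but no rule stops a later load
  fi
}

echo "Copy Fail state: $(copyfail_state "$(uname -r)" /proc/modules /etc/modprobe.d)"
```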
You now know enough about Copy Fail to stay protected.