TL;DR: A high-severity local privilege escalation vulnerability in the Linux kernel has been publicly disclosed with a working exploit. Patches are available now for Rocky Linux 8.10, 9.7, and 10.1. Update your kernel and reboot.
What happened
On April 29, security researchers from Theori disclosed a Linux kernel vulnerability they named CopyFail, tracked as CVE-2026-31431. The flaw has been present in essentially every mainstream Linux kernel built since 2017.
The bug sits in the kernel’s algif_aead module – the AEAD socket interface of the userspace crypto API (AF_ALG). A logic flaw in authencesn, chained through AF_ALG and the splice() system call, allows an unprivileged local user to perform a controlled 4-byte write into the page cache. By corrupting the in-memory copy of a setuid binary like /usr/bin/su – without touching anything on disk – an attacker can escalate to root in seconds.
What makes this one stand out: the 732-byte Python proof-of-concept requires no race conditions, no per-distribution tuning, and no special privileges. The same script works unmodified across distributions. File integrity tools won’t catch it because nothing on disk changes. This makes it especially dangerous on multi-tenant hosts, Kubernetes nodes, and CI/CD runners where a shared page cache means one compromised workload can threaten the whole node.
The researchers have published the exploit publicly. Treat this as actively exploitable.
How to fix it
Patches are available now for all supported Rocky Linux releases. Run the following and reboot:
```bash
sudo dnf --refresh update 'kernel*'
sudo reboot
```
That’s it. The --refresh flag makes dnf re-fetch repository metadata instead of trusting its cache, so the new kernel build shows up immediately without re-downloading packages you already have.
Patched kernel versions:
- Rocky Linux 8.10: kernel-4.18.0-553.123.1.el8_10 and above
- Rocky Linux 9.7: kernel-5.14.0-611.54.1.el9_7 and above
- Rocky Linux 10.1: kernel-6.12.0-124.55.1.el10_1 and above
Confirm your running kernel after reboot with uname -r.
A note on the algif_aead module
You may have seen advice elsewhere to disable algif_aead via rmmod or a modprobe.d entry as an interim workaround. On Rocky Linux, that approach does not apply – algif_aead is compiled directly into the kernel image (CONFIG_CRYPTO_USER_API_AEAD=y), not shipped as a loadable module. The correct fix is the kernel update above.
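A small check script for the two points above, added here as an example and not a Rocky Linux or Theori tool: it compares a kernel build string (as printed by uname -r) against the patched builds listed in this post, field by field, and reads how CONFIG_CRYPTO_USER_API_AEAD is set in a kernel config so you can see for yourself that algif_aead is built in rather than a module. The version thresholds are the ones from the advisory; the function names and the sample kernel strings and config lines are constructed for illustration.

```shell
#!/bin/sh
# Added example for this advisory (not Rocky Linux tooling). Checks whether a
# kernel build string is at or above the CopyFail-patched build for its
# release, and reports how CONFIG_CRYPTO_USER_API_AEAD is set in a config.
# Thresholds come from the advisory; sample inputs are constructed.

# Minimum patched kernel build per Rocky Linux release (from the advisory).
patched_min_for_release() {
    case "$1" in
        8.10) echo "4.18.0-553.123.1.el8_10" ;;
        9.7)  echo "5.14.0-611.54.1.el9_7" ;;
        10.1) echo "6.12.0-124.55.1.el10_1" ;;
        *)    return 1 ;;
    esac
}

# Infer the release from the kernel's dist tag (el8_10, el9_7, el10_1).
release_from_kernel() {
    case "$1" in
        *.el8_10*) echo "8.10" ;;
        *.el9_7*)  echo "9.7" ;;
        *.el10_1*) echo "10.1" ;;
        *)         return 1 ;;
    esac
}

# Return 0 if kernel build $1 >= $2, comparing the numeric fields of
# X.Y.Z-A.B.C one at a time (dist tag and arch suffix are dropped first).
version_ge() {
    a=$(printf '%s\n' "$1" | sed 's/\.el.*$//; s/[.-]/ /g')
    b=$(printf '%s\n' "$2" | sed 's/\.el.*$//; s/[.-]/ /g')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}; y=${b%% *}
        case "$a" in *' '*) a=${a#* } ;; *) a='' ;; esac
        case "$b" in *' '*) b=${b#* } ;; *) b='' ;; esac
        x=${x:-0}; y=${y:-0}          # a missing trailing field counts as 0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Print "patched", "vulnerable" or "unknown" for a kernel build string.
patch_status() {
    rel=$(release_from_kernel "$1") || { echo unknown; return 0; }
    min=$(patched_min_for_release "$rel")
    if version_ge "$1" "$min"; then echo patched; else echo vulnerable; fi
}

# Read kernel config text on stdin and print how the AEAD userspace API is
# built: "y" (built in, so rmmod/modprobe.d do not apply), "m" (loadable
# module), "n" (explicitly disabled) or "unset" (option not present).
aead_api_build_mode() {
    line=$(grep -E '^(# )?CONFIG_CRYPTO_USER_API_AEAD( is not set|=.*)$' | head -n1)
    case "$line" in
        CONFIG_CRYPTO_USER_API_AEAD=y) echo y ;;
        CONFIG_CRYPTO_USER_API_AEAD=m) echo m ;;
        "# CONFIG_CRYPTO_USER_API_AEAD is not set") echo n ;;
        *) echo unset ;;
    esac
}

# Report on the live host: running kernel status, plus the config option
# when the distribution ships /boot/config-<version>.
report() {
    k=$(uname -r)
    echo "kernel $k: $(patch_status "$k")"
    cfg="/boot/config-$k"
    if [ -r "$cfg" ]; then
        echo "CONFIG_CRYPTO_USER_API_AEAD: $(aead_api_build_mode < "$cfg")"
    fi
}

report
```

Run it after the reboot: "patched" means the running kernel is at or above the build listed for your release, "vulnerable" means the update has not taken effect yet (a common cause is updating without rebooting), and "unknown" means the kernel is not an el8_10, el9_7 or el10_1 build this post covers. On Rocky Linux the config line will read y, which is why the rmmod advice circulating elsewhere does not apply here.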
Thank you
Thanks to Brian Pak and the team at Xint Code (Theori) for finding this, handling coordinated disclosure responsibly, and publishing a thorough technical write-up. If you want to understand exactly how a single logic bug becomes a fully reliable privilege escalation, their write-up is worth your time.
Additional reading
- copy.fail – Researcher disclosure site with technical details and the proof-of-concept
- Xint Code technical write-up – Full root cause analysis and exploit mechanics
- CVE-2026-31431 on NVD – Official CVE record
- GitHub: theori-io/copy-fail-CVE-2026-31431 – Exploit source and issue tracker
- Ars Technica coverage – Broader context on industry response