CVE Reports

Originally published at cvereports.com

CVE-2026-31431: Local Privilege Escalation via Page Cache Corruption in Linux Kernel AF_ALG

Vulnerability ID: CVE-2026-31431
CVSS Score: 7.8
Published: 2026-04-22

CVE-2026-31431, colloquially known as "Copy Fail," is a critical logic flaw in the Linux kernel's Cryptographic API (specifically the algif_aead module). It allows an unprivileged local user to perform a deterministic, controlled 4-byte write into the read-only page cache of any accessible file on the system. By corrupting the in-memory representation of SUID binaries, an attacker achieves local privilege escalation to the root user and can successfully escape containerized environments.

TL;DR

A logic flaw in the Linux kernel's AF_ALG socket interface allows unprivileged users to overwrite the page cache of SUID binaries via the splice() system call, yielding deterministic Local Privilege Escalation (LPE) and container escapes.

⚠️ Exploit Status: WEAPONIZED

Technical Details

  • CWE ID: CWE-669
  • Attack Vector: Local
  • CVSS Score: 7.8
  • EPSS Score: 0.00008
  • Impact: Privilege Escalation / Container Escape
  • Exploit Status: Weaponized PoC Available
  • CISA KEV Status: Not Listed

Affected Systems

  • Linux Kernel 4.14 through 6.18.22
  • Linux Kernel 6.19.0 through 6.19.12
  • Ubuntu 24.04 LTS (6.17.0-1007-aws)
  • Amazon Linux 2023 (6.18.8-9.213.amzn2023)
  • RHEL 10.1 (6.12.0-124.45.1.el10_1)
  • SUSE 16 (6.12.0-160000.9-default)

Code Analysis

Fix commit: a664bf3 (crypto: algif_aead - Remove in-place operation optimization)

Exploit Details

  • GitHub (Theori): 732-byte Python script for Local Privilege Escalation via /usr/bin/su modification

Mitigation Strategies

  • Apply the official vendor kernel patch incorporating commit a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5.
  • Disable the algif_aead kernel module via modprobe configuration.
  • Implement Auditd rules to monitor for unprivileged AF_ALG socket creation and splice system calls.

Remediation Steps:

  1. Verify the current kernel version using uname -r.
  2. Create a modprobe override file: echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf.
  3. Attempt to unload the active module: rmmod algif_aead 2>/dev/null || true.
  4. Apply distribution-specific package updates (e.g., apt update && apt upgrade linux-image-generic).
  5. Reboot the system to ensure the patched kernel is active and the page cache is flushed.
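The following is an added example, not part of the CVE Reports post, that turns the mitigation strategies and remediation steps above into a small POSIX shell script: it compares a kernel release string against the two affected ranges listed in this report, writes the modprobe override from step 2, and writes auditd rules for the AF_ALG socket creation and splice() monitoring suggested under Mitigation Strategies. Assumptions that are mine rather than the report's: AF_ALG is protocol family 38 (from the kernel's include/linux/socket.h), the rules target x86_64 (arch=b64), and auid>=1000 stands for an ordinary logged-in user; all function names are hypothetical. A bare version comparison cannot tell whether a distribution kernel such as RHEL's 6.12.0-124.45.1.el10_1 carries a backported fix, so treat the check as a first pass and confirm against the vendor advisory and package changelog.

```sh
#!/bin/sh
# Added example (not from the CVE Reports post): helper functions implementing the
# report's remediation steps and detection suggestion for CVE-2026-31431.
# Assumptions (mine, not the report's): AF_ALG == 38 per include/linux/socket.h,
# x86_64 audit arch, auid>=1000 == ordinary user. Function names are hypothetical.

# Reduce a kernel release such as "6.17.0-1007-aws" or "6.12.0-124.45.1.el10_1"
# to its bare major.minor.patch prefix, padding missing components with 0.
kernel_base_version() {
    base=$(printf '%s' "$1" | sed -E 's/^([0-9]+(\.[0-9]+){0,2}).*/\1/')
    case "$base" in
        *.*.*) ;;
        *.*)   base="$base.0" ;;
        *)     base="$base.0.0" ;;
    esac
    printf '%s\n' "$base"
}

# Print -1, 0 or 1 according to a numeric component-wise comparison of two releases.
vercmp() {
    a=$(kernel_base_version "$1"); b=$(kernel_base_version "$2")
    a1=${a%%.*}; rest=${a#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${b%%.*}; rest=${b#*.}; b2=${rest%%.*}; b3=${rest#*.}
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then echo -1; return 0; fi
        if [ "$1" -gt "$2" ]; then echo 1; return 0; fi
    done
    echo 0
}

# True (exit 0) when RELEASE falls in either range the report lists as affected:
# 4.14 .. 6.18.22 or 6.19.0 .. 6.19.12. A distro kernel may carry a backported fix
# without changing these numbers, so confirm against the vendor advisory as well.
kernel_is_affected() {
    v=$1
    if [ "$(vercmp "$v" 4.14)" -ge 0 ] && [ "$(vercmp "$v" 6.18.22)" -le 0 ]; then return 0; fi
    if [ "$(vercmp "$v" 6.19.0)" -ge 0 ] && [ "$(vercmp "$v" 6.19.12)" -le 0 ]; then return 0; fi
    return 1
}

# True when algif_aead is currently loaded (decides whether step 3's rmmod is needed).
algif_aead_loaded() {
    grep -q '^algif_aead ' /proc/modules 2>/dev/null
}

# Step 2 of the report: an install override so any load request for algif_aead runs
# /bin/false. DIR is /etc/modprobe.d on a real host; a temp dir is used below so the
# demo needs no root.
write_modprobe_override() {
    f="$1/disable-algif.conf"
    printf 'install algif_aead /bin/false\n' > "$f"
    printf '%s\n' "$f"
}

# Detection rules for the report's auditd suggestion. The splice rule is high volume
# on a busy host and is mainly useful when correlated with the AF_ALG key.
write_audit_rules() {
    f="$1/cve-2026-31431.rules"
    cat > "$f" <<'EOF'
## socket(AF_ALG=38, ...) by a non-system user
-a always,exit -F arch=b64 -S socket -F a0=38 -F auid>=1000 -F auid!=unset -k af_alg_socket
## splice() by a non-system user
-a always,exit -F arch=b64 -S splice -F auid>=1000 -F auid!=unset -k splice_call
EOF
    printf '%s\n' "$f"
}

# One-line verdict for a release string.
report() {
    if kernel_is_affected "$1"; then
        printf 'kernel %s (%s): within an affected range, patch and apply the override\n' "$1" "$(kernel_base_version "$1")"
    else
        printf 'kernel %s (%s): outside the ranges this report lists\n' "$1" "$(kernel_base_version "$1")"
    fi
}

# Stand-alone run: check the running kernel, then write both files into a temp dir.
report "$(uname -r 2>/dev/null || echo 6.18.8-9.213.amzn2023)"  # fallback: a release from the report's list
if algif_aead_loaded; then echo "algif_aead is loaded; rmmod it once the override is in place"; fi
tmp=$(mktemp -d)
echo "wrote $(write_modprobe_override "$tmp") and $(write_audit_rules "$tmp")"
echo "copy them to /etc/modprobe.d/ and /etc/audit/rules.d/, then run augenrules --load"
rm -rf "$tmp"
```

On a real host, copy the two generated files to /etc/modprobe.d/ and /etc/audit/rules.d/, reload the rules with augenrules --load, and review hits with ausearch -k af_alg_socket. The splice rule also fires for ordinary file copying, so triage it alongside the AF_ALG key rather than on its own.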
