
Cybersecurity researchers have revealed details of a Linux local privilege escalation (LPE) flaw that could allow unprivileged local users to gain root.
This high-severity vulnerability, tracked as CVE-2026-31431 (CVSS score: 7.8), has been codenamed Copy Fail by Xint.io and Theori.
“An unprivileged local user can write a controlled 4 bytes to the page cache of a readable file on a Linux system and use it to gain root,” the Xint.io and Theori vulnerability research team said.
The vulnerability stems from a logic flaw in the Linux kernel’s cryptographic subsystem, specifically the algif_aead module. The issue was introduced in a source code commit made in August 2017.
Successful exploitation of this flaw could allow a simple 732-byte Python script to edit a setuid binary and gain root on almost any Linux distribution shipped since 2017, including Amazon Linux, RHEL, SUSE, and Ubuntu. The Python exploit involves four steps.
1. Open an AF_ALG socket and bind it to authencesn(hmac(sha256),cbc(aes)).
2. Build the shellcode payload.
3. Trigger a write to the kernel’s cached copy of ‘/usr/bin/su’.
4. Call execve(“/usr/bin/su”) to load the injected shellcode and run it as root.
Although the vulnerability cannot be exploited remotely on its own, a local unprivileged user can gain root simply by corrupting the page cache of a setuid binary. The same primitive also has cross-container implications, because the page cache is shared by all processes on the system.

In response to this disclosure, Linux distributions released their own advisories.
Copy Fail mirrors another Linux kernel LPE vulnerability, Dirty Pipe (CVE-2022-0847), which allows an unprivileged user to inject data into the page cache of read-only files and ultimately overwrite sensitive files on the system and potentially execute code.
“Copy failures are primitives of the same class in different subsystems,” said David Brumley of Bugcrowd. “A 2017 in-place optimization in algif_aead allows page cache pages to enter the kernel’s writable destination scatter list for AEAD operations sent over an AF_ALG socket. An unprivileged process can then dispatch a splice() to that socket and complete a small, targeted write to the page cache for a file it does not own.”
What makes this vulnerability dangerous is that it can be triggered reliably and does not require a race condition or kernel offset. Additionally, the same exploit works across distributions.
“This vulnerability is unique because it has four characteristics that rarely appear together: portability, small size, stealth, and cross-container nature,” a Xint.io spokesperson told The Hacker News in a statement. “This enhances the privileges of all user accounts, no matter how low-level, to full administrative access. It also allows sandboxing to be bypassed and works on all Linux versions and distributions.”
