Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years Threat Research Center High Profile Threats Vulnerabilities Vulnerabilities min read Related Products Cortex Cortex Cloud Cortex XDR Cortex XSIAM Unit 42 Incident Response By: Justin Moore Published: May 5, 2026 Categories: High Profile Threats Vulnerabilities Tags: Containers CVE-2026-31431 Kubernetes Linux Local privilege escalation Page cache Vulnerability Executive Summary On April 29, 2026, researchers publicly disclosed a highly reliable local privilege escalation (LPE) vulnerability tracked as CVE-2026-31431 .
This vulnerability is commonly referred to as Copy Fail. Discovered in about an hour through an AI-assisted process , this logic flaw allows an unprivileged local attacker to consistently escalate their access to root across virtually all major Linux distributions released since 2017. Unlike many kernel vulnerabilities, this logic flaw is deterministic, meaning it does not rely on race conditions or specific kernel offsets.
A single 732-byte Python script can successfully exploit it without any modification across different Linux distributions. The vulnerability originates in the Linux kernel's cryptographic subsystem, specifically within the algif_aead module of the AF_ALG interface (a user space crypto API). Rather than a single coding error, the flaw resulted from a combination of three independent updates: The addition of the authencesn algorithm in 2011 interface gaining AEAD support in 2015 A fatal in-place optimization introduced in 2017 During cryptographic operations, an in-place optimization bug causes the algorithm to use the destination buffer improperly, writing four controlled bytes past the legitimate region directly into the system's file page cache.
Impacted versions include Linux kernels between 4.14 and 6.19.12. This vulnerability affects millions of systems running mainstream distributions such as Ubuntu , Amazon Linux, Red Hat Enterprise Linux , Debian , SUSE and AlmaLinux. An attacker with standard local access can exploit this vulnerability to maliciously modify the in-memory cache of privileged executable files (like sudo ) without alerting integrity checks, as the physical files on disk remain unchanged.
Because the kernel and its page cache are shared across an entire node, this flaw allows attackers to: Easily break out of Kubernetes containers Overtake multi-tenant hosts Compromise continuous integration and continuous delivery (CI/CD) pipelines We strongly urge organizations to patch their systems immediately by applying vendor-issued kernel updates. Palo Alto Networks customers receive protections from and mitigations for CVE-2026-31431 through the following products: Next-Generation Firewall with Advanced Threat Prevention Cortex Cloud Cortex XDR XSIAM The Linux Foundation has posted an advisory with mitigation details for CVE-2026-314331.
Palo Alto Networks highly recommends applying vendor-issued kernel updates immediately. If this option is not feasible, we recommend following interim mitigation guidance to disable the vulnerable module until patches can be applied. Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk. Vulnerabilities Discussed CVE-2026-31431 Details of CVE-2026-31431 The vulnerability tracked as CVE-2026-31431, known as Copy Fail, is a deterministic logic flaw located in the Linux kernel's cryptographic subsystem, specifically within the interface.
The Root Cause The flaw originates from a buggy in-place optimization introduced to the Linux kernel in 2017 (commit 72548b093ee3 ) for AEAD encryption. This 2017 in-place optimization specifically caused req->src req->dst to point to a combined scatterlist. Because of this, the page cache pages from the splice() call were improperly chained directly into the writable destination scatterlist. During cryptographic operations, the algorithm improperly uses the caller's destination buffer as a scratch pad.
Because of this, it writes four controlled bytes past the legitimate output region, crossing a chained scatterlist boundary, and fails to restore them. The patch (commit a664bf3d603d ) fixes this by reverting the module to out-of-place operation, separating the source and destination scatterlists so that the page cache pages remain strictly in the read-only source. Mechanism of Action An unprivileged attacker can exploit this memory handling error by misusing the interaction between the socket interface and the system call.
When hands page-cache pages into the crypto subsystem, the vulnerability allows the attacker to direct that four-byte overwrite straight into the kernel's file page cache. algorithm is used for IPsec extended sequence number (ESN) support and uses the destination buffer as a scratch pad to rearrange these sequence numbers. The attacker controls the exact four-byte overwrite value by supplying the seqno_lo (the low half of the sequence number) inside bytes 4–7 of the Associated Authenticated Data (AAD) during the sendmsg() call.
Exploitation Via the Page Cache The page cache is the temporary in-memory copy of a file that the kernel reads when it loads a binary for execution. An attacker can leverage the four-byte overwrite to target the page cache of any readable setuid-root binary, such as /usr/bin/su , sudo passwd . The attacker controls exactly where the overwrite happens by manipulating the splice offset, the splice length and the assoclen (associated length) parameters.
This allows them to specifically target the .text section of a setuid binary like /usr/bin/su to inject their shellcode. Privilege escalation : Modifying the cached copy of the binary alters its execution context. When the binary is executed, it grants the attacker superuser (UID 0 ) privileges, effectively breaking the kernel's trust boundaries. Stealth : Because this corruption occurs entirely in the system's RAM, the physical file on the disk remains completely unmodified.
This bypasses traditional virtual file system (VFS) paths and file integrity monitoring tools. Once the page is evicted from memory or the system reboots, the cache reloads clean from the disk, leaving no trace of the compromise. Exploit Characteristics What makes Copy Fail exceptionally severe compared to previous Linux LPE vulnerabilities like Dirty Cow Dirty Pipe is its reliability and simplicity: No race conditions or offsets : It is a straight-line logic flaw that does not rely on winning a race condition window or guessing kernel-specific memory offsets. 100% reliability : The exploit is deterministic and fires successfully on the first attempt.
High portability : The exploit can be executed using a standalone 732-byte Python script that relies solely on standard libraries (os, socket, zlib), meaning no compilation or external dependencies are required. This same script works unmodified across virtually all major Linux distributions shipped since 2017. Interim Guidance for CVE-2026-31431 The vulnerability has been resolved in upstream Linux kernel stable branches by reverting the flawed 2017 optimization ( commit a664bf3d603d ).
If immediate patching is not possible, administrators should implement an interim mitigation by disabling the affected module. This can be accomplished by running the following commands as root to block the module's loading and remove it from the kernel: echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf rmmod algif_aead with mitigation details for CVE-2026-314331. Unit 42 Managed Threat Hunting Queries The Unit 42 Managed Threat Hunting team continues to track any attempts to exploit this CVE across our customers, using Cortex XDR and the XQL queries below.
Cortex XDR customers can also use these XQL queries to search for signs of exploitation. // Title: CopyFail Detection via Non-root Launching su via Uncommon Parent Process // Description: Query looks for non-root users launching the switch user (su) process via a parent process other than the normally expected processes such as shells, sudo, or su itself. May identify false positives, yet works well for identification of potential CopyFail exploitation. // MITRE ATT&CK TTP ID: T1068 dataset = xdr_data | fields _time, agent_hostname, agent_os_type, event_type, event_sub_type, actor_effective_username, actor_effective_user_sid, actor_process_image_path, actor_process_image_name, actor_process_command_line, actor_process_image_sha256, action_process_image_name, action_process_image_command_line, action_process_user_sid | filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START and agent_os_type = ENUM.AGENT_OS_LINUX and actor_effective_user_sid != "0" and ( (action_process_image_name = "su" and action_process_image_command_line in ("su", "/usr/bin/su")) or (action_process_image_name in ("bash", "sh") and action_process_image_command_line ~= "-c(?:\s--)?\ssu$") and actor_process_image_name not in ("bash", "sh", "zsh", "ksh", "sudo", "su") | comp earliest(_time) as first_seen, latest(_time) as last_seen, count() as execution_count, values(actor_effective_username) as actor_usernames, values(actor_process_image_path) as actor_image_paths, values(actor_process_command_line) as actor_cmd_lines, values(action_process_image_command_line) as action_cmd_lines, values(action_process_user_sid) as action_UIDs by agent_hostname, actor_process_image_name, actor_process_image_sha256 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 // Title: CopyFail Detection via Non-root Launching su via Uncommon Parent Process // Description: Query looks for non-root users launching the switch user (su) process via a parent process other than the normally expected processes such as shells, sudo, or su itself.
May identify false positives, yet works well for identification of potential CopyFail exploitation. // MITRE ATT&CK TTP ID: T1068
dataset xdr_data | fields _time , agent_hostname , agent_os_type , event_type , event_sub_type , actor_effective_username , actor_effective_user_sid , actor_process_image_path , actor_process_image_name , actor_process_command_line , actor_process_image_sha256 , action_process_image_name , action_process_image_command_line , action_process_user_sid | filter
event_type ENUM . PROCESS event_sub_type ENUM . PROCESS_START
and agent_os_type ENUM . AGENT_OS_LINUX
and actor_effective_user_sid "0" and (
( action_process_image_name "su" action_process_image_command_line ( "su" , "/usr/bin/su" ) )
or ( action_process_image_name ( "bash" , "sh" ) "-c(?:\s--)?\ssu$" )
) actor_process_image_name "sh" , "zsh" , "ksh" , "sudo" , "su" ) | comp earliest ( _time ) first_seen , latest ( _time ) last_seen , count ( ) execution_count , values ( actor_effective_username ) actor_usernames ,
values ( actor_process_image_path ) actor_image_paths , values ( actor_process_command_line ) actor_cmd_lines , values ( action_process_image_command_line ) action_cmd_lines , values ( action_process_user_sid ) action_UIDs actor_process_image_sha256 // Title: CopyFail Proof of Concept Code Execution // Description: Query looks for potential CopyFail proof of concept (POC) code execution via identifying potentially correlated curl and su process executions.
May identify false positives, yet works well for identification of CopyFail POC provided by Xint.Code. config case_sensitive = false | dataset = xdr_data | filter agent_os_type = ENUM.AGENT_OS_LINUX | filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START | filter action_process_image_name in ("curl", "su") | bin _time span = 2m | filter action_process_image_command_line contains "copy.fail/exp" or (action_process_image_command_line = "su" or action_process_image_command_line ="/usr/bin/su") | fields _time, agent_id, event_id, agent_hostname, action_process_image_command_line, action_process_image_name, actor_process_instance_id | comp count() as event_count, values(agent_id) as agent_id, values(event_id) as event_id, values(action_process_image_name) as processes, values(action_process_image_command_line) as commands by agent_hostname, _time, actor_process_instance_id | filter processes contains "su" and processes contains "curl" 1 2 3 4 5 6 7 8 9 10 11 12 13 14 // Title: CopyFail Proof of Concept Code Execution // Description: Query looks for potential CopyFail proof of concept (POC) code execution via identifying potentially correlated curl and su process executions.
May identify false positives, yet works well for identification of CopyFail POC provided by Xint.Code. // MITRE ATT&CK TTP ID: T1068
config case_sensitive false | dataset filter ENUM . AGENT_OS_LINUX | event_type ENUM . PROCESS_START | action_process_image_name ( "curl" , _time span 2m | contains "copy.fail/exp" ( action_process_image_command_line = "/usr/bin/su" ) | agent_id , event_id , actor_process_instance_id | event_count , values ( agent_id ) values ( event_id ) values ( action_process_image_name ) processes , commands processes "curl" Conclusion Based on the amount of publicly available information, the ease of use and the effectiveness of the Copy Fail exploit, Palo Alto Networks highly recommends applying vendor-issued kernel updates immediately.
If this option is not feasible, we recommend following interim mitigation guidance to disable the vulnerable module until patches can be applied. This is especially important, given that a highly reliable proof-of-concept (PoC) script is already publicly available and preliminary testing activity has been observed. Palo Alto Networks customers are better protected by our products, as listed below. Palo Alto Networks Product Protections for CVE-2026-31431 Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.
Next-Generation Firewalls With Advanced Threat Prevention with the security subscription can help block transmitting exploit scripts over the network with the following Threat Prevention signature: 97176 - Linux Kernel Privilege Escalation Vulnerability. Cortex XDR and XSIAM Cortex XDR agent for Linux, starting from content update 2240-35441, contains detection and prevention capabilities for known samples that are related to the Copy Fail vulnerability. help protect against pre-exploitation and post-exploitation activities, using the multi-layer protection approach, including Advanced WildFire , Endpoint Protection Modules (EPM), Behavioral Threat Protection and the Local Analysis module.
Cortex Cloud endpoint protection can help protect organizations from threats expressed within this article. Cortex Cloud 2.1 detect and prevent malicious operations using behavioral and AI-enabled analytics to detect when attackers target Linux endpoints, including containers and virtual machines. Additionally, it can detect when cloud platform IAM policies associated with those targeted endpoints are being misused and alert teams when assets are vulnerable to these threats.
If you think you might have been compromised or have an urgent matter, get in touch with the or call: North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42) UK: +44.20.3743.3660 Europe and Middle East: +31.20.299.3130 Asia: +65.6983.8730 Japan: +81.50.1790.0200 Australia: +61.2.4062.7950 India: 000 800 050 45107 South Korea: +82.080.467.8774 Updated May 6, 2026, at 3:15 p.m. PT to expand coverage for Cortex XDR and XSIAM and to add Next-Gen Firewalls with Advanced Threat Prevention.
Updated May 7, 2026, at 2:00 p.m. PT to change Cortex XDR content version. Tags Containers CVE-2026-31431 Kubernetes Linux Local privilege escalation Page cache Vulnerability Threat Research Center Next: The npm Threat Landscape: Attack Surface and Mitigations (Updated May 1) Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution Understanding Current Threats to Kubernetes Environments 01flip: Multi-Platform Ransomware Written in Rust Related Vulnerabilities Resources High Profile Threats May 6, 2026 CVE-2026-0300 EarthWorm PAN-OS Read now Threat Research April 16, 2026 A Deep Dive Into Attempted Exploitation of CVE-2023-33538 Botnet Command injection CVE-2023-33538 February 19, 2026 VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731) Bash CVE-2026-1731 PowerShell February 17, 2026 Critical Vulnerabilities in Ivanti EPMM Exploited CVE-2026-1281 CVE-2026-1340 Ivanti January 30, 2026 Privileged File System Vulnerability Present in a SCADA System CVE-2025-0921 Privilege escalation SCADA January 13, 2026 Threat Brief: MongoDB Vulnerability (CVE-2025-14847) CVE-2025-14847 MongoDB Remote Code Execution With Modern AI/ML Formats and Libraries Apple CVE-2025-23304 CVE-2026-22584 December 12, 2025 Exploitation of Critical Vulnerability in React Server Components (Updated December 12) Cobalt Strike CVE-2025-55182 CVE-2025-66478 November 10, 2025 You Thought It Was Over?
Authentication Coercion Keeps Evolving Mimikatz PrintNightmare Get updates from Unit 42 Peace of mind comes from staying ahead of threats. Subscribe today. Your Email Subscribe for email updates to all Unit 42 threat research. By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement. This site is protected by reCAPTCHA and the Google Privacy Policy Terms of Service apply.
Invalid captcha! Subscribe Get the latest news, invites to events, and threat alerts Enter your email now to subscribe! Sign up By submitting this form, I understand my personal data will be processed in accordance with Palo Alto Networks Privacy Statement Terms of Use. Products and Services AI-Powered Network Security Platform Secure AI by Design Prisma AIRS AI Access Security Cloud Delivered Security Services Advanced URL Filtering Advanced WildFire Advanced DNS Security Enterprise Data Loss Prevention Enterprise IoT Security Medical IoT Security Industrial OT Security SaaS Security Next-Generation Firewalls Hardware Firewalls Software Firewalls Strata Cloud Manager SD-WAN for NGFW Panorama Secure Access Service Edge Prisma SASE Application Acceleration Autonomous Digital Experience Management Enterprise DLP Prisma Access Prisma Browser Prisma SD-WAN Remote Browser Isolation AI-Driven Security Operations Platform Cloud Security Application Security Cloud Posture Security Cloud Runtime Security Prisma Cloud AI-Driven SOC Cortex XSIAM Cortex XSOAR Cortex Xpanse Unit 42 Managed Detection & Response Managed XSIAM Next-Generation Identity Security Privileged Access Management Identity and Access Management Endpoint Privilege Manager Identity Governance Workforce Password Management Agentic Identities Secrets Management Unified Secrets Governance Application Credentials Delivery Vendor Privileged Access Threat Intel and Incident Response Services Proactive Assessments Incident Response Transform Your Security Strategy Discover Threat Intelligence Company About Us Careers Contact Us Corporate Responsibility Customers Investor Relations Location Newsroom Popular Links Blog Communities Content Library Cyberpedia Event Center Manage Email Preferences Products A-Z Product Certifications Report a Vulnerability Sitemap Tech Docs Unit 42 Do Not Sell or Share My Personal Information Your browser does not support the video tag.
Default Heading Read the article Seekbar Volume