Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years
ID: dbfabf50-e4aa-51a3-8ad3-c2d788be30c4
STIX ID: report--dbfabf50-e4aa-51a3-8ad3-c2d788be30c4
Feed Name: Palo Alto Networks Unit 42
Palo Alto Networks Unit 42 describes CVE-2026-31431 ("Copy Fail"), a deterministic local privilege escalation in the Linux kernel's AF_ALG/algif_aead crypto code affecting kernels 4.14–6.19.12; a 732-byte Python PoC can reliably overwrite four bytes in the page cache to tamper with setuid binaries (e.g., su, sudo), enabling root escalation across many major distributions. The advisory details the root cause, the exploitation steps, detection queries, and recommended mitigations (immediate patching, or disabling the algif_aead module as an interim measure), and notes that a public PoC is available and that preliminary testing has been observed.
