Critical Linux Kernel Vulnerability CopyFail Rocks the Security Community

On April 30, 2026, security research firm Theori publicly disclosed a Linux kernel vulnerability codenamed CopyFail (CVE-2026-31431), along with working exploit code. Security experts are calling it “the most severe Linux security threat to surface in years.”

The vulnerability was privately reported to the Linux kernel security team five weeks ago. While the kernel team has already issued patches across multiple versions — including 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254 — the vast majority of Linux distributions have not yet incorporated these fixes into their update packages, leaving hundreds of millions of servers and devices worldwide still exposed.

How the Vulnerability Works

CopyFail stems from an in-place optimization flaw in the Linux kernel’s cryptographic API (AF_ALG) introduced in 2017. The defect allows page cache pages to end up in writable destination scatterlists, enabling privilege escalation.

Critically, the attack requires only an unprivileged local user account — no network access, no kernel debugging features, no pre-installed primitives. Since AF_ALG ships enabled in essentially every mainstream distribution’s default configuration, the entire range from the 2017 patch window to current versions is vulnerable out of the box.

Who Is at Risk?

The scope of CopyFail is extraordinarily broad, affecting virtually every Linux deployment scenario:

• Multi-tenant Linux hosts: Shared dev boxes, shell-as-a-service, jump hosts, build servers
• Kubernetes/container clusters: The page cache is shared across the host; a container with the right primitives can compromise the node and cross tenant boundaries
• CI/CD pipelines: GitHub Actions self-hosted runners, GitLab runners, Jenkins agents — anything executing untrusted PR code as a regular user on a shared kernel
• AI and cloud computing: Notebook hosts, agent sandboxes, serverless functions, any tenant-supplied container or script environment

Automated Exploitation Already Demonstrated

Adding to the urgency, Theori demonstrated the vulnerability’s automated exploitation capability. Their tool successfully scanned and compromised Redis, PostgreSQL, and MariaDB database systems with zero human intervention. The project was also a finalist in the DoD DARPA AI Cyber Challenge.

Remediation

Security experts strongly recommend that all Linux system administrators take immediate action:

1. Patch immediately: Update your distribution’s kernel package to one that includes mainline commit a664bf3d603d, which reverts the 2017 algif_aead in-place optimization. Most major distributions are now shipping the fix.
2. Multi-tenant environments first: Cloud providers and container cluster operators should treat this as the highest priority.
3. Single-tenant systems: While not directly exposing remote attack vectors, any local code execution on these systems will escalate to root.

This incident underscores the critical importance of open-source supply chain security. A nearly decade-old kernel optimization flaw, once its exploit code is publicly released, can pose devastating risks to global internet infrastructure.

Source: Ars Technica | CopyFail