Copy Fail (CVE-2026-31431) — Patch Every Linux Server You Run

Copy Fail (CVE-2026-31431) — Patch Every Linux Server You Run

A serious Linux kernel privilege escalation vulnerability called Copy Fail, tracked as CVE-2026-31431, was publicly disclosed on April 29, 2026 and is now confirmed to affect every major Linux distribution shipping kernels released between 2017 and the patched April 2026 builds. Microsoft published a coordinated advisory on May 1, 2026, Ubuntu released kernel updates the same week, and the Laravel Forge team has issued a customer advisory recommending immediate reboots. Anyone running Linux on a server, in a container, or on a managed platform should treat this as urgent maintenance work, not a future ticket.

This article summarises what Copy Fail is, who is affected, exactly what to do today, and the longer-term hardening that the disclosure should trigger across your fleet. The technical details below come from the public Microsoft, Ubuntu, Tenable, Sysdig, and CERT-EU advisories. Specific commands and version numbers are taken verbatim from those vendor advisories.

What Copy Fail Is

Copy Fail is a local privilege escalation flaw in the Linux kernel's userspace cryptographic API. The defect lives in the algif_aead module that backs the AF_ALG socket interface, where the kernel exposes its in-kernel crypto primitives to userspace processes. The bug originates from an in-place optimisation introduced in 2017 that lets the kernel reuse the source memory of an authenticated encryption operation as the destination buffer to avoid an extra allocation. Under specific conditions, the source and destination references can desynchronise.

When that desynchronisation is combined with a particular call pattern against the splice() system call, an attacker can perform a controlled four-byte write into the kernel's page cache. The page cache holds the in-memory representation of files that the kernel has read from disk, including privileged binaries such as /usr/bin/su, /usr/bin/sudo, and the dynamic linker. By corrupting the cached copy of one of those binaries, an attacker can change its behaviour the next time it executes — without ever modifying the file on disk.

The on-disk file remains unchanged, the file's permissions remain unchanged, and the file's checksum on disk remains unchanged. The only difference is that the in-memory copy that the kernel hands to execve is no longer the binary the system administrator installed. When that tampered binary runs, it yields full root privileges. From the system's own perspective, the privileged binary executed normally.

Researchers describe the resulting exploit as deterministic, free of race conditions, and small enough to fit in roughly 732 bytes of code. It works across distributions with no per-target tuning. That combination — deterministic, in-memory, cross-platform, and tiny — is what places Copy Fail in the same conversation as Dirty COW and Dirty Pipe.

Who Is Affected

Copy Fail affects every Linux distribution that has shipped a kernel with the AF_ALG in-place optimisation since 2017 and that has not yet applied the April 2026 fix. The publicly confirmed list includes Ubuntu 20.04, 22.04, and 24.04 LTS, Red Hat Enterprise Linux 10.1, SUSE Linux Enterprise 16, Amazon Linux 2023, Debian, Fedora, and Arch Linux. Ubuntu 18.04 has reached end of life and will not receive a community patch under standard support; Extended Security Maintenance customers should consult the Ubuntu Pro feed.

The exposure model is local privilege escalation. The vulnerability does not provide remote code execution by itself. An attacker needs a foothold on the system first — an unprivileged shell, a low-privilege service account, a workload running in a container, or a CI/CD job runner — and then uses Copy Fail to escalate to root.

That sounds like a smaller risk than a remote exploit, but in modern infrastructure the gap between "attacker on the box" and "attacker is root" is the gap most defences depend on. Multi-tenant systems, container platforms, CI/CD runners, shared development environments, and any setup where untrusted code can run with even minimal privileges are all in scope. Copy Fail collapses that gap to a few seconds.

Why It Is Especially Dangerous in Containers and Kubernetes

In container and Kubernetes environments, the host kernel is shared by every workload on a node. Containers do not run a separate kernel; they share the host's. A privilege escalation inside any container becomes a privilege escalation on the host kernel, and from there into other containers on the same node.

The AF_ALG interface is reachable from inside most default container configurations because it is part of the standard kernel socket API and is not blocked by the default seccomp profile in many distributions. Kernel security advisories from Microsoft and Sysdig specifically warn about container breakout potential, multi-tenant compromise, and lateral movement across pods sharing a node. CI/CD runners that execute customer code with relaxed isolation are a particularly attractive target because the attacker controls the workload that gets to call the vulnerable interface.

If you run Kubernetes, GitLab Runners, GitHub Actions self-hosted runners, build farms, or any platform that executes untrusted code, every node should be patched and rebooted on the same urgency as the public-facing surface.

What Was Patched and When

Ubuntu released kernel updates that contain the Copy Fail fix on April 2, 2026. The Laravel Forge advisory recommends verifying that the kernel package date on Ubuntu 20.04 and 22.04 hosts is April 2, 2026 or later. On Ubuntu 24.04 LTS the patched kernel package version is 6.8.0-107.107 or above. Backports are available for Ubuntu 22.04 and 20.04. Other distributions have published their own coordinated patches; consult your vendor's security tracker for exact package versions.

The patch does not require a configuration change. It does, however, require a kernel reboot to take effect. Installing a new kernel package without rebooting leaves the running kernel vulnerable until the next restart, regardless of what the package manager reports. Live kernel patching products (kpatch, Canonical Livepatch, kSplice) have published Copy Fail patches that apply without a reboot for customers who use them, but a real reboot is still the recommended baseline.

The 30-Minute Patch Plan

For most teams the right plan is straightforward and can be completed in a maintenance window of half an hour or less per server.

First, take an inventory. Identify every Linux host you operate, including production servers, staging servers, build runners, control planes, ephemeral cloud instances that survive longer than a single job, and any host that runs container workloads. Workstations and developer laptops that run Linux are also in scope, especially if they receive untrusted source code.

Second, apply the kernel update. On Debian and Ubuntu hosts the canonical command is apt-get update, then apt-get upgrade, then reboot. On RHEL, AlmaLinux, Rocky, and Amazon Linux 2023 hosts it is dnf update kernel followed by a reboot. On SUSE it is zypper patch followed by a reboot. On Arch and rolling distributions the upstream kernel package contains the fix once your mirrors have synced.

Third, verify after reboot. Run uname -r to confirm the running kernel is the patched version, and check the timestamp on the kernel package. A successful patch shows a kernel version above your distribution's published fix line and a package date matching or exceeding the vendor's advisory.

Fourth, plan for cloud-specific quirks. On AWS, rebooting an instance with a stopped-and-started lifecycle releases its public IP unless an Elastic IP is attached. The Laravel Forge team specifically calls this out: after the reboot, update any IP allow-lists, dashboards, and DNS entries that referenced the old address. On most other cloud providers a regular reboot preserves the public IP, but verify against your provider's documentation before a fleet-wide rolling restart.

Temporary Mitigation If You Cannot Reboot Yet

If a reboot is not immediately possible — for example, on a system mid-batch-job or under a hard maintenance freeze — the AF_ALG userspace crypto interface can be disabled at the module level. The mitigation prevents the vulnerable code path from being reached at all. The standard form of the workaround, taken from the Laravel Forge and Ubuntu advisories, is to add an install algif_aead /bin/false entry to a file under /etc/modprobe.d/, then unload the module with rmmod algif_aead.

This mitigation is non-disruptive for the vast majority of production workloads. The AF_ALG interface is only used by applications that explicitly opt in to userspace access to the kernel crypto API. Standard TLS, SSH, dm-crypt and LUKS full-disk encryption, kTLS, IPsec, and the OpenSSL and GnuTLS libraries do not depend on the vulnerable module and are unaffected by disabling it. If you are unsure, search your application logs for AF_ALG, or check whether any binary on your system links the libkcapi library; if it does, test before disabling.

The mitigation buys time. It is not a substitute for the patched kernel and the reboot. Schedule the full patch as the next available maintenance window even if the workaround is in place.

Verification That You Are Actually Safe

A surprisingly common failure mode after a kernel advisory is "we ran apt-get upgrade so we are fine," when in fact the running kernel is still the old one because no reboot happened. Verify the patch using all three of these signals: the running kernel version reported by uname -r, the timestamp of the installed kernel package, and the absence of any needrestart prompt indicating that processes are still using the old libraries.

For larger fleets, drive the verification from your configuration management or observability stack. A Prometheus exporter such as node_exporter publishes the running kernel version through the node_uname_info metric. A simple alert on "any host whose kernel version is below the published patched version" turns Copy Fail into a tracked compliance check rather than a one-off scramble.

What This Disclosure Should Change

The proximate fix for Copy Fail is a package update and a reboot. The longer-term lesson is that a logic flaw introduced in 2017 sat in the kernel for nine years, in a code path reachable from default container configurations, on every major distribution. The defence in depth that limits the damage of a flaw like this is the same defence in depth that limits all kernel privilege escalations. If your fleet is missing one of these layers, treat Copy Fail as the prompt to add it.

Run a default seccomp profile that denies unused syscalls, including AF_ALG socket creation, on container runtimes that allow it. Use rootless containers or user namespaces wherever the workload supports them, so that container root is not host root. Disable kernel modules that no application on the host actually uses, and keep an inventory of which modules are loaded versus which modules are needed. Subscribe every host to a managed kernel patch feed, with automated reboots scheduled inside a defined window per environment, so that the time between disclosure and full fleet remediation is measured in hours rather than days.

For multi-tenant platforms, the lesson is sharper still: a shared kernel is shared trust. Every customer workload that runs on the same node trusts every other workload not to hold a kernel zero-day. Microvm isolation (Firecracker, Kata Containers) and per-tenant nodes are the only architectural answers to that class of risk.

Reference

Copy Fail is tracked publicly as CVE-2026-31431. The Microsoft Security Blog, Ubuntu security blog, Laravel Forge knowledge base, CERT-EU, Sysdig, Tenable, and the Canadian Centre for Cyber Security all publish advisories with vendor-specific patch details. Customers running managed platforms should also consult their provider's security tracker for any platform-side mitigations that may already be in place. The patched kernel and a reboot remain the only fully complete remedy.