CVE-2026-31431: 732 Bytes Gets You Root on Every Linux Distro
A 9-year-old kernel bug. 732-byte exploit. Works identically on Ubuntu, RHEL, Debian, Fedora, Amazon Linux. No race condition needed. On CISA KEV. Patch your servers.
# 732 bytes. That's the entire exploit.
CVE-2026-31431, nicknamed "CopyFail." A logic flaw in the Linux kernel's algif_aead module that lets any unprivileged user write controlled bytes into the page cache of any readable file. Including privileged binaries. A 732-byte proof of concept overwrites a SUID binary's cached pages to gain root.
No race condition. No timing dependency. No ASLR bypass. Deterministic. Run it, get root. Works identically on Ubuntu, RHEL, Debian, SUSE, Fedora, Amazon Linux, Rocky, Alma, Oracle Linux. Every mainstream distro shipping kernels built from 2017 to early 2026.
Nine years this bug existed. On CISA KEV with confirmed active exploitation.
# Why this matters for businesses.
If you run any Linux servers (web servers, database servers, application servers, containers on Linux hosts), every user account on those servers has a path to root. A compromised web application, a leaked SSH key, a low-privilege service account, anything that gives an attacker a shell on a Linux box gives them root through CopyFail.
That changes the risk calculation for every other vulnerability. A "low severity" web application bug that only gives limited access? Chain it with CopyFail and it's root on the server. A "medium severity" container escape? Chain it with CopyFail and it's root on the host.
Privilege escalation bugs are force multipliers. They turn minor access into total compromise.
# What to do.
1. Patch your kernels. Fixed in mainline 6.18.22, 6.19.12, and 7.0. Every major distro has published updates. Apply them.
```bash
# Check your running kernel version
uname -r
# Ubuntu/Debian: upgrade the kernel meta-package (linux-image-generic on Ubuntu,
# linux-image-amd64 on Debian) rather than linux-image-$(uname -r), which is the
# already-installed versioned package and will not pull in the fixed kernel
sudo apt update && sudo apt upgrade
# RHEL/CentOS/Rocky/Alma
sudo dnf update kernel
# In both cases the new kernel only runs after a reboot
```
2. If you can't patch immediately, blacklist the vulnerable module:
```bash
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
sudo modprobe -r algif_aead 2>/dev/null
```
This disables the AEAD socket interface. Most applications don't use it directly. Test in staging first, but this is a safe interim mitigation for the vast majority of workloads.
3. Audit your server inventory. Every Linux server, VM, and container host in your infrastructure needs this patch. Don't forget the ones you set up two years ago and haven't touched since. Those are the ones attackers find first.
4. Enable automatic security updates on servers where appropriate. Ubuntu has unattended-upgrades. RHEL has dnf-automatic. These apply security patches automatically so you don't have to remember. For critical infrastructure, test in staging first. For everything else, automatic security patches are better than no patches.
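As an added triage helper for steps 1 and 2 (my own script, not from the advisory or any vendor), this POSIX shell code classifies a kernel release string against the mainline fix versions named above and checks whether a modprobe.d directory already blacklists algif_aead. Function names and the verdict words are my own; because distro kernels backport fixes without bumping the version, an "exposed" verdict means "check your distro's advisory", not a confirmed finding.

```shell
#!/bin/sh
# Added triage helper (not from the advisory). Verdicts:
#   patched   - release is at/after a mainline fix version
#   mitigated - kernel not known-fixed, but algif_aead is blacklisted
#   exposed   - neither; for distro kernels (which backport fixes without
#               bumping the version) this means "check the distro advisory"

# kernel_is_patched RELEASE -> exit 0 if RELEASE >= 6.18.22, 6.19.12 or 7.0
kernel_is_patched() {
    ver=${1%%-*}                 # drop "-generic", "-427.el9.x86_64", ...
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
    major=${1:-0}; minor=${2:-0}
    patch=$(printf '%s' "${3:-0}" | tr -cd 0-9); patch=${patch:-0}
    [ "$major" -ge 7 ] && return 0
    [ "$major" -eq 6 ] && [ "$minor" -eq 18 ] && [ "$patch" -ge 22 ] && return 0
    [ "$major" -eq 6 ] && [ "$minor" -eq 19 ] && [ "$patch" -ge 12 ] && return 0
    return 1
}

# module_blacklisted DIR -> exit 0 if a .conf in DIR disables algif_aead,
# via the "install ... /bin/false" line above or a plain "blacklist" line
module_blacklisted() {
    grep -qsE '^[[:space:]]*(install[[:space:]]+algif_aead[[:space:]]+/bin/(false|true)|blacklist[[:space:]]+algif_aead)([[:space:]]|$)' "$1"/*.conf
}

# copyfail_status RELEASE MODPROBE_DIR -> prints one of the verdicts above
copyfail_status() {
    if kernel_is_patched "$1"; then echo patched
    elif module_blacklisted "$2"; then echo mitigated
    else echo exposed
    fi
}

# Demo on constructed inputs: a scratch modprobe.d holding the blacklist line
demo=$(mktemp -d)
echo "install algif_aead /bin/false" > "$demo/disable-algif-aead.conf"
copyfail_status "6.18.21-generic" "$demo"            # mitigated
copyfail_status "5.15.0-107-generic" /nonexistent    # exposed
copyfail_status "7.0.0" /nonexistent                 # patched
rm -rf "$demo"

# Live host; also confirm the module is not currently loaded with:
#   lsmod | grep -w algif_aead
copyfail_status "$(uname -r)" /etc/modprobe.d
```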
# Further reading
- NVD: CVE-2026-31431 - vulnerability details
- Unit 42 Analysis - exploitation technical deep dive
- Ubuntu Security Notice - Ubuntu patch details
- CISA KEV Catalog - actively exploited vulnerabilities