Anatomy of An attack

Introduction

Disclosed on April 29, 2026, by Xint Code researchers, CVE-2026-31431, aka Copy Fail, is a critical local privilege escalation vulnerability within the Linux Kernel. This logic flaw resides at the intersection of the kernel’s memory management and cryptographic subsystems. Crucially, almost all Linux distributions using kernel versions released between 2017 and early 2026 are vulnerable. The root cause stems from a 2017 performance optimization to the kernel’s Authenticated Encryption with Associated Data (AEAD) API. Specifically, the vulnerability is within the algif_aead, a userspace interface for the Linux kernel’s cryptography that handles these specific algorithms.

The mechanics of the exploit rely on a specific combination of system functions to manipulate kernel memory. An attacker initiates the exploit by selecting and opening file descriptor of a privileged command. They open a AF_ALG socket in read-only (a socket type that acts as a gateway to the kernel’s crypto API from userspace) and sends a payload in chunks using MSG_MORE flag, telling the kernel to expect more data, through the socket to the file descriptor using the splice() system call.

When a user splices a highly privileged, read-only system file into this socket, the kernel, prioritizing efficiency, passes references to the file's in-memory page cache rather than copying the data. Because the 2017 optimization allows the kernel to reuse the same memory space for both source data and destination output, the read-only memory pages temporarily become writable. This oversight allows an unprivileged local attacker to trigger a deterministic, controlled 4-byte write directly into the page cache of the targeted file. By overwriting specific memory pages associated with system binaries or authentication files, the attacker modifies the application's in-memory behavior without ever altering the physical file on the disk, smoothly bypassing standard disk-based file integrity monitoring systems.

While Copy Fail does not provide an initial remote entry point, its primary danger lies in the ability to transform a limited local foothold into full root-level administrative access. An attacker only needs basic, unprivileged access, which could be obtained through a compromised low-level service account, a malicious continuous integration runner job, or execution within a shared container. The exploit's execution is remarkably efficient, often requiring only a single, lightweight Python script. Furthermore, unlike historical kernel vulnerabilities that depend on precise timing or race conditions, Copy Fail is highly deterministic and reliably succeeds on virtually every execution.

From a risk management and threat intelligence perspective, the implications for cloud and containerized environments are severe. Because the Linux kernel manages a global page cache shared with the host system, the Copy Fail exploit inherently functions as a container escape primitive. An attacker who compromises a single container can corrupt the shared page cache, effectively breaking out of the container boundary to compromise the entire underlying Kubernetes (K8s) node. This escalation serves as the foundation for broader network compromise, enabling adversaries to harvest high-value credentials, such as K8s service account tokens or cloud metadata. Using these stolen identities, threat actors can move laterally across the cloud environment to access sensitive backend systems, ultimately achieving objectives like massive data exfiltration or financial extortion.

Active exploitation of Copy Fail in the wild has been confirmed by intelligence reporting and CISA, as of May 01, 2026. Given the low barrier to entry and the widespread availability of highly reliable proof-of-concept exploits, immediate remediation is imperative.

Key Components

Copy Fail combines a normal local user, a Linux crypto interface, and a “no-copy” file-transfer feature to trick the kernel into writing 4 attacker-chosen bytes into the in-memory copy of a protected file. The key components briefly described are:

• AF_ALG gives the attacker access to kernel crypto.
• algif_aead is the AEAD socket code.
• splice() lets file data enter that path as references to page-cache memory.
• authencesn wrongly writes 4 bytes past its proper output area.

Together, these pieces let a normal user write controlled bytes into the cached copy of a readable file. If that file is a setuid-root binary, running it can give root privileges, even when started by a normal user.

The Attack: CVE-2026-31431 “Copy Fail” Phases

Exploitation of the CVE-2026-31431 vulnerability requires unprivileged user access, which can be obtained using various initial access methods. Once initial access is obtained, the attacker can use Copy Fail to escalate privileges. This process can be described by four distinct phases:

Phase 1: Socket Setup

The attacker opens an AF_ALG socket and specifies the authencesn(hmac(sha256),cbc(aes)) cryptographic algorithm. The inherent kernel design leads to the kernel automatically engaging with the algif_aead module. The AF_ALG interface is accessible to unprivileged users by default, requiring no elevated permissions.

Phase 2: Constructing the Payload

The attacker prepares a shellcode payload to be injected into a target binary like /usr/bin/su. For each 4-byte segment of the shellcode, the attacker uses sendmsg() to provide "Additional Authenticated Data" (AAD). Crucially, bytes 4–7 of the AAD contain the 4 bytes the attacker wishes to write into the target page.

Phase 3: Memory Corruption via “Copy Fail”

The attacker uses the splice() system call to map the page cache of the setuid binary (e.g., /usr/bin/su) into the crypto socket. When the attacker calls recvmsg() to trigger the decryption process, the kernel incorrectly fails to create a private copy of the data when it is modified in place. This allows the attacker to corrupt the kernel page cache [T1565.001], which is the shared memory of the system for frequently accessed files.

Phase 4: Privilege Escalation, Secrets Theft, and Container Escape

In the final phase, the attacker targets sensitive system files that are already loaded into the page cache, such as /user/bin/su or /etc/passwd. By overwriting the cached version of these files in memory, the attacker can change the file’s logic without modifying the actual file on the physical disk, such as bypassing password checks to become the root user. When a legitimate process later calls these modified memory pages, the attacker is granted full administrative root access [T1068].

The vulnerability also allows for container escape in some situations. By repeating this process, the attacker replaces a small portion of the target binary's code with a jump to their shellcode. When any process executes the corrupted binary, the shellcode runs with the binary's original privileges (UID 0). In containerized environments, the host kernel manages a single global page cache. Thus, an attacker in an unprivileged container can corrupt a binary shared with the host or other containers, effectively escaping the container boundary.

In order for the exploit to work, they must know the page caching layers used, as the layers must be the same between the exploit and the targeted K8s container. Therefore, an attacker leveraging Copy Fail to exploit K8s would likely be an insider threat or have another exploit that would land them on a pod, then use this as a pod-to-node escape. To work, the attacker would have to use a privileged command that shared the same backing page cache as another privileged command that was later called. This attack, if successful, would give an attacker access to the node the pod was running on and potentially access to the cluster, exposing pod secrets, service account tokens, container filesystems, access to the Kublet API, and node IAM role. Ultimately, while vulnerable, a K8s attack is non-trivial.

The Adversary’s Copy Fail Playbook: MITRE ATT&CK TTPs

Detecting Attackers Post-Compromise

While post-compromise techniques following the Copy Fail exploit, an attacker’s behaviors are likely no longer Copy Fail specific. After gaining root, attackers typically move into a post-compromise behavior pattern, focusing on identity theft and lateral movement. This includes enumerating users, processes, containers, mounted secrets, credential harvesting and more.

Upon obtaining access to a Kubernetes (K8s) cluster, an adversary typically begins a series of post-exploitation activities. These likely include enumerating namespaces and containers, auditing mounted service account tokens, and investigating the associated RBAC permissions. Furthermore, attackers may extract secrets from configuration files or environment variables, interact with the K8s API server, initiate new workloads, and attempt to reach cloud metadata services.

ExtraHop RevealX™ can provide real-time network monitoring that reveals what’s happening

in the dynamic Kubernetes (K8s) infrastructure. An attacker’s behavior patterns can be identified including: anomalous behavior in east-west traffic, detecting when containers communicate with unexpected destinations, correlating K8s metadata (namespace, pod, replica set) with network behavior automatically and correlating K8s behavior with identity data to detect a container making a call using a hijacked credential.

An attacker’s post-compromise behaviors can be detected by the following (this is not an all-inclusive list):

Post-Compromise MITRE ATT&CK Mappings

ExtraHop NDR Detection and Capabilities

Modern NDR Platform Value

The complexity of modern security infrastructure often makes it difficult to discern network activity. This can make the identification of threats highly challenging without the right insights and context. ExtraHop RevealX provides a modern approach to network detection and response (NDR) by centralizing network visibility into a single, integrated platform that exposes hidden risks. Unlike traditional tools that rely on logs or endpoint agents that adversaries can bypass or disable, RevealX monitors the network as an immutable source of truth. This agentless approach ensures continuous monitoring of activity across the entire attack surface, including on-premises and cloud workloads where endpoint detection and response (EDR) cannot be installed.

By turning raw network traffic into actionable intelligence, RevealX enables security teams to detect threats up to 83% faster and resolve them 87% more efficiently. The platform utilizes cloud-scale artificial intelligence to analyze behavioral patterns. This allows it to differentiate between legitimate administrative actions and malicious misuse. This depth of insight is critical for understanding the scope of a compromise, identifying which sensitive data was accessed, and determining where an attacker went within the network.

Detecting Copy Fail

ExtraHop RevealX is well equipped to identify the post-exploitation network-based signals of a “Copy Fail” attack by utilizing line-rate decryption and protocol decoding. Because 67% of malicious traffic is now encrypted, many security tools are blind to the payloads that carry exploits. RevealX addresses this gap by decrypting over 90+ protocols at wire speed, unmasking hidden movements and malicious commands that would otherwise resemble routine encrypted sessions. This capability is essential for uncovering the exploitation of core network protocols that attackers repurpose to blend in with legitimate operations.

In the context of CVE-2026-31431, RevealX provides visibility into the critical staging phases of the attack. By decoding protocols like SMB, RPC, and HTTP, the platform can detect the unusual data transfers and administrative commands associated with local privilege escalation and lateral movement. This protocol level fluency allows security analysts to see the substance of a session, revealing when an attacker is manipulating protocol behavior to tunnel malicious activity or move stolen credentials across the network.

Securing the Agentic Enterprise

By utilizing cloud-scale machine learning, RevealX identifies the subtle, anomalous patterns indicative of a “Copy Fail” exploit, differentiating between legitimate administrative behavior and unauthorized privilege escalation. ExtraHop gives security and IT operations teams real-time, behavioral context across the enterprise, from legacy systems to cloud and AI environments, from privileged identities to critical systems.

Conclusions and Recommendations

Technical Takeaways

• Persistent Logic Flaw: CVE-2026-31431 is a deterministic logic error within the algif_aead interface, not a timing-based race condition, making exploitation highly reliable.
• Memory-Only Compromise: The "Copy Fail" technique allows attackers to modify the behavior of critical system binaries like /usr/bin/su directly in the kernel page cache without altering the files on physical disk.
• Broad Enterprise Impact: The vulnerability affects nearly all major Linux distributions utilizing kernel versions released since 2017 that have not applied the specific patch for the cryptographic subsystem.
• NDR Necessity: Because the exploit occurs in memory and uses legitimate system calls, network-level visibility is critical to identify the staging and lateral movement phases that endpoint-based tools may miss.

Recommended Response

• Immediate Kernel Patching: Organizations should prioritize updating Linux kernels to version 6.14.2 or the equivalent backported security release provided by their distribution vendor.
• Module Blacklisting: As an interim containment measure, administrators should disable the algif_aead kernel module on non-essential systems to remove the primary attack vector.
• Implement Seccomp Filtering: Use seccomp profiles to restrict unprivileged processes from calling AF_ALG sockets or the  splice() system call in high-risk environments like container runtimes.
• Deploy Line-Rate Decryption: Ensure that NDR capabilities are configured for line-rate decryption of internal traffic to expose the protocol-level manipulation used during post-exploitation lateral movement.
• Infrastructure Hardening: Transition toward a Zero Trust architecture that assumes local compromise and utilizes AI-driven behavioral analysis to detect anomalous privilege escalation in real time.

Additional Resources

• SOC Prime: https://socprime.com/active-threats/cve-2026-31431-copy-fail-linux-root-escalation/
• Security Week: https://www.securityweek.com/copy-fail-logic-flaw-in-linux-kernel-enables-system-takeover/
• Copy Fail: https://copy.fail/
• SYSDIG: https://www.sysdig.com/blog/cve-2026-31431-copy-fail-linux-kernel-flaw-lets-local-users-gain-root-in-seconds 
• NIST National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2026-31431
• The Record: https://therecord.media/linux-vulnerability-copy-fail-patch
• HackRead: https://hackread.com/linux-kernel-vulnerability-copy-fail-full-root-access/ 
• Xint: https://xint.io/blog/copy-fail-linux-distributions 
• Dark Reading: https://www.darkreading.com/vulnerabilities-threats/ai-assisted-software-scan-linux-bug 
• CERT-EU: https://cert.europa.eu/publications/security-advisories/2026-005/ 
• Palo Alto Unit 42: https://unit42.paloaltonetworks.com/modern-kubernetes-threats/ 
• Red Canary: https://redcanary.com/threat-detection-report/techniques/steal-application-access-token/ 
• Wiz: https://www.wiz.io/blog/copyfail-cve-2026-31431-linux-privilege-escalation-vulnerability
• CISA: https://www.cisa.gov/news-events/alerts/2026/05/01/cisa-adds-one-known-exploited-vulnerability-catalog 
• ExtraHop: https://www.extrahop.com/blog/new-in-revealx-detect-more-investigate-faster-with-capabilities-for-identity-kubernetes-and-threat-hunting 
• Talos: https://blog.talosintelligence.com/the-3-most-common-post-compromise-tactics-on-network-infrastructure/ 
• Crowdstrike: https://www.crowdstrike.com/en-us/press-releases/2026-crowdstrike-global-threat-report/