This Linux vulnerability puts millions of systems at risk – how to protect yours

ZDNET’s key takeaways
- Copy Fail is a Linux vulnerability.
- This flaw makes gaining root access easy for attackers.
- Copy Fail affects millions of Linux systems.
CVE-2026-31431, also known as Copy Fail, is a critical Linux kernel vulnerability that has been lurking since 2017 and is now getting the security spotlight it deserves.
Reports of Linux vulnerabilities are often overblown, but not in this case. Copy Fail is serious business and should be treated as an issue that must be mitigated.
What is Copy Fail?
Let’s talk about Copy Fail in terms that anyone can understand.
Think of your computer’s memory as a blackboard, where the teacher tracks your grades in real time. You don’t allow students to use chalk or erasers, so they can’t change their marks. The “Copy Fail” vulnerability is like a cheating student who somehow gains access to an eraser and chalk, and suddenly changes his grade while you’re not looking.
Basically, Copy Fail is a flaw in the part of the Linux system that is responsible for managing the security of certain types of data. The flaw allows an attacker, with only basic access to the system, to modify a significant piece of the data held in the computer’s RAM. Once the change is made, the modified data can trick the system into thinking that the attacker is the root user, giving the attacker full control of the system.
Consider this: A janitor takes a name plate from the manager’s office and slaps it on the wall near his closet so everyone thinks he’s the manager.
That’s Copy Fail.
The difference between Copy Fail and other vulnerabilities that have plagued Linux is that this one does not require specific timing or a particular sequence of events to occur. It is all too easy to exploit, and its consequences can be dangerous.
More details
For those who want more details about Copy Fail: It abuses the AF_ALG socket interface and the splice() system call to overwrite just 4 bytes in the kernel page cache of any readable file. Once this happens, attackers can modify a setuid binary, such as the su command, in memory to gain root access.
Copy Fail differs from “race condition” flaws because it is a stable, linear vulnerability that does not require timing-dependent retries to escalate privileges.
Copy Fail affects all Linux kernels from 4.14 to 6.19.12. You read that right: kernels from 2017 to now.
According to the Xint Code Research Team, “This discovery was aided by AI, but it started with an insight from Theori researcher Taeyang Lee, who was studying how the Linux crypto subsystem interacts with cache page-based data. He used Xint Code to measure his research across the entire crypto subsystem, and Copy Fail is the most important finding in the report.”
How to Avoid Copy Fail
The easiest way to mitigate the Copy Fail vulnerability is to update your kernel to the latest version. To find out if your kernel is patched against Copy Fail, issue the following commands:
dpkg -l kmod
grep -qE '^algif_aead' /proc/modules && echo "The affected module is loaded" || echo "The affected module is NOT loaded"
If your kernel is patched, you will see “The affected module is NOT loaded.” If your kernel is not patched, you will see “The affected module is loaded.” If you see the latter, make sure to update your system and rerun the command. If, after the update, your system is still not patched, you can disable the algif_aead module with the command:
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
You can then unload the module with:
rmmod algif_aead
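The checks above can be combined into one triage script. This is an added example, not code from the article or from any vendor; the function names and status strings are assumptions made for illustration. It compares the running kernel against the 4.14 to 6.19.12 range given above, then checks whether algif_aead is loaded and whether the modprobe.d override is in place. Treat the version comparison as a first pass only, since distribution kernels can carry backported fixes under an older version number.

```shell
#!/bin/sh
# Added example (not from the article): first-pass Copy Fail triage.
# Function names and status strings are illustrative assumptions.

# "6.8.0-45-generic" -> 6008000 (major*1000000 + minor*1000 + patch)
kver_num() {
    v=${1%%[!0-9.]*}    # drop distro suffix such as "-45-generic"
    IFS=. read -r maj min pat rest <<EOF
$v
EOF
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# Affected range as stated in the article: 4.14 through 6.19.12.
kernel_in_affected_range() {
    n=$(kver_num "$1")
    [ "$n" -ge "$(kver_num 4.14)" ] && [ "$n" -le "$(kver_num 6.19.12)" ]
}

# True if algif_aead is listed in a /proc/modules-format file.
module_loaded() {
    grep -q '^algif_aead ' "${1:-/proc/modules}"
}

# True if a modprobe.d directory holds the install override from the article.
module_blocked() {
    grep -qsE '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/false' \
        "${1:-/etc/modprobe.d}"/*.conf
}

# Args: kernel release, modules file, modprobe.d directory.
copy_fail_status() {
    if ! kernel_in_affected_range "$1"; then
        echo "outside-affected-range"
    elif module_loaded "$2"; then
        echo "exposed-module-loaded"
    elif module_blocked "$3"; then
        echo "mitigated-module-blocked"
    else
        # Not loaded now, but nothing stops it being loaded later.
        echo "in-range-module-not-blocked"
    fi
}

# Live check: sh copyfail-check.sh --live
if [ "${1:-}" = "--live" ]; then
    copy_fail_status "$(uname -r)" /proc/modules /etc/modprobe.d
fi
```

A result of in-range-module-not-blocked means the module is absent from /proc/modules at the moment but no override prevents it from being loaded later, so the override is still worth applying on an unpatched kernel.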
Now you know enough about Copy Fail to stay protected.



