Critical Linux Kernel Vulnerability CVE-2023-4911 Allows Root Access
Key Takeaways
- A critical zero-day vulnerability, dubbed “Copy Fail” (CVE-2026-31431), has been disclosed in the Linux kernel.
- The flaw allows unprivileged local users to achieve root access on nearly all major Linux distributions released since 2017.
- The exploit leverages a logic bug in the kernel’s cryptographic template and does not require complex race conditions or recompilation.
- The vulnerability also poses a significant risk for container escapes in Kubernetes environments.
- A patch is available, and administrators are urged to update their kernels immediately or apply temporary mitigations.
Linux Kernel Zero-Day “Copy Fail” Exposes Root Access
A severe zero-day vulnerability impacting the Linux kernel has been publicly disclosed, enabling any unprivileged local user to gain root privileges across virtually every major Linux distribution released since 2017. This critical flaw, tracked as CVE-2026-31431 and named “Copy Fail,” presents a significant security risk to a vast array of Linux-based systems.
The discovery was made by Theori researcher Taeyang Lee, with the Xint Code Research Team subsequently developing a full exploit chain using AI-assisted analysis. Unlike previous high-profile kernel vulnerabilities such as Dirty Cow (CVE-2016-5195) or Dirty Pipe (CVE-2022-0847), “Copy Fail” is a straight-line logic bug, not a race condition. It is found within the Linux kernel’s authencesn cryptographic template, accessible via the AF_ALG socket interface combined with the splice() system call.
The exploit’s simplicity is particularly concerning; it requires no race-winning conditions, kernel version offsets, recompilation, or custom compiled payloads. A mere 732-byte Python script, utilizing only standard library modules, can deterministically achieve root access on all tested distributions and architectures.
How “Copy Fail” Works
The “Copy Fail” exploit targets the kernel’s page cache, which is the in-memory representation of files. It achieves a controlled 4-byte write into a page cache page belonging to any file readable by the attacker. Crucially, the Linux kernel fails to mark this corrupted page as dirty for writeback, meaning the on-disk version of the file remains untouched. This stealthy modification allows the vulnerability to bypass standard checksum-based file integrity tools, which would otherwise detect the alteration.
Following the in-memory corruption, the attacker executes a modified in-memory version of a setuid binary, such as /usr/bin/su, thereby obtaining a root shell. The vulnerability’s origin traces back to an in-place optimization introduced in 2017 within algif_aead.c (commit 72548b093ee3).
Specifically, when a user splices a file into a pipe and feeds it into an AF_ALG socket, the AEAD input scatterlist holds direct references to the kernel’s physical page cache pages of that file, rather than copies. For AEAD decryption operations, algif_aead.c sets req->src = req->dst, causing both the source and destination to point to the same combined scatterlist. This action inadvertently places page cache pages into a writable destination scatterlist.
The authencesn algorithm, employed by IPsec for 64-bit Extended Sequence Number (ESN) support, then uses the caller’s destination buffer as scratch space. During this process, it rearranges ESN bytes, writing 4 bytes at an offset of assoclen + cryptlen past the declared output boundary, directly into the chained page cache pages. This complex interplay of three independent code changes across 2011, 2015, and 2017 converged to create this exploitable condition, which went unnoticed for nearly a decade.
The same exploit script successfully achieved root shells on several tested platforms, demonstrating its broad impact:
| Distribution | Kernel Version |
|---|---|
| Ubuntu 24.04 LTS | 6.17.0-1007-aws |
| Amazon Linux 2023 | 6.18.8-9.213.amzn2023 |
| RHEL 14.3 | 6.12.0-124.45.1.el10_1 |
| SUSE 16 | 6.12.0-160000.9-default |
The vulnerability was introduced with kernel 4.14 and affects all distributions running an unfixed kernel version.
Kubernetes Container Escape Risk
Beyond local privilege escalation, “Copy Fail” also functions as a potent Kubernetes container escape primitive. Given that the page cache is shared across all processes on a host, including those within container boundaries, a compromised container could exploit this flaw to corrupt setuid binaries visible to other containers and the host kernel. The Xint Code research series delves further into the specifics of achieving full Kubernetes node compromise using this vulnerability.
Patch Released
An official fix for CVE-2026-31431 has been released (commit a664bf3d603d). This patch reverts algif_aead.c to an out-of-place AEAD operation, effectively separating the TX scatterlist (which may contain page cache pages) from the RX scatterlist (the user’s output buffer). This change eliminates the sg_chain() mechanism that previously linked page cache pages into the writable destination, thereby mitigating the vulnerability.
The vulnerability was reported to the Linux kernel security team on March 23, 2026. Patches were committed to the mainline kernel on April 1, 2026, with the CVE assigned on April 22, 2026, and public disclosure occurring on April 29, 2026.
What You Should Do
- Apply Kernel Updates Immediately: System administrators are strongly urged to apply the latest kernel updates provided by their distribution vendors as soon as possible.
- Disable the algif_aead Module (Temporary Mitigation): If immediate kernel updates are not feasible, disable the algif_aead kernel module to eliminate the attack surface. This can be done by executing the following commands:

  ```sh
  echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
  rmmod algif_aead 2>/dev/null
  ```

- Monitor Systems: Implement robust monitoring for suspicious activity, especially on systems exposed to local users or running containerized workloads.
- Review Container Security: For Kubernetes environments, review and strengthen container security policies and isolation mechanisms.
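As an added example (not code from the advisory or from the kernel project), the following POSIX shell helper applies the two temporary mitigation commands above and verifies the result. It assumes the usual /proc/modules and /etc/modprobe.d locations, both overridable through the environment so the check logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the advisory): applies and verifies the temporary
# "Copy Fail" (CVE-2026-31431) mitigation of blacklisting and unloading algif_aead.
# Paths are overridable via the environment so the logic can be exercised without root.
MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"
MODULES_FILE="${MODULES_FILE:-/proc/modules}"
CONF_FILE="${CONF_FILE:-$MODPROBE_DIR/disable-algif-aead.conf}"

# Returns 0 if algif_aead is currently loaded (first field of a /proc/modules line).
algif_aead_loaded() {
    grep -q '^algif_aead ' "$MODULES_FILE" 2>/dev/null
}

# Returns 0 if the modprobe "install" rule that blocks auto-loading is already present.
algif_aead_blacklisted() {
    grep -qs '^install algif_aead /bin/false' "$CONF_FILE"
}

# Write the blacklist rule exactly as the advisory gives it (idempotent).
# rmmod alone is not enough: the next AF_ALG "aead" bind would auto-load the
# module again, which this rule prevents.
apply_blacklist() {
    mkdir -p "$MODPROBE_DIR"
    algif_aead_blacklisted || echo "install algif_aead /bin/false" > "$CONF_FILE"
}

# Unload the module if loaded; returns 1 if rmmod fails (e.g. module in use).
unload_module() {
    if algif_aead_loaded; then
        rmmod algif_aead 2>/dev/null || return 1
    fi
}

# Report the mitigation state. Returns 0 only when the attack surface is closed:
# module not loaded AND auto-load blocked. 1 = still loaded, 2 = blacklist missing.
mitigation_status() {
    if algif_aead_loaded; then
        echo "EXPOSED: algif_aead is loaded"; return 1
    elif ! algif_aead_blacklisted; then
        echo "PARTIAL: algif_aead not loaded, but can still auto-load"; return 2
    fi
    echo "MITIGATED: algif_aead not loaded and auto-load blocked"
}
```

Run `mitigation_status` to audit a host, or `apply_blacklist && unload_module` as root to apply the workaround. On kernels where algif_aead is compiled in rather than built as a module, neither step has any effect and only the kernel update closes the issue.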
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.