Critical Linux Kernel Vulnerability CVE-2023-4911 Allows Root Access


David kimber
April 30, 2026

Key Takeaways

  • A critical zero-day vulnerability, dubbed “Copy Fail” (CVE-2026-31431), has been disclosed in the Linux kernel.
  • The flaw allows unprivileged local users to achieve root access on nearly all major Linux distributions released since 2017.
  • The exploit leverages a logic bug in the kernel’s cryptographic template and does not require complex race conditions or recompilation.
  • The vulnerability also poses a significant risk for container escapes in Kubernetes environments.
  • A patch is available, and administrators are urged to update their kernels immediately or apply temporary mitigations.

Linux Kernel Zero-Day “Copy Fail” Exposes Root Access

A severe zero-day vulnerability impacting the Linux kernel has been publicly disclosed, enabling any unprivileged local user to gain root privileges across virtually every major Linux distribution released since 2017. This critical flaw, tracked as CVE-2026-31431 and named “Copy Fail,” presents a significant security risk to a vast array of Linux-based systems.

The discovery was made by Theori researcher Taeyang Lee, with the Xint Code Research Team subsequently developing a full exploit chain using AI-assisted analysis. Unlike previous high-profile kernel vulnerabilities such as Dirty Cow (CVE-2016-5195) or Dirty Pipe (CVE-2022-0847), “Copy Fail” is a straight-line logic bug, not a race condition. It is found within the Linux kernel’s authencesn cryptographic template, accessible via the AF_ALG socket interface combined with the splice() system call.

The exploit’s simplicity is particularly concerning; it requires no race-winning conditions, kernel version offsets, recompilation, or custom compiled payloads. A mere 732-byte Python script, utilizing only standard library modules, can deterministically achieve root access on all tested distributions and architectures.

How “Copy Fail” Works

The “Copy Fail” exploit targets the kernel’s page cache, which is the in-memory representation of files. It achieves a controlled 4-byte write into a page cache page belonging to any file readable by the attacker. Crucially, the Linux kernel fails to mark this corrupted page as dirty for writeback, meaning the on-disk version of the file remains untouched. This stealthy modification allows the vulnerability to bypass standard checksum-based file integrity tools, which would otherwise detect the alteration.
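A defender's check that follows from the non-dirty page behaviour described above, added here as an example and not code from the article or from Theori/Xint: it hashes a file as the kernel serves it from the page cache, evicts the file's clean cached pages with posix_fadvise(POSIX_FADV_DONTNEED), and hashes it again, so a page altered in memory but never written back comes back as a mismatch between the two hashes. It assumes Linux and Python 3.8 or later; the function names and the default /usr/bin scan are the example's own choices.

```python
import hashlib
import os
import stat
import sys


def _sha256_fd(fd: int) -> str:
    """Hash the file through the normal read path, i.e. served from the page cache."""
    h = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while chunk := os.read(fd, 1 << 20):
        h.update(chunk)
    return h.hexdigest()


def cache_vs_disk(path: str) -> tuple:
    """Return (hash as cached, hash after evicting the file's clean cached pages).

    POSIX_FADV_DONTNEED drops clean, unmapped pages, so the next read comes from
    disk. A page altered in memory but never marked dirty (the Copy Fail case)
    is evicted and the original bytes return, so the two hashes differ. Dirty or
    currently mapped pages survive eviction: a match is not proof of absence.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        cached = _sha256_fd(fd)
        os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)  # Linux only
        on_disk = _sha256_fd(fd)
    finally:
        os.close(fd)
    return cached, on_disk


def setuid_binaries(root: str = "/usr/bin") -> list:
    """Regular files under root with setuid/setgid set, the files the article names as targets."""
    found = []
    for e in os.scandir(root):
        try:
            st = e.stat(follow_symlinks=False)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            found.append(e.path)
    return sorted(found)

if __name__ == "__main__":  # usage: check.py [file ...]; defaults to setuid files in /usr/bin
    for p in sys.argv[1:] or setuid_binaries():
        cached, on_disk = cache_vs_disk(p)
        print("MISMATCH" if cached != on_disk else "ok", p)
```

Run it before a kernel update lands and again after reboot; a mismatch on a setuid binary is worth treating as an incident, while a clean result only says nothing divergent was evictable at that moment.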

Following the in-memory corruption, the attacker executes a modified in-memory version of a setuid binary, such as /usr/bin/su, thereby obtaining a root shell. The vulnerability’s origin traces back to an in-place optimization introduced in 2017 within algif_aead.c (commit 72548b093ee3).

Specifically, when a user splices a file into a pipe and feeds it into an AF_ALG socket, the AEAD input scatterlist holds direct references to the kernel’s physical page cache pages of that file, rather than copies. For AEAD decryption operations, algif_aead.c sets req->src = req->dst, causing both the source and destination to point to the same combined scatterlist. This action inadvertently places page cache pages into a writable destination scatterlist.

The authencesn algorithm, employed by IPsec for 64-bit Extended Sequence Number (ESN) support, then uses the caller’s destination buffer as scratch space. While rearranging the ESN bytes, it writes 4 bytes at offset assoclen + cryptlen, past the declared output boundary, directly into the chained page cache pages. Three independent code changes, from 2011, 2015, and 2017, converged to create this exploitable condition, which went unnoticed for nearly a decade.

The same exploit script successfully achieved root shells on several tested platforms, demonstrating its broad impact:

Distribution         Kernel Version
Ubuntu 24.04 LTS     6.17.0-1007-aws
Amazon Linux 2023    6.18.8-9.213.amzn2023
RHEL 14.3            6.12.0-124.45.1.el10_1
SUSE 16              6.12.0-160000.9-default

The vulnerability was introduced with kernel 4.14 and affects all distributions running an unfixed kernel version.

Kubernetes Container Escape Risk

Beyond local privilege escalation, “Copy Fail” also functions as a potent Kubernetes container escape primitive. Given that the page cache is shared across all processes on a host, including those within container boundaries, a compromised container could exploit this flaw to corrupt setuid binaries visible to other containers and the host kernel. The Xint Code research series delves further into the specifics of achieving full Kubernetes node compromise using this vulnerability.

Patch Released

An official fix for CVE-2026-31431 has been released (commit a664bf3d603d). This patch reverts algif_aead.c to an out-of-place AEAD operation, effectively separating the TX scatterlist (which may contain page cache pages) from the RX scatterlist (the user’s output buffer). This change eliminates the sg_chain() mechanism that previously linked page cache pages into the writable destination, thereby mitigating the vulnerability.

The vulnerability was reported to the Linux kernel security team on March 23, 2026. Patches were committed to the mainline kernel on April 1, 2026, with the CVE assigned on April 22, 2026, and public disclosure occurring on April 29, 2026.

What You Should Do

  • Apply Kernel Updates Immediately: System administrators are strongly urged to apply the latest kernel updates provided by their distribution vendors as soon as possible.
  • Disable algif_aead Module (Temporary Mitigation): If immediate kernel updates are not feasible, disable the algif_aead kernel module to eliminate the attack surface. This can be done by executing the following commands:
    echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
    rmmod algif_aead 2>/dev/null
  • Monitor Systems: Implement robust monitoring for suspicious activity, especially on systems exposed to local users or running containerized workloads.
  • Review Container Security: For Kubernetes environments, review and strengthen container security policies and isolation mechanisms.
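A small audit of whether the temporary mitigation above is actually in effect, added as an example and not code from the article: it reads /proc/modules, the modprobe.d rules and the kernel's modules.builtin list, so it also catches the case where algif_aead is compiled into the kernel and can be neither unloaded nor blocked. The function names are the example's own, and the file paths are parameters so the checks can be run against copied files.

```python
import glob
import os
import re

MODULE = "algif_aead"
# The article's mitigation is an 'install algif_aead /bin/false' rule: modprobe then
# runs /bin/false instead of loading the module, so an AF_ALG bind cannot pull it in.
INSTALL_RULE = re.compile(r"^\s*install\s+algif[_-]aead\s+(/usr)?/bin/(false|true)\s*$")


def module_loaded(modules_path: str = "/proc/modules") -> bool:
    """True if algif_aead is currently resident (first field of a /proc/modules line)."""
    with open(modules_path) as f:
        return any(line.split(" ", 1)[0] == MODULE for line in f)


def module_builtin(builtin_list: str = None) -> bool:
    """True if algif_aead is compiled into the kernel: it then cannot be unloaded or blocked."""
    builtin_list = builtin_list or f"/lib/modules/{os.uname().release}/modules.builtin"
    try:
        with open(builtin_list) as f:
            return any(line.strip().endswith(f"/{MODULE}.ko") for line in f)
    except OSError:
        return False


def autoload_blocked(modprobe_dir: str = "/etc/modprobe.d") -> bool:
    """True if some *.conf carries the install rule. A bare 'blacklist' line is not
    counted: it only suppresses alias-based loading, not an explicit load request."""
    for conf in sorted(glob.glob(os.path.join(modprobe_dir, "*.conf"))):
        with open(conf) as f:
            if any(INSTALL_RULE.match(line) for line in f):
                return True
    return False


def status(modules_path="/proc/modules", modprobe_dir="/etc/modprobe.d", builtin_list=None) -> str:
    """Classify the host as 'builtin', 'loaded', 'blocked' or 'loadable'."""
    if module_builtin(builtin_list):
        return "builtin"   # only a kernel update helps
    if module_loaded(modules_path):
        return "loaded"    # rmmod still needed; without the rule it can be reloaded
    if autoload_blocked(modprobe_dir):
        return "blocked"   # temporary mitigation in place
    return "loadable"      # nothing stops an AF_ALG request from pulling the module in


if __name__ == "__main__":
    print(f"{MODULE}: {status()}")
```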
