/Vulnerability Library

Copy Fail - Linux Kernel Local Privilege Escalation via AF_ALG

CVE-2026-31431
Verified

Description

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.

Severity

High

CVSS Score

7.8

Exploit Probability

96%

Affected Product

linux_kernel

Published Date

June 17, 2026

Template Author

ritikchaddha

CVE-2026-31431.yaml
id: CVE-2026-31431

info:
  name: Copy Fail - Linux Kernel Local Privilege Escalation via AF_ALG
  author: ritikchaddha
  severity: high
  description: |
    In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.
  impact: |
    A local attacker can escalate from any unprivileged user to root. The exploit:
  remediation: |
    Update the Linux kernel to a patched version. Upstream: 6.18.22+, 6.19.12+, 7.0+, LTS backports: 6.14.5+, 6.13.13+, 6.12.25+, 6.6.87+, 6.1.137+. If immediate patching is not possible, disable or blacklist the algif_aead kernel module
  reference:
    - https://discourse.ubuntu.com/t/fixes-available-for-cve-2026-31431-copy-fail-linux-kernel-local-privilege-escalation-vulnerability/81498
    - https://cert.europa.eu/publications/security-advisories/2026-005
    - https://xint.io/blog/copy-fail-linux-distributions
    - https://nvd.nist.gov/vuln/detail/CVE-2026-31431
  classification:
    cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.8
    cve-id: CVE-2026-31431
    epss-score: 0.96267
    epss-percentile: 0.9987
    cwe-id: CWE-787
    cpe: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: linux
    product: linux_kernel
  tags: cve,cve2026,code,kernel,linux,privesc,local,lpe,kev,vkev,vuln

self-contained: true

flow: code(1) && code(2) && code(3)

code:
  - engine:
      - sh
      - bash
    source: |
      whoami

    matchers:
      - type: word
        part: response
        words:
          - "root"
        negative: true
        internal: true

  - engine:
      - sh
      - bash
    source: |
      uname -r

    extractors:
      - type: regex
        name: kernel_version
        part: response
        regex:
          - '^[0-9]+\.[0-9]+\.[0-9]+'
        internal: true

  - engine:
      - sh
      - bash
    source: |
      KVER=$(uname -r)
      MAJOR=$(echo "$KVER" | cut -d. -f1)
      MINOR=$(echo "$KVER" | cut -d. -f2)
      PATCH=$(echo "$KVER" | cut -d. -f3 | cut -d- -f1)
      VULNERABLE=0

      # Check if algif_aead module is loaded or built-in (required attack surface)
      AEAD_PRESENT=0
      if lsmod 2>/dev/null | grep -q "algif_aead"; then
        AEAD_PRESENT=1
      elif [ -f /proc/modules ] && grep -q "algif_aead" /proc/modules 2>/dev/null; then
        AEAD_PRESENT=1
      elif [ -f "/lib/modules/$KVER/kernel/crypto/algif_aead.ko" ] || \
           [ -f "/lib/modules/$KVER/kernel/crypto/algif_aead.ko.zst" ] || \
           [ -f "/lib/modules/$KVER/kernel/crypto/algif_aead.ko.xz" ]; then
        AEAD_PRESENT=1
      elif [ -f "/boot/config-$KVER" ] && grep -q "Cy" "/boot/config-$KVER" 2>/dev/null; then
        AEAD_PRESENT=1
      elif [ -f /proc/config.gz ] && zcat /proc/config.gz 2>/dev/null | grep -q "Cy"; then
        AEAD_PRESENT=1
      fi

      # Introduced in ~4.14 (commit 72548b093ee3). Patched upstream: 6.18.22, 6.19.12, 7.0+
      # LTS backports: 6.14.5, 6.13.13, 6.12.25, 6.6.87, 6.1.137
      if [ "$MAJOR" -eq 4 ] && [ "$MINOR" -ge 14 ]; then
        VULNERABLE=1
      elif [ "$MAJOR" -eq 5 ]; then
        VULNERABLE=1
      elif [ "$MAJOR" -eq 6 ]; then
        if [ "$MINOR" -le 0 ]; then VULNERABLE=1
        elif [ "$MINOR" -eq 1 ] && [ "$PATCH" -le 136 ]; then VULNERABLE=1
        elif [ "$MINOR" -ge 2 ] && [ "$MINOR" -le 5 ]; then VULNERABLE=1
        elif [ "$MINOR" -eq 6 ] && [ "$PATCH" -le 86 ]; then VULNERABLE=1
        elif [ "$MINOR" -ge 7 ] && [ "$MINOR" -le 11 ]; then VULNERABLE=1
        elif [ "$MINOR" -eq 12 ] && [ "$PATCH" -le 24 ]; then VULNERABLE=1
        elif [ "$MINOR" -eq 13 ] && [ "$PATCH" -le 12 ]; then VULNERABLE=1
        elif [ "$MINOR" -eq 14 ] && [ "$PATCH" -le 4 ]; then VULNERABLE=1
        elif [ "$MINOR" -ge 15 ] && [ "$MINOR" -le 17 ]; then VULNERABLE=1
        elif [ "$MINOR" -eq 18 ] && [ "$PATCH" -le 21 ]; then VULNERABLE=1
        elif [ "$MINOR" -eq 19 ] && [ "$PATCH" -le 11 ]; then VULNERABLE=1
        fi
      fi

      if [ "$VULNERABLE" -eq 1 ]; then
        if [ "$AEAD_PRESENT" -eq 1 ]; then
          echo "VULNERABLE: kernel $KVER - algif_aead module present, version in affected range"
        else
          echo "VULNERABLE: kernel $KVER - version in affected range (algif_aead module status unknown, may be loadable)"
        fi
      else
        echo "NOT_VULNERABLE: kernel $KVER"
      fi

    matchers-condition: and
    matchers:
      - type: word
        part: response
        words:
          - "VULNERABLE:"

      - type: word
        part: response
        words:
          - "NOT_VULNERABLE"
        negative: true

    extractors:
      - type: regex
        name: detection_detail
        part: response
        regex:
          - 'VULNERABLE:.*'
# digest: 4a0a00473045022100e058f2d5f55fad7a3fb789ff8f71e2fd5aa4ca8c22c1322f282bf8b2e00f6bf202204f95658677e444614a29df15e5f9a0d0d33bd6a0be8bcdc67189762700ed4455:922c64590222798bb761d5b6d8e72950
7.8Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2026-31431
CWE ID:
cwe-787

References

https://discourse.ubuntu.com/t/fixes-available-for-cve-2026-31431-copy-fail-linux-kernel-local-privilege-escalation-vulnerability/81498https://cert.europa.eu/publications/security-advisories/2026-005https://xint.io/blog/copy-fail-linux-distributionshttps://nvd.nist.gov/vuln/detail/CVE-2026-31431

Remediation Steps

Update the Linux kernel to a patched version. Upstream: 6.18.22+, 6.19.12+, 7.0+, LTS backports: 6.14.5+, 6.13.13+, 6.12.25+, 6.6.87+, 6.1.137+. If immediate patching is not possible, disable or blacklist the algif_aead kernel module