A 732-byte Python script has been giving hackers root on your Linux servers since 2017 – Here’s everything

The CyberSec Guru

CVE-2026-31431 “Copy Fail” Explained


It took nine years for anyone to notice. Last week, a researcher ran a single Python script, smaller than most tweets, and walked away with a root shell on Ubuntu, RHEL, Amazon Linux, and SUSE. Every time. No luck required.

CVE-2026-31431, aptly nicknamed “Copy Fail”, is not your typical kernel bug. There’s no timing window to hit, no kernel version to fingerprint, no compiled payload to stage. It’s a straight-line logic flaw buried at the intersection of three innocent kernel changes made between 2011 and 2017. Run it once. Get root.

It works by feeding a readable file’s own kernel page-cache pages directly into the crypto subsystem through an AF_ALG socket and a splice() call, then exploiting a scratch-pad write in the authencesn cipher to overwrite the target setuid binary in memory. The HMAC fails. The error returns. The write already happened.

And because the Linux page cache is shared across container boundaries, a compromised pod can use this to escape to the host node. Microsoft Defender is already seeing threat actor testing. This one matters.

Here’s what the full member post covers, step by step:

  • The exact three kernel commits from 2011–2017 that combined to create this primitive and why no one caught it
  • Full annotated breakdown of the 732-byte Python PoC – every syscall explained line by line
  • Ready-to-paste Falco rule, auditd config, and Python scanner to detect exploitation attempts right now
  • The container escape path – how a Kubernetes pod becomes a host compromise
  • Exact patch commands for Ubuntu, RHEL, AlmaLinux, SUSE, Arch, Amazon Linux – copy and run
  • The safe one-line mitigation if you can’t reboot right now – and what it does and doesn’t protect
  • Side-by-side comparison with Dirty Cow and Dirty Pipe – why Copy Fail is the most dangerous of the three

The root cause sits inside algif_aead.c where the in-place optimization introduced in commit 72548b093ee3 causes the sg_init_table to point both the source and destination scatterlists at the same page-cache folio. When authencesn performs its internal scratch write during AEAD decryption, it lands 4 bytes past the output buffer end – which is now a live shared kernel page. The attacker controls those 4 bytes by crafting the associated data length field in the AEAD control message. Repeated 4 bytes at a time across the binary’s .text section, this overwrites the entry point with architecture-specific shellcode that calls setresuid(0,0,0) before execve of a shell. The full annotated Python exploit, the Falco detection rule, the auditd config, and exact patch commands for every major distribution are all inside the full post…
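Until the full post’s Falco and auditd rules are in hand, the behaviour described above (an AF_ALG socket followed by splice() from the same process) is already enough to build a first-pass detector. The script below is an added example, not the post’s own scanner: it parses auditd SYSCALL records and flags any PID that opened an AF_ALG socket and then called splice(). It assumes an x86_64 host, audit rules such as `-a always,exit -F arch=b64 -S socket -F a0=38 -k afalg` and `-a always,exit -F arch=b64 -S splice -k splice`, and the sample log lines are constructed, not real captures.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers (assumption: audit records come from an x86_64 host)
SYS_SOCKET = 41
SYS_SPLICE = 275
AF_ALG = 38  # address family of the kernel crypto API socket (0x26 in audit hex)

# Constructed sample audit records (not real captures). They mimic the
# SYSCALL record shape auditd emits for rules keyed on socket() and splice().
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 pid=4242 uid=1000 comm="python3" exe="/usr/bin/python3.12" key="afalg"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=275 success=yes exit=4096 a0=5 a1=0 a2=4 a3=0 pid=4242 uid=1000 comm="python3" exe="/usr/bin/python3.12" key="splice"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 pid=4300 uid=1000 comm="curl" exe="/usr/bin/curl" key="afalg"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=275 success=yes exit=8192 a0=3 a1=0 a2=5 a3=0 pid=4301 uid=0 comm="rsyslogd" exe="/usr/sbin/rsyslogd" key="splice"
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn one audit record into a dict of its key=value fields; None if not a SYSCALL record."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("type") != "SYSCALL":
        return None
    return fields

def find_suspicious_pids(log_text):
    """Return {pid: comm} for processes that opened an AF_ALG socket and later
    called splice(). Either call alone is common (crypto users, log daemons);
    the two together in one process is the pairing worth a closer look."""
    seen = defaultdict(lambda: {"afalg": False, "splice": False, "comm": "?"})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec:
            continue
        try:
            syscall = int(rec["syscall"])
            a0 = int(rec["a0"], 16)  # auditd logs syscall arguments in hex
        except (KeyError, ValueError):
            continue
        st = seen[rec["pid"]]
        st["comm"] = rec.get("comm", "?")
        if syscall == SYS_SOCKET and a0 == AF_ALG and rec.get("success") == "yes":
            st["afalg"] = True
        elif syscall == SYS_SPLICE and st["afalg"]:  # only count splice after AF_ALG
            st["splice"] = True
    return {pid: s["comm"] for pid, s in seen.items() if s["afalg"] and s["splice"]}

if __name__ == "__main__":
    for pid, comm in find_suspicious_pids(SAMPLE_AUDIT_LOG).items():
        print(f"ALERT pid={pid} comm={comm}: AF_ALG socket followed by splice()")
```

On a real host, pipe `ausearch -k afalg -k splice --raw` output into `find_suspicious_pids`; treat hits as a trigger for triage, not proof of exploitation, since legitimate software can use both calls.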

The rest of this post is for members.