CVE-2026-31431 — the Linux kernel “Copy Fail” local-privilege-escalation
A 732-byte Python script gets root on every Linux kernel between 2017 and the upstream fix in early 2026, by abusing algif_aead AF_ALG + splice(). If a user has a shell on your box, they can become root. Patched in mainline; not yet in every distro's default kernel build.
The fix without a reboot: a persistent modprobe blacklist on algif_aead. The vulnerable code path is in the in-kernel crypto socket interface — almost no production workload uses it. Blocking the module from loading, now and on every future boot, cuts the attack surface immediately.
printf 'blacklist algif_aead\ninstall algif_aead /bin/false\n' | sudo tee /etc/modprobe.d/cve-2026-31431-copyfail.conf
sudo rmmod algif_aead 2>/dev/null || true
The first line writes a modprobe config that blacklists algif_aead and makes any later on-demand load of it fail; it persists across reboots. The second line removes the module if it is currently loaded (and silently does nothing if it is not). Verify with lsmod | grep algif_aead; it should print nothing.
Ubuntu / Debian will ship the patched linux-image-*-generic via apt. After install, you must reboot to load the new kernel — the running kernel stays vulnerable until then. Schedule for a maintenance window; expect ~30-60 seconds of downtime.
sudo apt-get update
sudo apt-get install --only-upgrade -y linux-image-generic linux-headers-generic
sudo reboot
Don't want to reboot? The modprobe blacklist above keeps you safe. For hosts where the blacklist is in place, the kernel upgrade is best-practice cleanup, not strictly required.
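As an added check that is not part of the advisory: the script below reports whether the blacklist above is actually in effect on a host, and flags the case where algif_aead is compiled into the kernel rather than built as a module, since no modprobe setting can block a built-in and only the kernel upgrade closes that hole. It assumes /proc/modules and /lib/modules/$(uname -r)/modules.builtin exist (standard on Ubuntu and Debian kernels) and uses the conf path from the commands above.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit whether the algif_aead blacklist
# actually protects this host. Assumed (not given above): /proc/modules and
# /lib/modules/$(uname -r)/modules.builtin exist, and the conf path from the advisory.

CONF=/etc/modprobe.d/cve-2026-31431-copyfail.conf

# classify_algif MODULES_LIST BUILTIN_LIST OVERRIDE(yes|no)  -> prints one status word
#   builtin  compiled into the kernel (no .ko): modprobe cannot block it, only the kernel
#            upgrade and a reboot help
#   loaded   currently loaded: rmmod is still needed (keep the conf for the next boot)
#   blocked  not loaded and the "install ... /bin/false" override is present
#   exposed  not loaded and nothing blocks it: an AF_ALG socket would autoload it on demand
classify_algif() {
    modules=$1; builtin_list=$2; override=$3
    if printf '%s\n' "$builtin_list" | grep -q 'algif_aead\.ko'; then
        echo builtin; return 0
    fi
    # /proc/modules (what lsmod reads) lists one module per line, name first
    if printf '%s\n' "$modules" | grep -q '^algif_aead[[:space:]]'; then
        echo loaded; return 0
    fi
    if [ "$override" = yes ]; then echo blocked; else echo exposed; fi
}

# audit_host: collect the inputs from this machine and classify them
audit_host() {
    modules=$(cat /proc/modules 2>/dev/null || true)
    builtin_list=$(cat "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null || true)
    override=no
    # "blacklist" alone only stops alias-based loading; the "install" line is what makes
    # the kernel's on-demand load request for AF_ALG fail, so that is the line to check
    if grep -Eqs '^install[[:space:]]+algif_aead[[:space:]]+/bin/false' "$CONF"; then
        override=yes
    fi
    classify_algif "$modules" "$builtin_list" "$override"
}

status=$(audit_host)
echo "algif_aead: $status"
case $status in
    builtin) echo "blacklist has no effect here; install the patched kernel and reboot" ;;
    loaded)  echo "run: sudo rmmod algif_aead (after writing $CONF)" ;;
    exposed) echo "write $CONF with the blacklist and install lines, then rmmod" ;;
    blocked) echo "mitigated until the kernel upgrade; no reboot required" ;;
esac
```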
StackPatch quickscan reads your distro / kernel / installed packages and tells you if CVE-2026-31431 (and any other live USN / DSA CVE) applies right now.
curl https://mindsparkstack.com/scan.sh | bash
Source rendered as text/plain at /scan.sh so you can read before piping. Anonymous, no signup.
Background
The algif_aead kernel module exposes the in-kernel crypto API as a Linux socket interface. It was added in 2014 and has been part of every major distro's default kernel build. The vulnerability is in the path that handles splice() from a pipe into an AF_ALG socket: under specific conditions, a buffer is freed while still being referenced, leading to a use-after-free that can be massaged into kernel-mode code execution.
The proof-of-concept is small enough to fit in a 732-byte Python script. It does not require any unusual privilege — a regular shell user is enough. Public exploits exist.
Why the blacklist works: production workloads almost never use AF_ALG. In-kernel consumers call the crypto API directly; AF_ALG is mostly a convenience for userspace tools that want hardware-accelerated crypto without a C extension. Blacklisting the module costs you nothing on a typical SaaS box.
Continuous monitoring (the next CVE will look the same)
Copy Fail isn't the last kernel local-priv-esc you'll need to patch. The next one might drop next week. StackPatch runs the matcher hourly against the live USN + Debian Security Tracker feeds and emails you the exact remediation when something new applies to one of your servers. $99 lifetime, 50 founder seats.