P013C

CVE-2026-31431

Description

CVE-2026-31431, also known as Copy Fail, is a local privilege escalation vulnerability in the Linux kernel's algif_aead crypto subsystem. A logic flaw in authencesn, combined with the AF_ALG socket family and the splice() system call, allows an unprivileged local user to perform a 4-byte page-cache write that leads to full root access. The exploit is reliable, requires no race conditions or kernel-specific offsets, and affects every Linux kernel built since 2017. It carries a CVSS v3.1 score of 7.8 (HIGH) and was added to the CISA KEV catalog on May 1, 2026.

Impact

There is no downtime expected from this change. The algif_aead kernel module is unloaded on all nodes and blacklisted so it cannot be reloaded. A filesystem cache flush is performed afterward to ensure a clean state.

Changes

  • Places a boot hook (00-copy-fail-mitigation) on the shared storage at /mnt/jrc-comms/hooks/boot.d/ so the mitigation is applied automatically on every instance boot, even after AMI replacements.
  • The hook blacklists the algif_aead module via /etc/modprobe.d/p013c-disable-algif_aead.conf and unloads it if currently loaded.
  • Runs the hook immediately on all nodes so the mitigation takes effect without waiting for a reboot.
  • Flushes filesystem caches on all nodes after the mitigation is applied.
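
One way to confirm on a node that the hook took effect, as an added example (not part of this change or the hook itself). The function names are illustrative, and the directive formats are assumed to follow modprobe.d(5), since the contents of the .conf file are not shown here:

```shell
#!/bin/sh
# Added example: audit one node for the algif_aead mitigation.
# Function names are illustrative; paths are parameters so fixtures can be used.
MODULE=algif_aead

# Print "loaded" or "not-loaded" from a /proc/modules-format file.
module_state() {
    if awk -v m="$MODULE" '$1 == m { f = 1 } END { exit !f }' "$1" 2>/dev/null
    then echo loaded
    else echo not-loaded
    fi
}

# Print the strongest modprobe.d directive found for the module:
#   install-blocked  "install algif_aead /bin/false" (or /bin/true)
#   blacklist-only   "blacklist algif_aead"; per modprobe.d(5) this only
#                    ignores the module's aliases, a load by name still works
#   none             no directive found
modprobe_policy() {
    cat "$1"/*.conf 2>/dev/null | awk -v m="$MODULE" '
        { sub(/#.*/, "") }                    # strip comments
        NF >= 2 { gsub(/-/, "_", $2) }        # modprobe treats - and _ alike
        $1 == "install" && $2 == m && $3 ~ /\/(false|true)$/ { inst = 1 }
        $1 == "blacklist" && $2 == m { bl = 1 }
        END { print (inst ? "install-blocked" : (bl ? "blacklist-only" : "none")) }'
}

# Report both findings; succeed only if the module is unloaded and a
# directive is on disk to keep it that way.
audit_node() {
    state=$(module_state "$2")
    policy=$(modprobe_policy "$1")
    echo "$MODULE: $state, modprobe policy: $policy"
    [ "$state" = not-loaded ] && [ "$policy" != none ]
}

audit_node "${1:-/etc/modprobe.d}" "${2:-/proc/modules}" ||
    echo "node is NOT fully mitigated" >&2
```

A result of blacklist-only still passes the audit, but it is reported separately so the stronger install override can be considered.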

If You Accept

The algif_aead kernel module will be unloaded and blacklisted across all instances, closing this attack vector. The boot hook ensures the mitigation persists across reboots and new instances. Once a patched kernel is rolled out, the hook is harmless to leave in place.

If You Reject

The algif_aead module will remain loaded, leaving your instances vulnerable to local privilege escalation by any unprivileged user with shell access.