CVE-2026-31431
Confirmed PUBLISHEDcrypto: algif_aead - Revert to operating out-of-place
1 day faster than CISA KEV
Recommended Action
Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
At a Glance
In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.
- CVE Published
- Apr 22, 2026
- Exploitation Reported
- Jun 01, 2026
- CVSS
- 7.8 High
- EPSS
- 96.8%
Affected Versions
72 version rows · page 1 of 3
| Vendor | Product | Version | Status |
|---|---|---|---|
| Red Hat |
NVIDIA for RHEL 10
|
0:6.12.0-211.6.el10nv to < * |
Unaffected |
| Red Hat |
NVIDIA for RHEL 10
|
0:6.12.0-231.12.el10nv to < * |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 10
|
0:6.12.0-124.55.1.el10_1 to < * |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 10
|
0:6.12.0-211.7.3.el10_2 to < * |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 10.0 Extended Update Support
|
0:6.12.0-55.71.1.el10_0 to < * |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 8
|
0:4.18.0-553.123.1.rt7.464.el8_10 to < * |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 8
|
0:4.18.0-553.123.1.el8_10 to < * |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 8
|
All versions (default: unaffected) |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
|
0:4.18.0-305.190.1.el8_4 to < * |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On
|
0:4.18.0-305.190.1.el8_4 to < * |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
|
0:4.18.0-372.191.1.el8_6 to < * |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
|
0:4.18.0-372.191.1.el8_6 to < * |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
|
0:4.18.0-372.191.1.el8_6 to < * |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
|
All versions (default: unaffected) |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 8.8 Telecommunications Update Service
|
0:4.18.0-477.139.1.el8_8 to < * |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
|
0:4.18.0-477.139.1.el8_8 to < * |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
|
All versions (default: unaffected) |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 9
|
0:5.14.0-611.54.1.el9_7 to < * |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 9
|
0:5.14.0-687.5.3.el9_8 to < * |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 9
|
All versions (default: unaffected) |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
|
0:5.14.0-70.178.1.el9_0 to < * |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
|
0:5.14.0-70.178.1.rt21.250.el9_0 to < * |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
|
All versions (default: unaffected) |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions
|
0:5.14.0-284.169.1.el9_2 to < * |
Unaffected |
| Red Hat |
Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions
|
0:5.14.0-284.169.1.rt14.454.el9_2 to < * |
Unaffected |
CVE References
- git.kernel.org/stable/c/893d22e0135fa394db81df88697fba60327... git.kernel.org · CVE Record https://git.kernel.org/stable/c/893d22e0135fa394db81df88697fba6032747667
- git.kernel.org/stable/c/19d43105a97be0810edbda875f2cd03f30d... git.kernel.org · CVE Record https://git.kernel.org/stable/c/19d43105a97be0810edbda875f2cd03f30dc130c
- git.kernel.org/stable/c/961cfa271a918ad4ae452420e7c30314900... git.kernel.org · CVE Record https://git.kernel.org/stable/c/961cfa271a918ad4ae452420e7c303149002875b
- git.kernel.org/stable/c/3115af9644c342b356f3f07a4dd1c8905cd... git.kernel.org · CVE Record https://git.kernel.org/stable/c/3115af9644c342b356f3f07a4dd1c8905cd9a6fc
- git.kernel.org/stable/c/8b88d99341f139e23bdeb1027a2a3ae10d3... git.kernel.org · CVE Record https://git.kernel.org/stable/c/8b88d99341f139e23bdeb1027a2a3ae10d341d82
Show 3 more references
- git.kernel.org/stable/c/fafe0fa2995a0f7073c1c358d7d3145bcc9... git.kernel.org · CVE Record https://git.kernel.org/stable/c/fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8
- git.kernel.org/stable/c/ce42ee423e58dffa5ec03524054c9d8bfd4... git.kernel.org · CVE Record https://git.kernel.org/stable/c/ce42ee423e58dffa5ec03524054c9d8bfd4f6237
- git.kernel.org/stable/c/a664bf3d603dc3bdcf9ae47cc21e0daec70... git.kernel.org · CVE Record https://git.kernel.org/stable/c/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5
Recommended Actions
- Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| CVE First | 2026-06-01 13:26 UTC |
| CISA | 2026-06-02 14:01 UTC |
No detection artifacts or sensor request patterns are available for this CVE yet.
Check back as sensor telemetry and scanner integrations are updated.
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
Exploited in the wild
Recorded 2026-06-01 13:26:07 UTC · CVE
Proof of concept available
Recorded 2026-05-06 09:49:14 UTC · GitHub
Weaknesses (CWE)
-
Improper Validation of Consistency within Input
-
Incorrect Resource Transfer Between Spheres
Recent Mentions
All CISA Advisories · Jul 14, 2026
View CSAF Summary ABB is aware of public reports of a vulnerability CVE‑2026‑31431 (Copy Fail) in the product versions listed as affected in the advisory. An update is available that resolves a publicly reported vulnerability. CVE‑2026‑31431 (Copy Fail) is a Linux kernel vulnerability that may allow a locally authenticated user or compromised container workload to gain elevated (root) privileges on affected systems. Once root access is obtained, the attacker can effectively gain complete control of the system The following versions of ABB Ability Edgenius are affected: Ability Edgenius >=3.2.0.0|<3.2.4.1 installed on ABB Ability Edgenius Gateway - bE100, >=3.2.0.0|<3.2.4.1 installed on ABB Ability Edgenius Gateway - E3100C, >=3.2.0.0|<3.2.4.1 installed on ABB Ability Edgenius Server - vE1000 (CVE-2026-31431, CVE-2026-31431, CVE-2026-31431) CVSS Vendor Equipment Vulnerabilities v3 7.8 ABB ABB Ability Edgenius Incorrect Resource Transfer Between Spheres Background Critical Infrastructure Sectors: Critical Manufacturing Countries/Areas Deployed: Worldwide Company Headquarters Location: Switzerland Vulnerabilities Expand All + CVE-2026-31431 CVE‑2026‑31431 (Copy Fail) is a Linux kernel vulnerability that may allow a locally authenticated user or compromised container workload to gain elevated (root) privileges on affected systems. The issue originates in the Linux kernel’s cryptographic subsystem and impacts kernels used by most major Linux distributions released since 2017. Successful exploitation requires local code execution, however, in shared, containerized, or multi‑tenant environments this may increase the security risk View CVE Details Affected Products ABB Ability Edgenius Vendor:ABB Product Version:ABB Ability Edgenius >=3.2.0.0|<3.2.4.1 installed on ABB Ability Edgenius Gateway - bE100, ABB Ability Edgenius >=3.2.0.0|<3.2.4.1 installed on ABB Ability Edgenius Gateway - E3100C, ABB Ability Edgenius >=3.2.0.0|<3.2.4.1 installed on ABB...
All CISA Advisories · Jun 23, 2026
View CSAF Summary B&R is aware of publicly reported vulnerabilities affecting the Linux kernel versions shipped with the products listed as affected in the advisory. Successful local exploitation of these vulnerabilities could allow an attacker to escalate privileges on the affected system. Public proof-of-concept exploits are available for the vulnerabilities described herein. At the time of publication of this advisory, B&R had no evidence of active exploitation targeting B&R products. The following versions of Impact of Linux Kernel vulnerabilities on B&R products are affected: Linux for B&R <=12 APROL X20EDS410 /all CVSS Vendor Equipment Vulnerabilities v3 7.8 B&R Industrial Automation GmbH Impact of Linux Kernel vulnerabilities on B&R products Incorrect Resource Transfer Between Spheres, Write-what-where Condition, Improper Privilege Management, Out-of-bounds Write, Multiple Releases of Same Resource or Handle Background Critical Infrastructure Sectors: Critical Manufacturing Countries/Areas Deployed: Worldwide Company Headquarters Location: Switzerland Vulnerabilities Expand All + CVE-2026-31431 In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly. View CVE Details Affected Products Impact of Linux Kernel vulnerabilities on B&R products Vendor:B&R Industrial Automation GmbH Product Version:B&R Industrial Automation GmbH Linux for B&R <=12, B&R Industrial Automation GmbH APROL Product Status:fixed, known_affected Remediations Vendor fixFor affected products, software updates should be installed upon availability. Product Patch version - APROL : APROL-AutoYaST-DVD-...
Juniper Security Advisories · Jun 01, 2026
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2026-07-06 07:46:49 UTC · 0 stars
AF_ALG/splice 기반 Linux Page Cache 변조 취약점 분석 및 대응 실습
github · Created 2026-06-27 15:41:53 UTC · 0 stars
github · Created 2026-06-05 10:27:36 UTC · 0 stars
github · Created 2026-06-05 01:05:38 UTC · 0 stars
Exploit for Copy-Fail Vulnerability - Python3 Version
github · Created 2026-06-01 18:53:44 UTC · 0 stars
github · Created 2026-05-29 00:29:50 UTC · 0 stars
github · Created 2026-05-28 13:52:15 UTC · 0 stars
aarch64 and x64 python POC
github · Created 2026-05-21 19:43:50 UTC · 0 stars
CVE-2026-31431-CopyFail---Minified-LPE-PoC
github · Created 2026-05-21 07:36:55 UTC · 0 stars
github · Created 2026-05-18 22:14:21 UTC · 0 stars
github · Created 2026-05-18 07:44:05 UTC · 0 stars
Local Privilege Escalation. Flips the running user's UID to 0 in /etc/passwd's page cache, then invokes su for a root shell.
github · Created 2026-05-18 05:23:15 UTC · 6 stars
Research artifacts, PoC scripts, and lab assets for the Copy Fail Linux local privilege escalation writeup on https://4xura.com/binex/kernel/copy-fail
github · Created 2026-05-16 20:53:45 UTC · 0 stars
github · Created 2026-05-16 16:02:14 UTC · 2 stars
Automated Metasploit post-exploitation module for CVE-2026-31431 ("Copy Fail"). Weaponizes a deterministic logic flaw in the Linux kernel AF_ALG subsystem to achieve local privilege escalation (LPE) to root by safely corrupting a setuid binary directly in the shared Page Cache (RAM) without modifying files on disk
github · Created 2026-05-13 11:36:00 UTC · 0 stars
Reproduced the fileless LPE CVE‑2026‑31431 (“Copy Fail”) on Kali Linux, then built auditd, Sigma & YARA detections to catch this stealthy kernel exploit that leaves no disk footprint.
github · Created 2026-05-12 07:30:56 UTC · 1 stars
A CVE-2026-31431 implementation in c++ and inline assembly dependency free
github · Created 2026-05-11 13:35:49 UTC · 0 stars
Relatório de Análise Técnica: Exploração de Falha de Isolamento no Kernel Linux (CVE-2026-31431)
github · Created 2026-05-11 01:14:12 UTC · 0 stars
CVE-2026-31431 - Linux Kernel Page Cache Vulnerability
github · Created 2026-05-09 09:35:17 UTC · 0 stars
github · Created 2026-05-06 09:49:14 UTC · 2 stars
Exploit CVE-2026-31431 on Linux using a Rust implementation to achieve local privilege escalation via an arbitrary page cache write primitive.
github · Created 2026-05-04 05:58:50 UTC · 10 stars
Safe detection tooling for CVE-2026-31431 "Copy Fail" and CVE-2026-43284 "Dirty Frag" — a local privilege escalation in the Linux kernel's algif_aead module affecting all major distributions since 2017.
github · Created 2026-05-03 03:08:04 UTC · 0 stars
CVE-2026-31431 merupakan celah keamanan yang terjadi akibat kegagalan dalam proses penyalinan data (copy operation failure). Kerentanan ini muncul ketika sistem tidak melakukan validasi atau penanganan error dengan benar saat melakukan proses copy data dari satu buffer ke buffer lain
github · Created 2026-05-01 13:20:31 UTC · 0 stars
CVE-2026-31431 - Copy Fail - PoC exploit
github · Created 2026-04-30 23:40:58 UTC · 2 stars
「🧨」PoC (Proof of Concept) of Copy Fail Local Privilege Escalation in Linux Kernel
github · Created 2026-04-30 12:59:11 UTC · 9 stars
Copy Fail - CVE-2026-31431
github · Created 2026-04-30 09:56:23 UTC · 0 stars
Wazuh SCA Linux hardening policy for Copy Fail (CVE-2026-31431)
github · Created 2026-04-30 06:47:01 UTC · 0 stars
github · Created 2026-04-30 03:22:01 UTC · 2 stars
Detection rules for CVE-2026-31431 Linux LPE Vulnerability - Credit: (Copy Fail) https://copy.fail
github · Created 2026-03-08 17:40:11 UTC · 0 stars
A demo and explanation of CVE-2026-31431
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
14:01 UTC about 2 months ago14:01 UTC · about 2 months ago
Added to CISA KEV
Listed in the CISA Known Exploited Vulnerabilities catalog
-
13:26 UTC about 2 months ago13:26 UTC · about 2 months ago
Added to KEVIntel KEV Feed
High-confidence, third-party attested exploitation
-
09:49 UTC 2 months ago09:49 UTC · 2 months ago
Public PoC available
Public proof-of-concept code published
-
08:15 UTC 3 months ago08:15 UTC · 3 months ago
CVE published
Vulnerability disclosed publicly
-
15:48 UTC 4 months ago15:48 UTC · 4 months ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2026-31431
{
"cve_id": "CVE-2026-31431",
"title": "crypto: algif_aead - Revert to operating out-of-place",
"affected_vendor": "Linux",
"affected_product": "Linux",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "Confirmed",
"cvss_score": 7.8,
"epss_score": 0.96775,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": false
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}