Copy Fail: New Linux Bug Enables Root Access via Page-Cache Corruption
- May 1
- 3 min read
Key Findings
CVE-2026-31431 ("Copy Fail") allows any unprivileged local user to write 4 controlled bytes into the page cache of readable files
A 732-byte Python script can modify setuid binaries in memory and escalate privileges to root
The vulnerability affects all major Linux distributions (Ubuntu, RHEL, SUSE, Amazon Linux) with kernels built between 2017 and the patch date
Exploits are race-free, stealthy, and can cross container boundaries due to shared page cache
CVSS score of 7.8 indicates high severity
Background
Copy Fail emerged from AI-assisted analysis of the Linux kernel's cryptographic subsystem. Researchers at Xint Code discovered a logic bug in the authencesn AEAD cryptographic template that had gone undetected for years. The vulnerability resulted from a combination of long-standing design decisions and a 2017 in-place optimization that inadvertently created the attack surface.
The bug is fundamentally different from previous Linux privilege escalation flaws like Dirty Cow and Dirty Pipe. It's portable across architectures, requires no special kernel debugging features, and works reliably without race conditions.
How the Attack Works
The exploit leverages AF_ALG, the kernel's cryptographic socket interface that any unprivileged user can access. The attacker binds to the vulnerable authencesn AEAD mode and uses splice() to map page cache pages from a target file directly into the cryptographic operation's scatterlist.
During AEAD decryption, the kernel performs an in-place operation. The authencesn algorithm misuses the output buffer as scratch space and writes 4 bytes past the allowed boundary. In this configuration, that write lands directly in the page cache of the attacker's chosen file at a precise offset.
The attacker controls three critical parameters: which file to target, the exact offset within that file, and the 4-byte value to inject. By repeating this process multiple times, they can inject enough shellcode into the cached version of a setuid binary.
The Privilege Escalation Process
The typical attack targets /usr/bin/su, a setuid-root binary present on virtually all Linux systems. The attacker first opens an AF_ALG socket and binds it to the authencesn AEAD mode, requiring no elevated privileges.
For each 4-byte injection, the attacker prepares a cryptographic request where the AAD (Additional Authenticated Data) carries the exact bytes to inject. The splice() call maps the target file's page cache pages into the operation structure. When the attacker triggers recv(), the kernel executes the decrypt operation, reads the AAD data, and writes the 4 bytes into the page cache of the target binary.
Though the HMAC verification fails, the corrupted memory persists in the page cache. After multiple iterations inject sufficient code, the attacker simply runs execve("/usr/bin/su"). The kernel loads the modified version from the page cache instead of reading from disk. Since su runs with setuid-root privileges, the injected code executes as root.
Why Detection is Difficult
The corruption happens only in the page cache, never touching the actual file on disk. Because corrupted page-cache data is never marked dirty by the kernel in this scenario, disk files remain unchanged and appear completely normal. This makes the attack stealthy compared to approaches that modify files directly.
The page cache is shared across the system, which also means the attack can cross container boundaries in environments like Kubernetes. A compromised host can potentially compromise containers sharing the same kernel.
Affected Systems and Scope
Testing confirmed successful exploitation on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16, covering kernel versions 6.12 through 6.18. The vulnerability affects any Linux distribution with kernels built between 2017 and the official patch date.
The AF_ALG cryptographic API ships enabled in essentially every mainstream distribution's default kernel configuration, meaning the entire affected window is exploitable out of the box without special setup or pre-installed kernel features. No network access or debugging capabilities are required—only a local unprivileged user account.
Proof of Concept and Validation
Researchers published a demonstration showing the same 732-byte exploit successfully escalating a normal user (uid 1001) to root across all four tested distributions. They also released a PoC tool to allow system administrators and defenders to verify whether their own systems are vulnerable and to validate vendor-provided patches.
Sources
https://securityaffairs.com/191519/hacking/copy-fail-new-linux-bug-enables-root-via-page-cache-corruption.html
https://x.com/Cyber_O51NT/status/2049951489745969348

Comments