On April 29, 2026, Theori disclosed a new Linux kernel bug that gives any local user a path to root. The bug ID is CVE-2026-31431; most call it Copy Fail. If you run Ubuntu, Red Hat, AlmaLinux, SUSE, or AWS Linux, this is the Linux privilege escalation story of 2026, and you need a patch plan today.
Key Takeaways
- Copy Fail is a Linux privilege escalation bug with a CVSS score of 7.8.
- It hits most Linux distros shipped since 2017, including Ubuntu, Red Hat, AlmaLinux, SUSE, and AWS Linux.
- A local user can write 4 bytes into the kernel page cache, which is enough to get root in seconds.
- A working PoC is public, and CISA has added the bug to the KEV catalog.
- Ubuntu and AlmaLinux pushed fixes on May 1, 2026; Red Hat's is still pending. Patch now.
Table of Contents
- What Is Linux Privilege Escalation in Copy Fail
- How the Linux Privilege Escalation Bug Works
- Who Is Affected by Linux Privilege Escalation
- How to Patch Linux Privilege Escalation Today
- Linux Privilege Escalation Detection Tips
- What Linux Privilege Escalation Teaches Us
- Summary
- FAQ
What Is Linux Privilege Escalation in Copy Fail
Copy Fail is a Linux privilege escalation bug in the kernel crypto code, in the file algif_aead.c. Any local user can use it to become root.
According to the Microsoft blog, the flaw "enables Linux root privilege escalation across cloud environments." Any user with a shell can act fast and gain full control of the host, so container escape becomes a real Linux privilege escalation path: a pod user gets root on the host.
Why does it matter? Because the same bug works on millions of hosts, and no race is needed. Older flaws like Dirty Cow had limits; Copy Fail is more reliable, so one shell gives one root.
Three Changes That Caused This Linux Privilege Escalation
This bug shows how good patches can stack into a bad outcome. Three commits, years apart:
- 2011: The authencesn AEAD wrapper was added.
- 2015: AF_ALG socket support was added, so user space could use kernel crypto.
- 2017: An optimization was added to algif_aead.c, and performance went up.
Each change was fine on its own. Stacked, they made a path that lets users corrupt the page cache. In my view, this Linux privilege escalation pattern is common: feature plus speed plus time can equal a quiet gap.
How the Linux Privilege Escalation Bug Works
Copy Fail lets a user write 4 bytes into the kernel page cache. The file on disk does not change; only the cached copy does. That tiny edit is enough.
According to Help Net, the attack targets a setuid file such as su or sudo, and the next run of that binary gives root. No kernel module is needed for this Linux privilege escalation.
Why This Linux Privilege Escalation Beats Dirty Pipe
Have you tried Dirty Pipe? It works. Copy Fail, though, wins in three ways.
- Reliable: one exploit fits most kernels.
- No race: older flaws needed perfect timing; Copy Fail does not.
- Quiet: logs stay clean.
Who Is Affected by Linux Privilege Escalation
If your kernel dates from 2017 to May 2026, assume you are hit by this Linux privilege escalation. The list is wide: almost every modern Linux distro.
According to Ubuntu, every release before 26.04 is affected. Red Hat, SUSE, AlmaLinux, Debian, and AWS Linux have all confirmed. The affected range covers 4.14 to 7.0-rc; fixed mainline builds start at 6.18.22 and 6.19.12.
Cloud Impact of Linux Privilege Escalation
This is where Copy Fail hits hardest. Microsoft says it affects "a large share of cloud Linux workloads," and millions of clusters are at risk, including EKS, AKS, and GKE on Ubuntu nodes. Your control plane is exposed if a dev gets a worker shell.
Sound bad? It is. We saw the same scope with the AWS Interconnect issue last year. Linux privilege escalation in the cloud is a P0.
How to Patch Linux Privilege Escalation Today
Patch first, investigate later. Here is a practical Linux privilege escalation patch order; the same flow fits sysadmins, DevOps, and SREs.
Step 1: Check Your Kernel
Run this on every host:
uname -r
Is it older than the May 2026 build? If yes, you are at risk. On Ubuntu 22.04 LTS, for example, you need 5.15.0-XXX or newer.
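Comparing the uname -r string by eye across a fleet is error-prone, so here is an added example (not code from the post or from any vendor) that classifies a kernel version against the fixed releases the post names: mainline 6.18.22 and 6.19.12, with the affected range starting at 4.14. The function names and the output words are assumptions of this example. One caveat the script makes explicit: distro LTS kernels such as Ubuntu's 5.15.0-XXX series backport the fix without changing the upstream version number, so for those the minimum must come from the vendor advisory (checked against the package version, not uname -r); the table deliberately leaves those series empty and reports "unknown" rather than guessing.

```sh
#!/bin/sh
# Added example: classify a `uname -r` string for Copy Fail (CVE-2026-31431).
# Mainline minimums (6.18.22, 6.19.12) and the 4.14 lower bound are from the
# post; distro series are placeholders to be filled from the vendor advisory.

# version_lt A B: succeed if A sorts before B, comparing dotted numeric
# fields and ignoring any "-generic", "-rc1" or "+" style suffix.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[-+].*/, "", a); sub(/[-+].*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal is not "less than"
    }'
}

# First fixed release for a stable series. Only the mainline series named in
# the post are filled in; add your distro's minimum (from its advisory) here.
min_fixed_for_series() {
    case "$1" in
        6.18) echo 6.18.22 ;;
        6.19) echo 6.19.12 ;;
        *)    echo "" ;;       # placeholder: no minimum known for this series
    esac
}

# copy_fail_status <uname -r output>
# Prints one of: not-affected, vulnerable, patched, unknown.
copy_fail_status() {
    base=$(printf '%s' "$1" | sed 's/[-+].*//')
    series=$(printf '%s' "$base" | cut -d. -f1,2)
    # The post's affected range starts at 4.14 (the 2017 optimization).
    if version_lt "$base" 4.14; then
        echo not-affected; return
    fi
    min=$(min_fixed_for_series "$series")
    if [ -z "$min" ]; then
        echo unknown; return   # needs the vendor's package version instead
    fi
    if version_lt "$base" "$min"; then echo vulnerable; else echo patched; fi
}

echo "$(uname -r): $(copy_fail_status "$(uname -r)")"
```

Run it on every host and treat "unknown" as a to-do, not as a pass: it means the host runs a series whose fixed package version you still have to look up in the distro advisory.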
Step 2: Apply the Vendor Patch
Update by distro:
- Ubuntu / Debian: sudo apt update && sudo apt upgrade linux-image-generic
- Red Hat / CentOS: wait for the RHSA. If you cannot wait, you can build a kernel with commit a664bf3d603d.
- AlmaLinux: sudo dnf update kernel (live since May 1, 2026).
- SUSE: sudo zypper update kernel-default
Reboot after the update. The fix lives in the kernel, so a host stays open until the new kernel loads.
Step 3: Use the kmod Mitigation
According to Red Hat, you can disable the kernel module as a stopgap:
echo "blacklist algif_aead" | sudo tee /etc/modprobe.d/copy-fail-mitigation.conf
Then reload modprobe. This breaks AF_ALG users, but most servers are fine. Test in staging first.
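Writing the modprobe.d file is not the same as the block being in effect, so here is an added example (not code from the post or from Red Hat) that reports the real state of algif_aead on a host. It covers three cases the one-line blacklist does not: the code may be built into the kernel image (modprobe cannot block it, only the patched kernel helps), the module may already be loaded (a modprobe.d file never unloads anything), and a "blacklist" line only stops alias-based autoload, whereas an "install algif_aead /bin/false" line also refuses an explicit modprobe. The function names, the output words and the use of file paths as parameters are assumptions of this example; the defaults are the live locations.

```sh
#!/bin/sh
# Added example: is the algif_aead block actually in effect on this host?
# Paths are parameters so the checks can run on files copied from a fleet.

# Compiled in rather than modular? modules.builtin lists built-in objects.
aead_builtin() {
    grep -qs '/algif_aead\.ko$' "${1:-/lib/modules/$(uname -r)/modules.builtin}"
}

# Loaded right now? /proc/modules has one "name size refcount ..." line each.
aead_loaded() {
    grep -qs '^algif_aead ' "${1:-/proc/modules}"
}

# Which kind of modprobe.d rule exists: install, blacklist, or none.
aead_modprobe_rule() {
    dir="${1:-/etc/modprobe.d}"
    if grep -qs '^install[[:space:]][[:space:]]*algif_aead[[:space:]][[:space:]]*/bin/false' "$dir"/*.conf; then
        echo install
    elif grep -qs '^blacklist[[:space:]][[:space:]]*algif_aead[[:space:]]*$' "$dir"/*.conf; then
        echo blacklist
    else
        echo none
    fi
}

# aead_mitigation_state [modules.builtin] [/proc/modules] [modprobe.d]
# One word per host: builtin, loaded, blocked, blacklist-only, unmitigated.
aead_mitigation_state() {
    if aead_builtin "$1"; then echo builtin; return; fi
    if aead_loaded "$2"; then echo loaded; return; fi
    case "$(aead_modprobe_rule "$3")" in
        install)   echo blocked ;;
        blacklist) echo blacklist-only ;;
        *)         echo unmitigated ;;
    esac
}

echo "algif_aead: $(aead_mitigation_state)"
```

"loaded" means the config file is in place for the next boot but does nothing now: unload the module or reboot. "builtin" means the stopgap cannot apply at all and only the patched kernel closes the hole.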
Linux Privilege Escalation Detection Tips
Patching is the priority, but you still want eyes on the host.
- Audit setuid. For example, run find / -perm -4000 -type f 2>/dev/null.
- Watch AF_ALG socket use. If you do not use it, audit any new use.
- Watch the page cache. EDR such as Sysdig ships Linux privilege escalation rules.
- Watch escape alerts. A spike of root in pods is a red flag.
What if a junior dev got root and could not say how? That is the Linux privilege escalation case to watch for.
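Two of the tips above as runnable checks, as an added example that is not code from the post or from any EDR vendor: a setuid inventory kept as a sorted baseline so a new setuid binary shows up as a diff, and a filter over auditd SYSCALL records that reports which uid and program opened AF_ALG sockets on hosts that should never use kernel crypto from user space. The audit log lines are constructed for this example and abbreviated; the field names follow auditd's format (a0..a3 are logged in hex, so address family AF_ALG, 38, appears as a0=26, and socket(2) is syscall 41 on x86_64). The function names and the audit key are assumptions.

```sh
#!/bin/sh
# Added example: setuid baseline diff and AF_ALG socket reporting from audit logs.
export LC_ALL=C   # stable sort order for comm(1)

# Sorted list of setuid files under a root (default /), local filesystems only.
setuid_inventory() {
    find "${1:-/}" -xdev -perm -4000 -type f 2>/dev/null | sort
}

# new_setuid_files <baseline-file> <current-file>: paths present only in current.
new_setuid_files() {
    comm -13 "$1" "$2"
}

# auditctl rule that records every socket() call whose domain is AF_ALG (38).
AF_ALG_AUDIT_RULE='-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg'

# Count AF_ALG socket() calls per (uid, exe) from audit records on stdin or in
# the file named by $1. Output lines: "<count> <uid> <exe>", busiest first.
af_alg_socket_users() {
    awk '/^type=SYSCALL/ && / syscall=41 / && / a0=26 / {
            uid = ""; exe = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^uid=/) uid = substr($i, 5)
                if ($i ~ /^exe=/) { exe = substr($i, 5); gsub(/"/, "", exe) }
            }
            print uid, exe
        }' "${1:--}" | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Constructed sample: two AF_ALG opens from a binary in /tmp, one AF_INET
# socket (a0=2, must not be counted) and one AF_ALG open by an IPsec daemon
# running as root, the kind of legitimate user the FAQ mentions.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1777500000.100:1): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 ppid=1 pid=2222 auid=1000 uid=1000 gid=1000 comm="crypt-test" exe="/tmp/crypt-test" key="af_alg"
type=SYSCALL msg=audit(1777500000.200:2): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 ppid=1 pid=2223 auid=1000 uid=1000 gid=1000 comm="curl" exe="/usr/bin/curl" key="all_sockets"
type=SYSCALL msg=audit(1777500000.300:3): arch=c000003e syscall=41 success=yes exit=4 a0=26 a1=5 a2=0 a3=0 ppid=1 pid=2224 auid=1000 uid=1000 gid=1000 comm="crypt-test" exe="/tmp/crypt-test" key="af_alg"
type=SYSCALL msg=audit(1777500000.400:4): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 ppid=1 pid=900 auid=0 uid=0 gid=0 comm="charon" exe="/usr/sbin/charon" key="af_alg"'

printf '%s\n' "$SAMPLE_AUDIT_LOG" | af_alg_socket_users
```

Store the output of setuid_inventory once per image as the baseline; anything new_setuid_files reports afterwards is worth a look, since a modified su or sudo keeps its path but a dropped helper does not. The audit rule in AF_ALG_AUDIT_RULE is what you would hand to auditctl on hosts where AF_ALG is not expected; the counting function then turns the resulting log into a short list of (uid, exe) pairs to triage.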
What Linux Privilege Escalation Teaches Us
Copy Fail shows that old kernel paths are still big targets for Linux privilege escalation. Clouds, runtimes, and distros all share the same code, so one bug hits every fleet.
Three lessons stand out for 2026:
- Patch SLAs matter. A 7-day window is too long when PoCs land in 48 hours.
- Local is not low risk. A local Linux privilege escalation can hit a whole cloud, so treat shells as sensitive.
- Read the changelogs. Theori warned us first, and the fast teams won.
Summary
Copy Fail is a high-risk Linux privilege escalation bug in the kernel. It hits most distros shipped since 2017, local users can get root fast, and exploit code is public. Patch now: Ubuntu and AlmaLinux pushed kernels on May 1, 2026. Until you can reboot, the kmod block is a fast stopgap.
FAQ
Is Copy Fail a remote bug?
No. The bug needs local code to run, so a shell is needed first. The Linux privilege escalation risk is still real: cloud and CI/CD often hand out cheap shells.
What kernel versions are safe from this Linux privilege escalation?
Run a kernel with the upstream fix, commit a664bf3d603d. The May 2026 updates carry it; for Ubuntu, that means the May 1 kernel or later. For mainline, 6.18.22 and 6.19.12 are the first fixed releases.
Does the kmod block break apps?
For most servers, no. AF_ALG is used by a small set of crypto tools and by IPsec stacks. Test in staging first.
Is this in the CISA KEV catalog?
Yes. CISA added CVE-2026-31431 to the KEV after a public PoC, so U.S. agencies have a tight clock.
Where can I learn more about Linux security?
Start with the Linux kernel security tree and your distro's mailing list. Sysdig, Wiz, and Tenable share Linux privilege escalation news, and you can browse our other guides at ElevateWithB.
About the Author
Bhanu Prakash works in cloud and cyber. He has hands-on time with Linux, Kubernetes, and IR. He shares guides at ElevateWithB.
What to Read Next: See our guide on 10 Best Free Cloud Computing Courses You Need in 2026.

