CVE-2026-31431 Copy Fail vs rootless containers
cve-2026-31431copy faillinux kernelrootless containerscontainer securityprivilege escalationkernel vulnerabilitycisa kevpodmancontainer escapelpecybersecurity

CVE-2026-31431 Copy Fail vs rootless containers

By Daniel MarshMay 5, 2026

Copy Fail (CVE-2026-31431): Rootless Containers and Host Takeovers: Understanding Copy Fail's Nuance

CVE-2026-31431 is more than a local privilege escalation (LPE). This vulnerability directly challenges the integrity of in-memory binaries and the isolation of the kernel's page cache, forcing a re-evaluation of fundamental assumptions about container security.

What Actually Happened: A Kernel Flaw from 2017

CVE-2026-31431, dubbed "Copy Fail," is a high-severity (CVSS 7.8) LPE within the Linux kernel's cryptographic subsystem. It resides in the algif_aead module, part of the AF_ALG userspace crypto API.

It was introduced in 2017 with commit 72548b093ee3. This commit implemented an in-place optimization for AEAD operations, where the kernel would reuse source memory as the destination during crypto operations. While intended for efficiency, this design introduced a critical logic error.

This bug impacts nearly every Linux distribution running kernels released since 2017, including Ubuntu 24.04 LTS, Amazon Linux 2023, and RHEL 10.1. The vulnerability's presence in the CISA Known Exploited Vulnerability (KEV) catalog confirms its active exploitation and critical risk.

The Mechanism: How a Failed Copy Corrupts Your System

The attack chain for Copy Fail is both precise and deterministic. It avoids race conditions or complex timing, making it highly reliable.

The attack sequence involves:

  1. Initial Access: An attacker requires local access as a non-privileged user, a common prerequisite that could stem from various compromised low-privilege environments.
  2. Crypto Interface Abuse: The exploit manipulates the interaction between the AF_ALG socket interface and the splice() system call. The algif_aead module exposes the kernel's AEAD ciphers to userspace via these AF_ALG sockets.
  3. In-Place Optimization Failure: Since 2017, the kernel sets req->src = req->dst for AEAD operations. When userspace feeds data into this socket using splice(), it chains tag pages from the source scatterlist into the output scatterlist. Critically, these tag pages reference the kernel's page cache of the spliced file.
  4. The 4-Byte Overwrite: The authencesn(hmac(sha256),cbc(aes)) algorithm, central to the exploit, writes four bytes as scratch space at a specific offset (assoclen + cryptlen). Due to the flaw, the output scatterlist extends beyond its intended boundary, writing directly into the chained page cache pages. These four bytes land within the spliced file's cached data in memory.
  5. Targeting Privileged Binaries: The attacker controls the target file, the write offset, and the 4-byte payload. A common technique demonstrated in public proof-of-concepts uses this to corrupt the in-memory representation of a setuid binary, such as /usr/bin/su. This primitive can be repeated at successive offsets to stage shellcode into the cached pages.
  6. Root Shell: When su is subsequently executed, it runs the patched (in-memory) binary, granting the attacker a root shell.

The exploit is notably compact and self-contained, requiring no networking, compilation, or third-party libraries. Its effectiveness stems from exploiting a direct logic flaw, not a race condition.

A close-up of a terminal screen showing a Python script with lines of code, partially obscured by a hand typing, in a dimly lit room with a subtle blue glow. The screen displays text that looks like a kernel exploit.
Close-up of a terminal screen showing a Python
Python PoC for CVE-2026-31431 in action.

The Impact: Container Escape, But With a Nuance

Full root privilege escalation is the immediate impact. This leads to severe consequences for data confidentiality, system integrity, and service availability. It enables container breakout, multi-tenant compromise, and lateral movement within shared environments. This aligns with MITRE ATT&CK techniques TA0004 (Privilege Escalation) and T1068 (Exploitation for Privilege Escalation). The stealth factor is also significant; modifying binaries only in memory bypasses traditional file integrity checks.

While Copy Fail enables "container escape," for properly configured rootless containers—those leveraging User Namespaces, like Podman—the exploit's success within the container does not automatically grant root on the host.

When an attacker achieves UID 0 (root) inside a rootless container, that UID 0 maps to an unprivileged user ID on the host system. The attacker gains full control within their container's namespace but does not become root on the host. User namespaces provide a critical isolation layer, preventing a direct host root takeover from an LPE inside the container.

Despite this isolation, risks remain due to the shared kernel page cache. Even if an attacker cannot directly escalate to host root, the ability to corrupt the kernel's page cache of any readable file on the host remains a serious concern. This capability, for instance, could serve as a stepping stone for a subsequent exploit, allowing an attacker to inject malicious code into cached host binaries that a privileged process might later execute, ultimately leading to host breakout.

Therefore, while rootless containers contain the immediate privilege escalation to the host, shared kernel resources, particularly the page cache, remain a critical attack surface. This subtle but significant risk challenges the perceived security boundary, even if it doesn't lead to an immediate sudo su on the host.

The Response: Patching, Detection, and Rethinking Boundaries

The fix, which essentially reverts the problematic 2017 optimization, is included in kernel versions 7.0, 6.19.12, or 6.18.22, along with corresponding distribution backports for older LTS lines.

Organizations should prioritize immediate action: identify all affected systems and apply the kernel updates promptly. If immediate patching is not feasible, consider interim mitigations. Restrict AF_ALG socket creation via seccomp profiles, container runtime defaults, or by disabling the CONFIG_CRYPTO_USER_API_AEAD module on hosts that do not require userspace crypto.

Monitoring for exploitation is also essential. Microsoft has released detections across its suite, including Exploit:Linux/CopyFailExpDl.A, Exploit:Python/CopyFail.A, Exploit:Linux/CVE-2026-31431.A, Behavior:Linux/CVE-2026-31431 for Antivirus and alerts in Defender for Endpoint and Cloud. Sysdig Secure offers a rule for "AF_ALG Page Cache Poisoning Leading to Privilege Escalation." For open-source options, a critical Falco rule, "Unexpected Process Using Kernel AEAD Crypto Socket," can detect the creation of AF_ALG SEQPACKET sockets from processes outside the known disk-encryption toolchain, providing a solid behavioral detection for suspicious activity.

A stylized, abstract representation of data flowing through a network, with glowing lines connecting nodes. The overall impression is one of complex, interconnected systems, with some lines appearing to break or diverge, suggesting a vulnerability.
Stylized, abstract representation of data flowing through
Data flow illustrating kernel page cache corruption.

This vulnerability underscores that despite robust containerization strategies, the underlying kernel remains the ultimate security control plane.

While not a traditional "container escape" for rootless setups, Copy Fail is a potent LPE that underscores the persistent risks of shared kernel resources, even when user namespaces provide a strong initial defense. Patching and continuous monitoring are crucial. The shared page cache, in particular, represents a subtle attack surface that warrants close attention.

Daniel Marsh
Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.