InSEKurity of the Week (CW18/2026): Linux Kernel "Copy Fail" Privilege Escalation (CVE-2026-31431)

This week in our InSEKurity of the Week series: a nine-year-old logic flaw in the Linux kernel’s algif_aead crypto module that lets any local, unprivileged user write a controlled 4 bytes into the kernel’s page cache of any readable file — and from there pivot to root by tampering with the in-memory copy of /usr/bin/su or any other privileged binary. The bug — CVE-2026-31431, branded “Copy Fail” — reaches every mainstream distribution shipping a kernel built since 2017, exploits deterministically without race conditions, and breaks out of containers because the page cache is shared between the host and every container on the node. A public PoC is already on GitHub, the exploit fits in roughly 732 bytes of Python, and CISA added the CVE to its Known Exploited Vulnerabilities catalog on 2026-05-01 with a federal patching deadline of 2026-05-15. If you operate Linux fleets, Kubernetes clusters, multi-tenant cloud workloads, or CI/CD that runs untrusted code, this is the patch-now CVE of the month.

Summary

• CVE ID: CVE-2026-31431 (alias “Copy Fail” / “CopyFail”)
• CVSS 3.1 Score: 7.8 (High)
• CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• CWE: CWE-669 (Incorrect Resource Transfer Between Spheres)
• Affected Software: Linux kernel algif_aead (AF_ALG AEAD socket interface) — every mainline kernel from 4.14 through the patched per-LTS releases below; ships in Ubuntu (Bionic / Focal / Jammy / Noble / Questing), Debian (sid patched, stable/bookworm vulnerable), RHEL 8 / 9 / 10, Amazon Linux 2023, SUSE 16, Fedora, Rocky Linux 9.7, Arch Linux, and most container base images
• Attack Vector: Local (unprivileged user account on the target system; reachable from inside a container)
• Authentication Required: Yes — low-privilege local account
• User Interaction: None
• Impact: 4-byte controlled write into the page cache of any readable file -> tampering with the in-memory image of privileged binaries -> root on the host -> container escape on shared kernels
• Patch Status: Available — mainline fix crypto: algif_aead - Revert to operating out-of-place (kernel commit a664bf3d603d, 2026-04-01); per-LTS releases listed below
• Published: NVD 2026-04-22; vendor coordinated disclosure 2026-04-29
• Reported by: Taeyang Lee of Theori (discovered with the Xint Code AI-assisted security analysis tool)
• Exploitation Status: Public PoC released (~732-byte Python script on GitHub); deterministic; no race condition; CISA KEV listed 2026-05-01 with federal due date 2026-05-15

What is algif_aead / AF_ALG?

AF_ALG is the Linux kernel’s userspace crypto API: a socket family that lets a process ask the kernel to perform symmetric, hash, AEAD, or RNG operations over a socket. The userland code talks to a kernel module — algif_skcipher for symmetric ciphers, algif_hash for hashes, algif_aead for Authenticated Encryption with Associated Data (AEAD). The headline benefit is access to hardware-accelerated crypto (AES-NI, ARM CryptoExtensions, dedicated accelerators) without binding to a specific userspace library.

algif_aead specifically wires AEAD constructions like AES-GCM, ChaCha20-Poly1305, and the authencesn encrypt-then-MAC template into the AF_ALG socket plumbing. Production callers include cryptsetup / LUKS for disk encryption setup, firefox-esr in some distros, and a long tail of services that prefer kernel-side crypto over OpenSSL. The module is autoloaded the moment any process opens an AF_ALG socket of type aead — which means an unprivileged process on a default-configured Linux host can bring the vulnerable code path to life on demand.

Typical Use Cases

• LUKS / dm-crypt setup via cryptsetup — AEAD modes for authenticated disk encryption.
• Kernel TLS (kTLS) offload paths that fall back to AF_ALG on systems without inline crypto offload.
• Container images that depend on hardware-accelerated AEAD — the module is on by default on virtually every distro.
• Kubernetes workloads running cryptographic libraries that opportunistically prefer AF_ALG when available.
• Embedded and IoT Linux systems shipping recent enough kernels (4.14+) — routers, NVRs, industrial gateways.
• Cloud Linux VMs in Azure, AWS, GCP — including the marketplace images Microsoft has flagged in its own write-up.

Because algif_aead is loaded by an unprivileged socket call, the attacker does not need root to expose the bug — they only need to run code on the system. That makes containers, multi-tenant VMs, shared development boxes, and CI/CD runners high-risk targets.

Technical Analysis

Vulnerability Description

CVE-2026-31431 is an Incorrect Resource Transfer Between Spheres (CWE-669) in algif_aead. The Linux kernel maintainer’s commit message describes the fix tersely: “crypto: algif_aead - Revert to operating out-of-place”. The bug is the inverse of that: an in-place optimization added to algif_aead.c in 2017 lets the kernel reuse the source memory as the destination of an AEAD operation, on the assumption that the scatter-gather lists on either side of the operation refer to the same pages.

That assumption breaks when the source pages and the destination pages come from different kernel “spheres” — specifically, when the attacker uses splice(2) to plumb the page cache of a file the attacker can only read into the AEAD operation as input, while keeping the destination pointed at memory the attacker controls. The kernel writes the AEAD output back into the source side of the splice, and that source side is the page cache of the targeted file. The result is a deterministic, controlled 4-byte write into the in-memory copy of any file the attacker can open(O_RDONLY) — including SUID binaries, the dynamic linker, kernel modules on disk, container layer files, and so on.

The on-disk file is never modified. The change lives entirely in the page cache, so file-integrity tools (AIDE, Tripwire, dm-verity, auditd file watches, package-manager checksums) see nothing. As soon as the next process executes the targeted binary, the kernel maps the corrupted page into the new process’s address space and runs it.

Root Cause Analysis

1. Three-stage history (2011 / 2015 / 2017): the bug is the interaction of three independent kernel changes — the authencesn AEAD template (2011), AF_ALG AEAD socket support (2015), and the in-place optimization in algif_aead.c (2017). None of the three changes is wrong in isolation; combined, they violate the implicit boundary between the source and destination spheres of the AEAD operation.
2. Scatter-gather aliasing (CWE-669): the in-place optimization assumes the source and destination scatter-gather lists describe the same memory. When a splice() boundary creates source pages backed by the page cache of a read-only file, the AEAD output is written back into the page cache, crossing a security sphere.
3. splice() as the privilege-shift primitive: splice(fd_in -> AF_ALG_socket) lets the attacker hand the kernel page-cache pages from a file they only have read access to, while controlling what the AEAD operation produces.
4. authencesn template as the trigger: the authencesn (Encrypt-then-Authenticate with Sequence Number) template walks the in-place buffer in a way that produces the deterministic 4-byte overwrite in the source pages.
5. Page cache shared across processes and containers: Linux maintains exactly one page-cache copy of each file regardless of how many processes (or containers, on the same node) read it. A 4-byte write from a sandboxed container can therefore land in pages that the host kernel will hand to a host process on its next execve().
6. Default-loaded module on every distro: algif_aead is autoloaded when any process opens an AF_ALG AEAD socket. The attack surface is on by default; a hardening response that removes it is straightforward (see Mitigation) but not the default state.

Attack Vector

The public PoC is a ~732-byte Python script that walks through the steps below. The sketch here is illustrative only and intentionally non-functional — it shows the shape of the attack so defenders can recognize the relevant primitives.

# Step 1: Confirm the vulnerable module exposure on the target. The
# attacker only needs the module to be loadable - it autoloads on the
# first AF_ALG aead socket() call. As an unprivileged user:
ls /sys/class/misc/cryptd 2>/dev/null
grep -E '^algif_aead ' /proc/modules || echo "module not yet loaded"

# Step 2: Identify a privileged binary whose page cache the attacker
# wants to corrupt. /usr/bin/su, /usr/bin/sudo, /usr/bin/passwd,
# /usr/bin/chage are classic SUID targets. The dynamic linker
# /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 is another high-value
# target because it is mapped into every executable.
file /usr/bin/su /usr/bin/sudo /usr/bin/passwd 2>/dev/null
ls -l /usr/bin/su

# Step 3: The PoC opens an AF_ALG aead socket, attaches the
# `authencesn(...)` template, and uses splice() to feed the page cache
# of /usr/bin/su into the kernel as the AEAD source. The kernel writes
# the AEAD output back over the source pages - the page cache of su.
python3 - <<'PY'
# *** ILLUSTRATIVE ONLY - NOT A WORKING EXPLOIT ***
import socket, os
s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
s.bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))
# Real PoC sets a key, IV, AAD, and uses splice() with /usr/bin/su as
# the source fd to drive the in-place AEAD primitive. The output of
# the operation lands in the page cache of /usr/bin/su, corrupting
# the in-memory copy of the SUID binary. The on-disk file is
# unchanged. The attacker chooses 4 bytes that turn an authentication
# branch in su into an unconditional success or that hijack a
# function-pointer table read by su at startup.
s.close()
PY

# Step 4: Trigger the corrupted binary. The next exec of /usr/bin/su
# in any process maps the tampered page cache, runs the modified code
# path, and elevates the attacker to UID 0. Disk forensics see nothing.
/usr/bin/su -
id

A simplified packet-level view of the attack:

Attacker (unpriv user / container)         Linux kernel
   |                                                 |
   |  socket(AF_ALG) -> bind aead authencesn(...)    |
   |------------------------------------------------>|  algif_aead
   |                                                 |  loaded
   |                                                 |
   |  splice(fd=/usr/bin/su, AEAD_socket)            |  source SG
   |  source = page-cache pages of su                |  list points
   |------------------------------------------------>|  at /usr/bin/su
   |                                                 |  page cache
   |                                                 |
   |  AEAD operation in-place                        |  in-place opt
   |  destination aliases source                     |  (2017 bug)
   |------------------------------------------------>|  4-byte
   |                                                 |  controlled
   |                                                 |  write back
   |                                                 |  to su page
   |                                                 |  cache
   |                                                 |
   |  exec /usr/bin/su -                             |  kernel maps
   |------------------------------------------------>|  corrupted
   |                                                 |  page on
   |                                                 |  exec
   |<-- root shell ----------------------------------|
   v                                                 v

Exploitation in the Wild

• 2026-03-23 — Theori privately reports the bug to the Linux kernel security team after Xint Code (their AI-assisted code-analysis tool) flags the in-place pattern in algif_aead.c.
• 2026-04-01 — Mainline fix lands as crypto: algif_aead - Revert to operating out-of-place (commit a664bf3d603d).
• 2026-04-22 — NVD publishes CVE-2026-31431 with CVSS 7.8 and CWE-669; per-LTS backports begin landing.
• 2026-04-29 — Coordinated public disclosure; Theori, Wiz, Tenable, Microsoft, Bugcrowd, and major distros publish writeups.
• 2026-04-30 — A working ~732-byte Python PoC appears on GitHub under the copy-fail-CVE-2026-31431 repository name.
• 2026-05-01 — CISA adds CVE-2026-31431 to the Known Exploited Vulnerabilities catalog; federal due date set to 2026-05-15. Microsoft Defender ships dedicated detections (Exploit:Linux/CopyFailExpDl.A, Behavior:Linux/CVE-2026-31431).
• 2026-05-04 / 05 — Distro patch coverage broadens (Ubuntu, AlmaLinux, SUSE, Fedora, CloudLinux, Arch, Debian sid). Some long-tail releases (Debian stable / bookworm, several RHEL minor streams) still pending at time of writing.

Post-Exploitation Impact

1. Local privilege escalation to root: a single exec of a tampered SUID binary lifts the attacker to UID 0.
2. Container escape: because the page cache is kernel-wide, a 4-byte write from a low-privilege container lands in pages the host kernel will serve to host processes — and to other containers sharing the same image layers.
3. Stealth by design: there is no on-disk modification — AIDE, Tripwire, dm-verity, package-manager checksums, and audit-based file integrity monitors all see a clean file system.
4. Reboot-resilient until reboot: the modification persists for the lifetime of the page (until cache eviction or reboot), so the attacker has a comfortable window to harvest credentials, install on-disk persistence, or pivot.
5. Kubernetes / multi-tenant blast radius: a single tenant on a shared node can corrupt host binaries that other tenants will execute, turning a per-pod compromise into a per-node compromise.
6. Supply-chain pivot: a malicious dependency in a CI/CD pipeline can exec once on a build host and own every downstream artifact built on that host until reboot.

Impact Assessment

Immediate Impact

• Local-auth, deterministic, CVSS 7.8 with no race: the AC:L / no-race quality is what differentiates Copy Fail from Dirty Cow (CVE-2016-5195) and Dirty Pipe (CVE-2022-0847).
• Universal Linux exposure: every kernel built since 2017 across every mainstream distro.
• Default-on attack surface: algif_aead autoloads on first AF_ALG AEAD socket call.
• Container-escape primitive: the page cache is shared by the host and every container on the node.
• Public PoC: ~732-byte Python; deterministic; reusable across distros.
• CISA KEV with federal due date 2026-05-15: regulatory deadline that strongly implies confirmed exploitation prospects.

Affected Versions

Linux Kernel Series	Vulnerable	Fixed In
4.14 — 5.10.x	All builds < 5.10.254	5.10.254
5.11 — 5.15.x	All builds < 5.15.204	5.15.204
5.16 — 6.1.x	All builds < 6.1.170	6.1.170
6.2 — 6.6.x	All builds < 6.6.137	6.6.137
6.7 — 6.12.x	All builds < 6.12.85	6.12.85
6.13 — 6.18.x	All builds < 6.18.22	6.18.22
6.19.x	All builds < 6.19.12	6.19.12
7.0 mainline	Not affected (fix merged)	7.0

Distro-specific package versions (Ubuntu USNs, RHSAs, Debian DSAs, AlmaLinux, SUSE) trail the upstream LTS branches by hours to a few days. Cross-reference your distro’s tracker before declaring a host patched.

Affected Environments

• Public-cloud Linux VMs (Azure, AWS, GCP, OCI) on every Linux marketplace image built since 2017.
• Kubernetes / OpenShift / EKS / AKS / GKE clusters running vulnerable kernels.
• Multi-tenant compute — shared SaaS runtimes, shared CI/CD runners, hosted notebooks (Jupyter, Colab-style), academic clusters.
• CI/CD build farms that execute untrusted code (third-party PRs, dependency builds, vendor SDKs).
• Container registries’ base images — Alpine and Debian / Ubuntu base layers all carry the vulnerable kernel module unless the host kernel is patched.
• Embedded / IoT Linux with kernels >= 4.14 — routers, NVRs, NAS appliances, industrial gateways, automotive Linux.
• Developer workstations — Linux laptops are exposed if the user runs untrusted code (npm install, pip install, malicious VS Code extensions).

Attacker Profiles

• Cloud-tenant attackers: a single foothold on a multi-tenant node escalates to host root and reaches the other tenants on the same kernel.
• Container-escape operators: the bug is one of the cleanest known primitives for a low-privilege container to break out to the host.
• Initial-access brokers: any web-shell / sshjack on a Linux host turns into root access in seconds.
• Ransomware affiliates: kernel-level access bypasses EDR user-mode hooks and lets attackers disable backup agents before encryption.
• CI/CD supply-chain attackers: a malicious dependency can exec once on a Linux build host and persist until reboot through the page cache.
• Insider threats: any logged-in user on a Linux server can become root with a public PoC and zero forensic footprint on disk.

Mitigation Strategies

Immediate Actions (Priority 1)

1. Patch the kernel to a fixed LTS release and reboot. This is the only durable fix:

   # Identify the running kernel and target version. Compare against the
   # table above. Anything below your LTS line's fixed build is exposed.
   uname -r
   
   # Debian / Ubuntu (apt-based) - ensure -security pocket is enabled.
   sudo apt-get update
   sudo apt-get install --only-upgrade linux-image-generic linux-image-$(uname -r | cut -d- -f3-)
   sudo reboot
   
   # RHEL / Rocky / Alma (dnf-based) - ensure RHSA / errata are applied.
   sudo dnf update kernel kernel-core kernel-modules --security
   sudo reboot
   
   # SUSE (zypper-based)
   sudo zypper patch --category=security
   sudo reboot

2. Hot mitigation if you cannot reboot immediately — blacklist the algif_aead module so AF_ALG AEAD sockets fail to autoload it:

   # Persistent blacklist via modprobe.d. Maps the load action to
   # /bin/false so any future autoload attempt fails. Survives reboot.
   echo "install algif_aead /bin/false" | \
       sudo tee /etc/modprobe.d/disable-algif-aead.conf
   
   # If the module is already loaded, unload it. If a process is using
   # it (cryptsetup, firefox-esr in some distros), rmmod will fail -
   # in that case schedule the change for the next maintenance window.
   sudo rmmod algif_aead 2>/dev/null || \
       echo "Module in use - schedule reboot to unload"
   
   # Verify the module is no longer loaded.
   grep -qE '^algif_aead ' /proc/modules && \
       echo "STILL LOADED" || \
       echo "OK: algif_aead is not loaded"

3. Belt-and-braces: block AF_ALG socket creation kernel-wide:

   # Add to /etc/modprobe.d - prevents the entire AF_ALG family from
   # autoloading. Cryptsetup, kTLS fallback paths, and any service
   # that opens AF_ALG will fail; test in a maintenance window.
   echo "install af_alg /bin/false" | \
       sudo tee /etc/modprobe.d/disable-af-alg.conf
   
   # For containers - apply seccomp profiles that deny socket() calls
   # with domain == AF_ALG (38). Docker / containerd / Kubernetes can
   # ship a custom seccomp profile to enforce this on every pod.

4. Rotate any secret that was reachable from a vulnerable host during the exposure window: SSH host keys, service-account credentials, kubeconfig tokens, cloud-provider IMDS-reachable role credentials. Assume container-shared filesystems may have been read.

5. Audit every Linux host for the running kernel version and treat unknown / pre-2017 / non-mainline kernels as suspect:

   # Cluster-wide one-shot inventory via Ansible / SSH for-loop. The
   # table above is the comparison. Anything below the fixed LTS build
   # is in scope for emergency patching.
   for h in $(cat hosts.txt); do
       printf "%-30s %s\n" "$h" "$(ssh $h 'uname -r')"
   done

6. For containers / Kubernetes: patch the node kernel. Patching pod images does not fix the bug — the kernel is shared from the host.

Detection Measures

There are two classes of signal: (a) exploitation attempts, observable from kernel module-load events and unusual AF_ALG socket activity; (b) post-exploitation, observable from suspicious privilege transitions following AF_ALG use.

# (a) Detect first-time loads of algif_aead in environments where it
# was previously absent. dmesg / kernel ringbuffer is the simplest
# source. Pipe to your SIEM via journald.
journalctl -k --since "1 hour ago" | grep -i algif_aead

# (b) auditd rule that flags any process opening an AF_ALG socket.
# AF_ALG = 38. A baseline of legitimate users (cryptsetup, etc.) is
# necessary - alert on the long tail.
sudo auditctl -a always,exit -F arch=b64 -S socket -F a0=38 \
    -k AFALG_SOCKET

# Review recent audit hits.
sudo ausearch -k AFALG_SOCKET --start recent

# (c) Hunt for processes that called AF_ALG and then exec'd a SUID
# binary within seconds - this is the canonical exploit shape.
# Falco / Tracee / eBPF-based runtime security tools are the right
# vehicle for this rule.

SIEM / detection content (Falco-style sketch):

- rule: CopyFail Exploit Pattern
  desc: Process opens AF_ALG aead socket and exec's SUID within 5s
  condition: >
    (evt.type=socket and evt.arg.domain=AF_ALG and proc.uid != 0)
    and (evt.type=execve and proc.is_suid_binary=true
         and proc.parent.duration_ms < 5000)
  output: >
    CopyFail-style behavior: %proc.name pid=%proc.pid
    parent=%proc.pname uid=%user.uid binary=%proc.exepath
  priority: CRITICAL

Microsoft Defender for Endpoint coverage (per Microsoft’s writeup):

• Exploit:Linux/CopyFailExpDl.A — file-based detection of the public PoC.
• Behavior:Linux/CVE-2026-31431 — behavioral detection of the exploit pattern.
• Microsoft Defender for Cloud alerts on “Potential exploitation of copy-fail vulnerability” for Azure Linux VMs.

Long-term Security Improvements

1. Default-deny seccomp for AF_ALG: most workloads do not need AF_ALG. Add socket(AF_ALG, ...) to the deny-list in your default seccomp profile (Docker, containerd, Kubernetes, systemd unit RestrictAddressFamilies=).
2. Aggressive kernel-patch SLAs: a 7-day SLA for kernel CVEs is the right floor; CISA-KEV-listed kernel CVEs deserve 72 hours. Live-patch tooling (kpatch, livepatch, kgraft) reduces the reboot cost.
3. Tenant isolation = node isolation: treat every multi-tenant Linux node as if a single-tenant compromise can reach root, because Copy Fail (and the LPE class generally) means it can.
4. Restrict who can run code on Linux hosts: developer SSH access, CI/CD runners executing third-party code, and Jupyter-like notebooks are the canonical local-LPE entry points. Move untrusted compute onto disposable, rapidly-rotated VMs.
5. Inventory kernel versions continuously: build a single source of truth for which hosts run which kernels. Patching is impossible without it.
6. Rehearse “the kernel was patched, but the page cache wasn’t”: until reboot, a compromised host’s page cache may still hold tampered binaries. Patch and reboot.
7. Migrate kernel-side crypto to userspace where practical: workloads that use AF_ALG purely for hardware acceleration can often switch to a userspace OpenSSL build linked against engine-mode hardware support, allowing AF_ALG to be disabled cluster-wide.

Why is this Critical?

1. Universal Linux exposure: every distro, every kernel from 2017 onwards, every cloud, every container.
2. Deterministic exploit, no race: the bug class is friendlier to attackers than Dirty Cow or Dirty Pipe.
3. Shared page cache breaks container isolation: a 4-byte write from a sandboxed container reaches the host.
4. Stealth by design: no on-disk modification, no file-integrity alerts, no checksum mismatch.
5. Public PoC + CISA KEV: the bar to weaponization is on the floor; the federal patching deadline reflects that.
6. Default-on attack surface: the vulnerable module autoloads on the first AF_ALG AEAD socket call.
7. Patch-and-reboot, not patch-only: in-memory state survives the package upgrade until the kernel actually swaps.

Timeline and Disclosure

• 2026-03-23 — Theori privately reports the bug to the Linux kernel security team; mainline embargo begins.
• 2026-04-01 — Mainline fix crypto: algif_aead - Revert to operating out-of-place lands (commit a664bf3d603d).
• 2026-04-22 — NVD publishes CVE-2026-31431 with CVSS 7.8, CWE-669.
• 2026-04-29 — Coordinated disclosure: Theori, Wiz, Tenable, Microsoft, Bugcrowd, Ubuntu, AlmaLinux, SUSE, CloudLinux, CERT-EU publish writeups and patch guidance. Help Net Security and BleepingComputer-class outlets carry the news.
• 2026-04-30 — Public ~732-byte Python PoC appears on GitHub.
• 2026-05-01 — CISA adds CVE-2026-31431 to the Known Exploited Vulnerabilities catalog with federal due date 2026-05-15.
• 2026-05-04 / 05 — Distro patch coverage broadens; Microsoft Defender behavioral detections live; long-tail releases (Debian stable / bookworm, several RHEL minor streams) still rolling out at time of writing.

Resources and References

• CVE: CVE-2026-31431
• NVD: NVD — CVE-2026-31431
• Linux Kernel CVE Announce: lore.kernel.org — CVE-2026-31431
• CWE: CWE-669: Incorrect Resource Transfer Between Spheres
• CISA KEV Catalog: Known Exploited Vulnerabilities
• Red Hat Security Bulletin: RHSB-2026-02 — Cryptographic Subsystem Privilege Escalation
• Ubuntu: Fixes available for CVE-2026-31431 (Copy Fail)

SEKurity Supports You

Vulnerabilities like Copy Fail are a reminder that “local privilege escalation only” is rarely a meaningful caveat in modern Linux estates: every multi-tenant node, every Kubernetes cluster, every CI/CD runner that executes third-party code, every developer workstation that pulls a malicious npm package is a candidate launchpad. The attack surface is the kernel, the blast radius is the node, and the stealth profile is “no on-disk evidence.” We help organizations measure their real exposure across Linux fleets and Kubernetes estates, validate that patches have actually shipped and that hosts have actually rebooted, and stress-test whether a kernel-level compromise would be detected before it becomes a multi-tenant incident.

Our Services

• Penetration Testing: Web applications, mobile apps (Android & iOS), SAP systems, Active Directory
• Large-Scale Attacks: Perimeter testing, IT infrastructure testing, Red Team engagements
• Security Awareness: Phishing campaigns, hacking demonstrations

Act now — before attackers do.

---

Contact:

Website: www.sekurity.de

Inquiries: www.sekurity.de/kontakt

LinkedIn: SEKurity GmbH

---

Your SEKurity Team — Your Trusted Adversaries

The security of your Linux fleet is our drive.

---

Sources

• CVE-2026-31431 Detail — NVD
• Linux Kernel CVE Announce — CVE-2026-31431
• Copy Fail: Universal Linux Local Privilege Escalation Vulnerability — Wiz Blog
• Copy Fail (CVE-2026-31431): Linux Kernel Privilege Escalation FAQ — Tenable
• CVE-2026-31431: Copy Fail vulnerability enables Linux root privilege escalation — Microsoft Security Blog
• Nine-year-old Linux kernel flaw enables reliable local privilege escalation — Help Net Security
• What we know about Copy Fail (CVE-2026-31431) — Bugcrowd
• Fixes available for CVE-2026-31431 (Copy Fail) — Ubuntu
• RHSB-2026-02 Cryptographic Subsystem Privilege Escalation — Red Hat
• Copy Fail (CVE-2026-31431) Patches Released — AlmaLinux
• CERT-EU: High Vulnerability in the Linux Kernel (“Copy Fail”)
• CWE-669: Incorrect Resource Transfer Between Spheres — MITRE