1. Description
CVE-2026-31431 ("Copy Fail") is a local privilege escalation (LPE) vulnerability in the Linux kernel's authencesn cryptographic template, disclosed on 29 April 2026 by Theori security research.
The flaw was introduced by an in-place optimization in the algif_aead kernel module in 2017. It allows any unprivileged local user to write 4 controlled bytes into the page cache of any readable file, including setuid binaries, without modifying the file on disk. By corrupting the in-memory representation of a setuid binary, an attacker can gain root (uid=0) privileges.
2. Mitigation Steps
Apply the following workaround on all affected servers. This disables the algif_aead kernel module at boot time, preventing the exploit from executing. A REBOOT is required.
Step 1 — Edit GRUB configuration
Open the GRUB default configuration file:
sudo vi /etc/default/grub
Step 2 — Append the kernel parameter
Locate the GRUB_CMDLINE_LINUX line and append the parameter (initcall_blacklist=algif_aead_init) inside the quotes.
After modification (e.g.):
grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
Step 3 — Reboot the server
sudo reboot
Step 4 — Verify mitigation
After reboot, confirm the parameter is active in the kernel command line:
cat /proc/cmdline | grep algif
Expected output should contain: initcall_blacklist=algif_aead_init
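Added example (not part of the original article): a stricter form of the Step 4 check. A plain grep for "algif" also matches unrelated text, and initcall_blacklist accepts a comma-separated list, so this script matches whole list entries and additionally looks for algif_aead in /proc/modules. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
FUNC=algif_aead_init   # initcall name from the article
MOD=algif_aead         # module name from the article

# Succeeds if an initcall_blacklist= parameter in command line $1 lists $2
# as a whole comma-separated entry (no substring matches).
cmdline_blacklists() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^initcall_blacklist=//p' \
        | tr ',' '\n' | grep -qxF -- "$2"
}

# Succeeds if module $2 appears as a first field in /proc/modules text $1.
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# Prints one verdict line; returns 0 only when the workaround looks active.
# $1 = kernel command line, $2 = contents of /proc/modules
assess() {
    if ! cmdline_blacklists "$1" "$FUNC"; then
        echo "NOT MITIGATED: $FUNC is not blacklisted on the kernel command line"
        return 1
    fi
    # Assumption: with the initcall blocked, the module should not be listed.
    if module_loaded "$2" "$MOD"; then
        echo "CHECK: parameter present but $MOD is listed in /proc/modules"
        return 2
    fi
    echo "MITIGATED: $FUNC blacklisted and $MOD not loaded"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_OK='BOOT_IMAGE=/vmlinuz-constructed ro quiet initcall_blacklist=foo_init,algif_aead_init'
SAMPLE_BAD='BOOT_IMAGE=/vmlinuz-constructed ro note=algif_aead_init'  # grep algif would match
SAMPLE_MODS='algif_aead 16384 0 - Live 0x0000000000000000'

# Evaluate the running host only when asked to.
if [ "${1:-}" = "--live" ]; then
    assess "$(cat /proc/cmdline)" "$(cat /proc/modules)"
fi
```

Run the script with --live after the reboot; a non-zero exit status means the host still needs attention.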